How to Make Your Remote Workforce PCI Compliant

A photo of happy home call centre agent

Steve Murray of IP Integration discusses how you can alleviate some of the security concerns that come with remote working.

Before the coronavirus struck, contact centres everywhere were on track with their digital transformation strategies, with well-laid plans of how they could grow their technological capabilities.

The COVID-19 crisis threw everything into disarray, and contact centres from every industry had to adapt to the situation and find new ways of handling and guiding the customer experience.

Common trends that soon emerged were a huge increase in calls and a massive jump in customers paying for things online or over the phone since they could no longer go outside to shop.

While some industries likely saw less of a change than others or perhaps were better equipped technologically to handle such business disruption, nearly everyone has felt the effects of the pandemic and is having to change their digital transformation plans.

Indeed, Gartner research around tech spending patterns found that large multi-year tech programmes have been placed on hold and instead a focus has been placed on fast tracking applications and solutions which provide immediate benefit to help business return to usual.

In particular, organizations are prioritizing secure payment applications, particularly as many contact centre agents still working remotely.

Contact centres have to ensure that their remote agents are remaining PCI (Payment Card Industry) compliant, even outside the office.

While companies might have been planning to implement such a strategy further down the line, they have now been pushed to the front of the queue as an essential tool to help navigate the evolving homeworking risk landscape.

Indeed, organizations are looking to better support their agents and make sure they remain compliant, whilst bolstering business, and have recognized that they need new solutions that are able to increase capacity and adapt to any situation.

With remote working likely to be part of the new norm – IBM found that 54% of workers would like to switch permanently to working remotely on a full-time basis – and very few expectations that things will return to exactly as they were before, organizations are looking to accommodate new ways of working. But first, they must be aware of the dangers.

The Compliance Challenges of Homeworking Agents

Though business practices have changed in many respects, organizations must still keep to the compliance frameworks – GDPR, FCA, PCI etc. – that are in place to keep both consumers and businesses safe.

The ICO hasn’t slowed down its operations during the pandemic, and neither have cybercriminals, with easyJet suffering a data breach in May leaving the personal details of nine million customers exposed, including card data.

As reliance on the internet grows to support the likes of remote working, protecting customers is a priority now more than ever.

The biggest challenge with having remote workers be part of the online or over the phone payment process is securing sensitive data.

Contact centres need to make sure that remote agents can take payments securely, especially since the risk profile of a homeworking agent is significantly increased.

Firstly, they aren’t connected to a secure corporate network. This makes them more vulnerable to outside threats, as IT can’t secure other vulnerable devices on their home network or audit any security vulnerabilities.

The home office environment can be extremely difficult to secure, and even workers themselves are concerned, with SentryBay finding that 49% of employees feel insecure about the security of working from home.

There’s also the human element to consider. Working from home can mean many distractions for agents, as they try to juggle work and home life, and it’s also harder for managers to monitor performance and compliance.

Whilst technology like workforce management systems make it much easier, when it comes to secure payments, remote working means there is one less layer of security.

Similarly, as communication channels grow ever more numerous – phone, SMS, webchat, email – with the increase in digital-first customers, remote workers also have a lot of ground to cover to make sure payments are made securely across these different platforms.

This presents a huge security challenge, as payments need to be made securely while taking into account the customer’s wants and needs.

How to Make Sure Your Homeworkers Are Remaining Compliant

With a large proportion of agents working from home, making secure payments is a course filled with hurdles. Yet there are sure-fire ways to ensure your virtual contact centre is doing everything it can to keep its agents and customers safe.

Below, I’ve taken a look at the best practices – and the not so best ones – on how to make sure your virtual contact centre is compliant:

No technology: While some level of compliance could have been possible with everyone working in the office, this isn’t an option for homeworkers. This approach means a lot of heavy lifting, high costs and it would be impossible to administer and maintain compliance without any sort of technology.

Pause & Resume: In either manual or automatic form, Pause & Resume does successfully address a small number of PCI controls – primarily around card detail storage, details which aren’t captured on the call recorder.

But this approach still leaves the agent exposed to the sensitive card information, and doesn’t take into account the homeworking environment.

Automated Payment IVR: While this method keeps card data away from homeworkers – directing callers through to an automated payment application – it can be quite disruptive to the customer journey.

If the agent is off-boarding the customer, for example, this can cause calls to be disconnected, leading to increased drop-off rates. And if a customer wants to return to speaking to an agent if they’re encountering a problem, there’s no guarantee they’ll be reconnected to the same agent as before.

What’s more, if on premise, this approach requires very robust PCI controls.

DTMF Suppression: Dual-Tone Multi-Frequency (DTMF) Suppression is viewed as the compliance gold standard, helping organizations attain PCI compliance whilst continuing to take payments over the phone and record calls.

DTMF works by generating a series of audio signals when a caller inputs numbers onto their phone keypad, each key producing two tones of a specific frequency.

But while this prevents a voice from imitating the tones, hackers can decode the frequencies without too much trouble.

Masking – or supressing – the tones by replacing them or converting the two pitches into a single flat tone, means the code cannot be deciphered by either a hacker or someone within the organization.

Customers can input sensitive card details into their phone without any concerns that the cardholder data will be exposed at the other end.

Indeed, DTMF Suppression eliminates the Cardholder Data Environment (CDE) – the ring of cardholder data that enters your business – for homeworkers as the payment details never enter their home network, going only to the payment service provider and the bank.

The agents are one step removed from the sensitive card information, making the entire process more secure for both parties.

Omnichannel: Achieved via the same integration as DTMF, customer payments across multiple channels can be made securely.

The CDE is once again removed as, when a customer is inputting their card details via webchat or on an online browser, for example, the details are blocked from the agent’s view and never enter the home network.

Not only does this give customers more choice when it comes to making payments, but it also removes a lot of the risks associated with agents taking payments from their home office and significantly reduces (as much as 90%) the PCI compliance controls needed.

Also, there’s an extra layer of security added through the omnichannel approach as many customers will be using devices with biometric capabilities.

Give Your Agents the Power to Add Value to the Business

As agents continue to work remotely, contact centres must be aware that the risk profile of the home office is significantly higher than in the office.

When it comes to taking secure payments, via any channel, and remaining compliant, organizations must take actionable steps to ensure everyone remains secure.

The best solution is to take the CDE out of the equation entirely. Not only will customers be able to pay securely, but by turning to solutions like DTMF Suppression, organizations will be adding value to the business by giving agents the means to become revenue generating without the fear of being non-compliant.

A headshot of Steve Murray

Steve Murray

While DTMF Suppression isn’t the be all and end all, it should form part of an agent’s arsenal, especially when it comes to today’s omnichannel customer.

As the coronavirus pandemic remains steadfast in our lives for the time being, contact centres must find ways to adapt and empower customers and agents alike in this new normal.

For more from IP Integration and to find out more about their contact centre solutions, visit

Author: Robyn Coppell

Published On: 14th Aug 2020 - Last modified: 18th Aug 2020
Read more about - Industry Insights,

Follow Us on LinkedIn

Recommended Articles

A woman is looking at her credit card while on her phone, sat at a desk next to a computer
PCI Compliance Best Practices for Call Recording and Transcription
Close up of credit card and lock
An Introduction to… PCI Compliance
PCI - Payment Card Industry acronym in neon lights
The Ultimate Guide to PCI Compliance
Technology Toolkit - PCI compliant card payment handling