Five reasons why every contact centre should have a PCI DSS Compliance Programme in place

In the age of social media, where good news travels fast and bad news even faster can a brand afford for clients’ card data to be lost, with the resulting PR backlash?

Survey¹ findings revealed that almost a third of medium sized organisations have no compliance programme in place. Downloading the standard available via SAQ (Self Assessment Questionnaire) can help companies to roadmap a PCI DSS programme.

Referring to the downloadable PDF of the VISA Merchant Agents List to engage with a trusted advisor is also a useful first step to vetting vendors – and avoiding fines and lawsuits should the unthinkable happen and customer card data be stolen.

Paying for goods and services remotely is the norm for consumers and they expect their personal information to be kept secure. Every contact centre that accepts card payments over the telephone is responsible for safeguarding their customer’s information and can be held liable for security compromises.

The Payment Card Industry Data Security Standard (PCI DSS) is intended to protect cardholder data. By complying with PCI DSS, companies can meet their obligations to the payment eco-system and build a culture of security that benefits everyone.

PCI DSS is a change in mind-set, not a one-off exercise. It is the implementation of security procedures that underpin the company’s behaviour when dealing with payments, as well as how networks are designed, and access is granted and logged.

PCI DSS compliance must be revisited every year and that takes time and resource. Employing a compliance officer, who has the complete support of the contact centre management, can help to ensure the required changes are driven through.

Customers transact with an organisation when they are confident their payment cards will not be compromised and their personal details are secure. However, if something goes wrong, consumer brand loyalty can quickly fade.

In the event of a security breach customers become quickly upset at the thought of their details being stolen and used fraudulently. The resulting inconvenience and risk leads to reduced customer confidence in the retailer and payment method. Reactive contact centres could find themselves playing catch up as customers vote with their feet.

Many contact centres don’t realise that PCI DSS covers the entire trading environment. This means partners that handle card data on their behalf or supply services where card data is transmitted must also comply before full PCI DSS compliance is achieved.

The latest version of PCI DSS introduced a new requirement, compelling service providers to supply a “Responsibility Matrix” which defines who is responsible for each of the 300+ PCI controls; namely the client, the supplier or both.

The best way to minimise exposure to the primary risk areas of staff and infrastructure is by investing in training and education on the PCI DSS standard and work with payment organisations that are themselves Level 1 PCI DSS compliant.