Every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS (Payment Card Industry Data Security Standard) compliant. However the process of becoming and staying compliant can be hugely expensive. The interpretation of the 258 controls often leads to confusion and conflicting advice from PCI Qualified Security Assessors (QSAs).
Information about the dos and don’ts of PCI DSS and its cost and impact on every day business processes can often lead to companies putting off the process or self-certifying unaware of the risks should they then suffer card data loss. For many once PCI DSS has been achieved the expense in time and resource leaves them with very little to show or to shout about.
The answer is to wise up on what compliance really means and what the responsibilities are. PCI DSS covers a great many areas and touches almost every aspect of an organisation’s operations. Compliance in the contact centre should address risk and be achievable for a sensible and realistic cost. To truly understand the best practices for each of the 258 boxes that should be ticked takes a real specialist; however, looking at the key vulnerabilities, namely staff and the choice of third party payments supplier, will result in large reductions in both PCI DSS scope and the price of securing your customers’ valuable information.
There is no such thing as a PCI DSS compliant solution
Solution providers can make the mistake of marketing their products as “PCI DSS Compliant” – there is no such thing. It is correct, however, to state that a given solution can help achieve compliance. Any third party payment service provider needs to be able to prove it is PCI DSS compliant. This is because the overall contractual obligation of compliance is always between the merchant and their merchant bank. So the third-party organisation which may include outsourced contact centres, payment service providers or collections company will not get fined in the event of a breach that results in card data loss or fraud. The buck stops with merchant.
Get smarter – chose the right payment solution
No one payment solution fits all. Different people prefer different methods of payment. A younger tech-savvy demographic may be happy with mobile payments while more mature customers may prefer to speak to an agent. Therefore think of customer demographics and select a payment solution to suit. This usually results in a requirement for multiple payment methods being implemented but has the overall benefit of reducing frustration felt by customers that would have otherwise been forced to use a payment service they’re not comfortable with.
Continuous authority payments (also known as recurring payments) can help to reduce the scope and cost of PCI DSS compliance audits. Once an initial transaction is verified the card used becomes trusted and any repeat uses will not require details to be taken again. On average 40% of customers will opt to have their card details stored for future use. However, there may not always be funds available on the stored card and therefore payments can be declined. Some suppliers, such as Encoded, have a Tokenisation feature to enable card holders to validate and amend stored cards when something goes wrong; avoiding fines, fees and interest charges by self-managing the details held on file.
Tokenisation, recurring and stored card payment solutions mean that organisations with contact centres can vastly reduce the scope of their PCI DSS audits. Tokens can only be used through specific payment gateways and if they are stolen or written down then the Token is completely useless to anyone outside the payment environment.