PCI DSS Compliance for Call Centers
With the advancement of technology, protecting the privacy of customers has become a major concern, with fines and reputational damage at stake, especially for the confidential information people hand over when carrying out a transaction on the Internet, whether with cash, credit or debit cards.
Learn about our call recording solution for Call Centers.
To ensure the secure handling of information and protect customers from identity theft, the top five credit card companies developed the Payment Card Industry Data Security Standard (PCI DSS) in 2006. This means that Call Centers have to adjust their processes to be able to comply with PCI DSS; for example, there is certain cardholder information that cannot be stored under any circumstances.
What is PCI DSS compliance?
PCI DSS compliance refers to a company’s adherence to a set of security regulations created to protect consumers against misuse of their personal information used during online transactions. The PCI DSS is a regulation created by the most important credit card companies in the world: Visa, MasterCard, Discover and American Express.
The PCI DSS has 6 main objectives.
- Secure connection: Companies that store sensitive cardholder information must protect their network and connections with robust firewalls and strict security controls.
- Encryption: All cardholder information stored in a company’s system must be encrypted.
- Security software: Businesses should protect their data against malicious third-party threats using antivirus software, anti-spyware programs, and other malware protection solutions.
- Restricted access: Businesses should restrict access to sensitive data only to those who need to access it.
- Network monitoring: Networks should be tested regularly to ensure that they continue to meet the security standard.
- Documented security policy: Companies must develop and adhere to a formal information security policy.
PCI DSS compliance best practices
Learn the 10 keys to how Call Centers can comply with PCI DSS and instill customer confidence that data is protected.
1. Capture: According to PCI DSS, recorded calls are subject to the same rules as any other method of capturing and storing payment card authentication data. Some recording systems provide Call Center agents with a button that allows them to pause recording when credit card numbers are spoken, while others integrate with the CRM system to automatically pause recording based on actions taken by the agent. Other call recording software uses Speech Analytics technology to prevent sensitive cardholder data from being recorded: the recording is automatically muted when account numbers, security codes and other sensitive information are spoken. Thanks to solutions like Recordia that prevent the recording of confidential payment information, calls from Call Centers are not within the scope of a PCI DSS audit.
2. Network security: It is essential to ensure that the entire network and connection system complies with PCI DSS guidelines. This starts with an effective firewall and router, as well as internal processes that provide additional layers of protection. All unsafe host and network traffic should be restricted, and there should never be any direct access from untrusted networks to any network component that contains payment cardholder data.
3. Role-based security: In Call Center environments, agent and supervisor desktops should have role-based logins to limit the number of staff exposed to sensitive data and to ensure that individual staff members have access only to what they need to do their job.
4. Additional Security Considerations: Call Centers should also consider the points at which agents come into contact with data to ensure security and proper compliance. Access to confidential customer and payment data should be restricted, for example limiting access to key areas of the building by adopting an identification card system.
5. PCI DSS compliance information: All organizations that store, process or transmit payment cardholder data must comply with PCI DSS. The PCI DSS Policies for Call Centers, containing all necessary policies, procedures, forms, checklists, templates and other supporting material, are available on the official PCI DSS website.
6. Use whiteboards instead of pencil and paper: One of the easiest ways to comply with PCI DSS is to prevent agents from using pencil and paper and have them use a whiteboard instead. This change prevents physical storage of customer data. Just make sure you keep a set of rules about the use of the whiteboards, for example that they cannot be removed from an agent’s desk and that they are wiped regularly.
7. Ban Mobile Phones from Call Centers: Another really simple and sometimes overlooked step is to ban mobile phones from Call Centers. By taking this step, you can eliminate any chance of sensitive customer information being leaked onto an agent’s personal device.
8. Encrypt sensitive data: When it comes to storing sensitive personal data, encryption is a widely accepted best practice. In the case of PCI DSS compliance, it is essentially a requirement. While the PCI DSS regulations do not mention encryption explicitly, they do say that any cardholder information must be stored using “strong cryptography with associated key management processes and procedures.” It is worth remembering that PCI DSS Requirement 3 states that no CVV code can be stored. However, if the company requires other information from the cardholder, such as name, account number and expiration date, it can store it as long as it meets a number of conditions related to the level of encryption and key management.
PCI DSS compliance requires a high level of encryption with a minimum 256-bit key strength. In terms of key management, one of the best PCI DSS compliance practices is that the company that stores the cardholder’s data should not have access to the key.
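The two technical points above, keeping card numbers out of recordings (point 1) and keeping CVV out of storage while masking the account number (point 8), can be checked in code. The following is an added example, not code from this page or from Recordia: it finds Luhn-valid card numbers in a constructed call transcript and reports the character spans so the matching audio can be muted, rejects any record that still carries sensitive authentication data, masks the PAN for agent screens (first six and last four digits at most), and hands the full PAN to an external encryption callable so this process never holds the key. The transcript, field names (`pan`, `name`, `expiry`, `cvv`), the candidate-PAN pattern and the `encrypt_pan` callable are all assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ---- 1. Finding card numbers in a call transcript ---------------------------

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run. Constructed pattern; tune it to your transcripts.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def redact_pans(text: str, replacement: str = "[PAN REDACTED]") -> Tuple[str, List[Tuple[int, int]]]:
    """Replace Luhn-valid card numbers in a transcript and return the (start, end)
    character spans that were redacted, so the same spans can be mapped onto the
    recording's timeline and muted. Digit runs that fail Luhn (order numbers,
    ticket ids) are left untouched."""
    spans: List[Tuple[int, int]] = []

    def _sub(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            spans.append((m.start(), m.end()))
            return replacement
        return m.group(0)

    return _PAN_CANDIDATE.sub(_sub, text), spans

# ---- 2. What may be kept after authorization --------------------------------

# Sensitive authentication data: must never be stored after authorization.
_FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track_data"}

def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass(frozen=True)
class StoredCard:
    cardholder_name: str
    masked_pan: str        # safe for agent and supervisor screens
    encrypted_pan: bytes   # ciphertext produced by the external key-management service
    expiry: str

def prepare_for_storage(record: dict, encrypt_pan: Callable[[str], bytes]) -> StoredCard:
    """Build the only record a Call Center may keep from a payment call.
    Raises if the record still carries sensitive authentication data.
    `encrypt_pan` is assumed to be provided by a separate key-management or
    tokenization service, so the storing application never sees the key."""
    present = _FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = re.sub(r"\D", "", record["pan"])
    return StoredCard(
        cardholder_name=record["name"],
        masked_pan=mask_pan(pan),
        encrypted_pan=encrypt_pan(pan),
        expiry=record["expiry"],
    )

if __name__ == "__main__":
    # Constructed transcript; 4111 1111 1111 1111 is the usual Visa test number.
    transcript = "My card number is 4111 1111 1111 1111 and the code is 123, order 1234567890123."
    cleaned, spans = redact_pans(transcript)
    print(cleaned, spans)
    card = prepare_for_storage(
        {"name": "Alice Example", "pan": "4111 1111 1111 1111", "expiry": "12/29"},
        encrypt_pan=lambda p: p.encode()[::-1],   # stand-in for the real service
    )
    print(card.masked_pan)
```

The transcript scan only catches account numbers, because a three- or four-digit security code cannot be recognised without context; that is why the text still relies on the agent's pause button or CRM-driven pausing for the CVV. The `__main__` block uses a reversing function where a real deployment would call the key-management service.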
9. Enforce PCI DSS: An all too common mistake Call Centers make is to view PCI DSS compliance as an annual or one-off exercise. This approach can lead to problems and potential compliance failures. Instead, PCI DSS compliance should be viewed as an ongoing process; managers need to ensure that controls are applied continuously, day to day.
One of the main reasons for taking this ongoing approach is that the PCI DSS standards are constantly being updated, with the latest version 3.2.1 released in July 2018. The update added a number of requirements, including multi-factor authentication for access to cardholder data and new rules on the display of card numbers.
10. Agent training: PCI DSS compliance must be considered in agent training. Training should be provided to agents on an ongoing basis, especially to those who have demonstrated risky behaviors that could potentially result in non-compliance.
Frequently asked questions about PCI DSS compliance
Who is affected by PCI DSS compliance?
Any company or organization that “accepts, transmits or stores” payment card holder data.
Are there levels of PCI DSS compliance?
Yes, there are 4 levels. These levels are based on the number of payment card transactions processed per year:
- Level 1: more than 6 million card transactions per year
- Level 2: 1 to 6 million transactions per year
- Level 3: 20,000 to 1 million transactions per year
- Level 4: less than 20,000 card transactions per year
Are payments made over the phone covered by PCI DSS compliance?
Yes. There are some caveats, but such transactions are covered.