PCI DSS Compliance In The Contact Center

Technology has reshaped our lives in unimaginable ways. From social media to entertainment and e-commerce. Increased digitalization has immensely helped us. Security is no exception to this. The current technological advancements have propelled security into new highs. 

And while this has meant more protection for customers. A lot of data safety concerns remain prominent.

As the driving force behind customer support, contact centers collect a lot of data. This data includes bank account details, social security numbers but especially payment card data. As such, call center PCI compliance is a must. 

And since credit card transactions are a major financial service. You can find more on financial customer support here.

What Is the Payment Card Industry Data Security Standard (PCI DSS)

Jointly made by MasterCard, Visa, Discover Financial Services, JCB International, and American Express. PCI DSS is a batch of security standards.

Under the governance of the Payment Card Industry Security Standards Council (PCI SSC). This safety compliance was designed to make credit and debit card transactions secure. This includes protection against fraud and theft.  

And because call centers collect and process a lot of credit card transactions. Contact center compliance with PCI DSS imposes itself. Thus, since we at simply contact put data safety as a top priority. Our contact centers are PCI DSS compliant. This means that we feature all of the PCI DSS compliance checklists.

6 Key Requirements to Comply With the PCI DSS

Call center PCI compliance requires respecting a PCI DSS compliance checklist. This list includes 6 key requirements. 

These key requirements are:

Build and maintain a secured network

Building and maintaining a secured network can be broken into two parts:

• Installing and maintaining a firewall configuration. This firewall configuration is aimed at protecting cardholder data. By inspecting network traffic, firewalls protect your internal networks. This is done by the firewall comparing your traffic to a set of standard rules.

In order to maintain contact center compliance with PCI DSS. Firewall configuration rules must be updated every 6 months.

• Avoiding the use of vendor-supplied defaults. Using vendor-supplied defaults for system passwords will compromise your security. This is because hackers and cybercriminals can easily access vendor-supplied defaults. 

Call center PCI compliance stipulates that all vendor-supplied defaults should be changed. This includes passphrases, passwords, and SNMP community strings.

Protect cardholder data

One of the key components of the PCI DSS compliance checklist is protecting cardholder data. As such, storing cardholder data should be avoided. Any previously stored cardholder data should be deleted. 

Moreover, Sensitive Authentication Data should be eliminated after usage. And requested card data must be limited to what is legally required.

Additionally, contact center compliance with PCI DSS requires encrypted transmission of cardholder data. Such encryption should feature powerful cryptography. This is necessary to avoid any data theft by hackers.  

Cardholder numbers should also never be sent through social media apps.

Maintain a vulnerability management program

Since a lot of software is involved in credit card transactions. The PCI DSS compliance checklist requires the use of anti-virus software. 

Nowadays web services are subject to heavy malware targetting. Credit card transactions are no exception to this. It is thus essential that contact centers provide protection against malware. 

Anti-virus programs must be regularly updated. Periodic malware scans are to be implemented too. 

Developing secure systems and applications is also a necessity. Call center PCI compliance relies on this. Secure systems scan and identify new vulnerabilities that pose a threat to cardholder data.

Creating secure applications can be achieved through regular training of developers. As adequately trained developers are capable of detecting vulnerabilities. These vulnerabilities include:

• Cross-site scripting. 
• Cross-site request forgery. 
• Buffer overflows.

Front-end web applications should also be tested. The tests include application security tools and application penetration testing.

Implement strong access control measures

Contact center compliance also features implementing access control measures. The implementation of these measures can be broken into 3 key aspects:

• Restricted access to cardholder data. This can be achieved by respecting the concept of “need to know”. This concept means that an entity should only have access to the amount of data required to perform a job. This restricted access is essential to call center PCI compliance. The access to cardholder data must be restricted to the least amount required.
• Restricted physical access to cardholder information. Any physical form of cardholder data must be restricted. For instance, paper forms should be destroyed once their retention span has expired. 

Contact centers should also favor virtual data forms. This is because such forms feature data encryption. 

• Secure authentication access to system components. Authentication access should require the usage of unique IDs. The authentication should also feature unique passwords (7 alphanumeric characters). This way liability for all actions is ensured.

Regularly monitor and test networks

An integral element of the PCI DSS compliance checklist is monitoring. Such compliance involves regular monitoring and testing of networks.

• Monitoring access to networks and cardholder data. Incorporate logging for all systems. This translates into tracking actions on all individual accounts. The resulting logs should be stored for at least one year. 

Additionally, logs should be reviewed on a daily basis. They should also be saved on a centralized server.

• Periodic testing of networks and processes. Internal and external vulnerability scans. Penetration testing. File integrity monitoring. And intrusion detection systems are all tests that ensure network safety and data protection.  

Maintain an information security policy

An information security policy is essential to call center PCI compliance. Maintaining an information security policy is paramount to cardholder data protection. Contact centers must document policies and processes involved in data protection. 

Additionally, usage policies should provide clear guidelines. Call centers should also provide an incident response plan. Incident response plans include:

• Notifying card brands in the event of a data breach.
• Ensuring continuity through continuity plans.
• Implementing data backup processes.  

Dangerous Outdated Practices that Call Centers Should Abandon

While adopting the PCI DSS compliance checklist is a step forward for call centers. Some outdated practices may compromise their data safety. As such, contact centers must avoid these practices at all costs. 

Major outdated practices that should be abandoned are:

• Insecure voice transactions. According to a Harvard business review study. 61% of mobile users call a business while they are considering a purchase. This means that many customers may end up spelling their credit card data over the phone. 

This can lead to dire consequences. Not only are voice transactions subject to data theft. They also lack the encryption that a secure transaction system provides. It is, therefore, crucial that contact centers avoid insecure voice transactions.

• Free access to payment information. This can lead to cardholder data compromise. As such, access to payment data needs to be restricted. Clients should be advised to withhold sharing their credit card data with call center agents freely.
• Sharing sensitive cardholder data. Sharing cardholder data should not be allowed. Call center agents should be trained on how to handle cardholder data. This training should include the only legal cases where data sharing is allowed. 

When a situation requires cardholder data sharing. Adequate security measures must be implemented.

You can find more on how to provide adequate call center agent training here.

• Not reporting risky situations. Businesses are prone to risky situations. Call centers are no exception to this. 

Many contact centers think that they can handle risky situations on their own. This is a mistake. Not reporting risky situations may lead to major data breaches. 

As such, whenever a system breach is signaled, contact centers are advised to report it. 

• Using a pen and paper. Some contact centers still use pens and paper to write down cardholder data. This is a major risk to credit card owners. A paper can be lost and anyone finding it might use this data to make illegal purchases. Thus, call centers must ban using pans and paper.
• Allowing mobile phones in the call center. Not only will allowing mobile phones hamper productivity. But it does also pose a risk of data leakage. Mobile phones are subject to malware targetting. If a mobile phone’s microphone is hacked, cardholder data might be recorded. As such, mobile phones should not be allowed in call centers. 

All in all, contact center compliance with PCI DSS is a must. Abandoning outdated practices is also essential to ensuring payment data safety. 

PCI Compliance for Call Centers: Best Practices  

In addition to the PCI DSS compliance checklist, there are some best practices that contact centers must follow.

Some of the key best practices are:

• Ensuring phone calls' privacy. PCI Security Standards Council stipulates that phone calls are subject to the same rules as any other method of capturing cardholder data.

Contact centers are thus obliged to implement phone call safety measures.

Some recording systems fulfill call center PCI compliance. For instance, such systems allow agents to pause calls when credit card numbers are spoken. Other systems feature a CRM process that automatically pauses calls. 

Speech analytics technology can also be used to prevent cardholder data from being recorded.

• Role-based security. In order to ensure contact center compliance with PCI. Call centers need to implement role-based security. Agent and supervisor desktops should have role-based log-ins. This ensures that access to sensitive data is limited to concerned staff members. 
• Using a whiteboard. As we have already mentioned before. Writing down sensitive data on paper is a risky practice. Thus, call centers are advised to start using a whiteboard. This limits the physical storage of customer details.
• Banning mobile phones in contact centers. A contact center compliance with PCI might be top-notch. However, if mobile phones are allowed, data might still get leaked. Call centers must therefore prohibit mobile phone usage.
• Prohibiting personal items and bags. Personal items and bags should be banned during work sessions. It is also advised that agents go through a security check when entering the building.

Summary

In this era, data safety is at the heart of customers’ concerns. Companies and call centers understood this well. This is what has led to the creation of PCI DSS security measures. 

Nowadays these security measures are a must for any call center aspiring to provide high-quality data protection. Not only do they ensure cardholder data safety. But they also highlight how much a contact center is committed to data protection.

This is why we at Simply Contact feature both PCI DDS and ISO/IEC 27001:2013 compliances. Being a call center that respects PCI DSS compliance checklist. Simply contact provides premium cardholder data protection.

If you are looking for an exceptional customer service provider, don’t hesitate to contact us.