Thursday 1 August 2013

What are contact centres doing to address PCI DSS compliance?


Many contact centres are changing how they handle customer information under pressure to comply with the PCI DSS standard. However, while most merchants are trying to meet rising customer security expectations and protect their customers’ data, some still do not see PCI DSS compliance as a necessary step towards that goal.

In a recent Eckoh survey, 93% of contact centres either had a PCI DSS compliance programme under way or were planning one. Contact centres tended to adopt one of the following strategies, which achieve PCI DSS compliance to varying degrees:


Denial – “Fraud won’t happen to us”

17% rely on basic security as their main fraud deterrent, using manual processes and staff training to ensure that payment information is handled correctly. These contact centres also lean heavily on firewalls and other network security equipment to prevent breaches, and on encryption software for the systems that store customer information. Although these are good practice and form part of baseline systems security, they are not fail-safe and usually span generic systems without any specific focus on the payment-handling activity or processes of one department. None of them keeps card numbers and security codes out of the call recordings or the agent desktop, so those stay fully in scope for PCI DSS. A breach often spells financial and reputational disaster for the organisation involved.

Segmenting – separate payments areas, clean rooms, pausing recordings
42% of contact centres use additional controls to segment the payment process within the contact centre, for example by creating ‘clean room’ environments or segregating the staff who handle card details from other contact centre personnel. Although this is generally good practice, gaps remain. Call recordings and data collected on agent PCs and the network still hold cardholder data and remain in scope for a PCI DSS audit, so segmentation on its own will not address the full range of PCI DSS requirements.


As an additional step, some contact centres transfer calls to an unrecorded extension, where a second agent takes the customer’s card details (including the security code, the CVV) for authorisation. Keeping the CVV out of recordings matters: PCI DSS prohibits storing sensitive authentication data such as the CVV after authorisation, so a recording that captures it is a compliance failure in itself, not merely extra scope. Other systems (used by 30% of our contact centre sample) let agents manually pause and resume recording using buttons on their screen or handset.


These methods can work and are used extensively. The downsides are that they remain open to human error (an agent who pauses late, resumes early or forgets altogether leaves card data in the recording, and nothing in the process detects that it happened); and that standards and regulations keep evolving, so the gap to compliance keeps widening. The PCI Security Standards Council’s guidance also favours technical controls that prevent card data from being captured over procedural ones that depend on the agent.


Protecting – outsourcing the risk to PCI compliant service providers
More contact centres are realising the benefits of outsourcing their payment security requirements to PCI DSS Level 1 service providers, because it reduces the scope of the lengthy and time-consuming audit. Of our sample, 13% of contact centres use external vendor technology such as EckohPAY, where the agent transfers the call to an IVR platform at the point in the conversation when a payment needs to be taken. The caller then enters their card details using the telephone keypad.


Third-party cloud-based solutions such as EckohPROTECT can also be applied across the whole contact centre. With this method the agent asks the caller to enter their card details through the telephone keypad while the agent stays on the line. The agent is never exposed to cardholder data: the system masks the card entries on the agent screen and suppresses the DTMF tones so they are never recorded, while the call recording itself continues without interruption and with minimal agent intervention. This approach is proving popular with contact centres that are increasing the number of home-based and remote agents in their workforce, because those agents can use the same security systems as their premise-based colleagues.


Some businesses already have established methods for keeping payment data compliant on their IT network, so they only need to address the telephony side of their infrastructure. Solutions like CallGuard, which focus purely on call recordings, remove sensitive card data from the telephone conversation before it is recorded. They can also prevent agents from seeing any card data on screen, removing the opportunity for card data theft.
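The difference between the manual pause/resume approach described earlier and automatic DTMF capture is easiest to see on a concrete call. The following Python simulation is an added illustration and is not Eckoh’s, CallGuard’s or any other vendor’s code. The event model (a call as an ordered list of speech lines and keypad presses), the function names and the sample call, which uses the Visa test number 4111 1111 1111 1111, are all assumptions made for the example. It records the same call three ways: with the pause placed correctly, with the agent forgetting to pause, and with DTMF capture that diverts the digits to the payment system and masks them on the agent screen; it then runs the kind of scan an auditor would run over the recording archive.

```python
"""Constructed simulation of two ways of keeping card data out of a contact
centre call recording: agent-driven pause/resume of the recorder, and
automatic DTMF capture that routes keypad digits to the payment system
instead of to the recorder and the agent screen.

Added illustration, not Eckoh's, CallGuard's or any vendor's code. The event
model, function names and sample call are assumptions made for the example.
"""
import re
from typing import List, Optional, Tuple

# Assumed call model: an ordered list of (kind, payload) events, where kind is
# "speech" (a line the recorder would capture) or "dtmf" (one keypad press).
Event = Tuple[str, str]

# Constructed sample call using the Visa test number 4111 1111 1111 1111.
SAMPLE_CALL: List[Event] = (
    [("speech", "agent: may I take your card number now?"),
     ("speech", "caller: yes, keying it in")]
    + [("dtmf", d) for d in "4111111111111111"]
    + [("dtmf", "#"),
       ("speech", "agent: thank you, the payment is going through")]
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used both to validate a keyed PAN and to weed out
    false positives when scanning a recording for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(recording: str) -> List[str]:
    """What an auditor's scan of the recording archive does: every 13-19 digit
    run that passes Luhn is treated as a leaked card number."""
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", recording)
    return [c for c in candidates if luhn_ok(c)]


def record_with_manual_pause(events: List[Event],
                             pause_at: Optional[int] = None,
                             resume_at: Optional[int] = None) -> str:
    """Agent-driven pause/resume. Events with index in [pause_at, resume_at)
    are dropped from the recording; everything else, including DTMF digits
    decoded from the audio, is kept. If the agent never presses pause the
    whole card number lands in the recording."""
    out = []
    for i, (kind, payload) in enumerate(events):
        if pause_at is not None and resume_at is not None and pause_at <= i < resume_at:
            continue
        out.append(payload + "\n" if kind == "speech" else payload)
    return "".join(out)


def record_with_dtmf_capture(events: List[Event]) -> Tuple[str, str, str]:
    """Automatic capture. Keypad digits are diverted to the payment system;
    the recorder gets a flat marker per digit (standing in for a suppressed
    tone) and the agent screen gets a masked PAN showing only the last four
    digits, which PCI DSS requirement 3.3 permits to be displayed. Returns
    (recording, agent_screen, pan_for_payment_system)."""
    out, digits = [], []
    for kind, payload in events:
        if kind == "speech":
            out.append(payload + "\n")
        elif payload == "#":
            out.append("<end of entry>\n")
        else:
            digits.append(payload)
            out.append("<tone>")
    pan = "".join(digits)
    if not luhn_ok(pan):
        raise ValueError("card number failed the Luhn check; ask the caller to re-enter")
    agent_screen = "*" * (len(pan) - 4) + pan[-4:]
    return "".join(out), agent_screen, pan


if __name__ == "__main__":
    print("pause placed correctly :", find_pans(record_with_manual_pause(SAMPLE_CALL, 2, 19)))
    print("agent forgot to pause  :", find_pans(record_with_manual_pause(SAMPLE_CALL)))
    rec, screen, pan = record_with_dtmf_capture(SAMPLE_CALL)
    print("DTMF capture recording :", find_pans(rec), "| agent sees", screen)
```

The point of the simulation is the asymmetry between the two controls: with manual pause/resume the outcome depends entirely on the agent pressing the button at the right moment, and a forgotten pause is only discovered when someone scans the archive afterwards, whereas with DTMF capture the digits are never presented to the recorder or the agent in the first place, so there is no moment at which a mistake can leak them. The same structure applies to a real platform, where the "recorder" is an audio stream and the digits are detected from the tones rather than from a tidy event list.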


Cloud-based solutions are proving to be the most robust route to PCI DSS compliance available to contact centres, because they take the card data out of the contact centre’s own systems rather than trying to protect it there. Of our sample, 9% of contact centres had adopted such solutions, with a further 13% considering this approach as part of their future compliance programme.
