You may have heard the term PCI getting floated about in your call centre, although, unless you're directly involved, your knowledge of it might be a little cloudy. This blog outlines what PCI DSS is, why it is important for your contact centre and the main elements your contact centre should be concerned about.
What does PCI DSS stand for?
PCI DSS stands for Payment Card Industry Data Security Standard and was set up by five of the biggest card payment providers: Visa, MasterCard, American Express, Discover and JCB International. The card providers joined forces to clarify and align their fraud prevention measures and regulations in a single global standard. PCI DSS sets out guidelines and rules for merchants (organisations that take card payments) to follow. These guidelines aren't legally enforced; however, card brands can issue fines to merchants who don't follow the outlined procedures.
PCI DSS is not static: it changes every 3 years. The “Verizon 2015 PCI Compliance Report” found that only 20% of businesses are fully compliant with PCI DSS, although the average compliance rate (i.e. the proportion of all requirements and sub-requirements that are met) is close to 94%. The report also identified that just under one third of organisations are still fully compliant a year after they were given a successful validation. This concern is addressed by the latest version of PCI DSS, which aims to emphasise compliance as a “business-as-usual” approach.
Why is PCI DSS important for my Contact Centre?
“Chip and PIN” had a big impact on reducing Cardholder Present fraud; however, it did not contribute to an overall reduction, it relocated attempted fraud. As “chip and PIN” cards increase in popularity, Contact Babel predict this will cause an increased amount of Cardholder Not Present fraud, which can happen, for example, in a contact centre. Contact Babel produce leading benchmark reports for the call centre industry in both the UK and the US.
What are the main elements of PCI DSS?
There are 12 main elements of PCI DSS; 3 of them have a greater impact on contact centres than the others:
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Requirement 12: Maintain a policy that addresses information security for all personnel.
To view all 12 download Contact Babel’s Inner Circle Report here.
Requirement 3: Protect stored cardholder data
Call centres collect customer data every day, and this requirement tries to stop call centres and other merchants from storing unnecessary information. While some data is required at the time of a transaction, thereafter it is often not needed; in these instances the requirement kicks in, obliging merchants to have a systematic process for permanently deleting unnecessary data after validation. This reduces the risk of cardholder data fraud. Even where information is encrypted, the requirement suggests deletion over encryption. An important consideration for this requirement is that data can be stored in other places, not just as part of the formal card handling process, for example if a customer gives their details in an email or webchat.
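The last point, cardholder data turning up in channels outside the formal payment flow, is the one contact centres most often miss. The script below is an added example, not code from the original post or from Contact Babel: it scans constructed webchat transcript lines for candidate card numbers, keeps only those that pass the Luhn check (so a 16-digit order reference is not a false positive), and masks everything but the last four digits before the transcript is stored. The sample lines and the test card number are constructed; the regex and Luhn routine are general.

```python
import re

# Constructed sample transcript lines. The card number is a well-known
# test PAN, not a real card; the order reference is 16 digits but fails Luhn.
SAMPLE_TRANSCRIPT = [
    "Agent: Which card would you like to pay with?",
    "Customer: sure it's 4111 1111 1111 1111 exp 12/26",
    "Customer: my order reference is 1234567890123456",
    "Agent: Thanks, the payment has gone through.",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return substrings of text that look like PANs and pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> tuple:
    """Return (redacted_line, number_of_pans_found) for one transcript line."""
    pans = find_pans(line)
    for pan in pans:
        line = line.replace(pan, mask_pan(pan))
    return line, len(pans)


def scan_transcript(lines: list) -> list:
    """Redact every line; return [(line_number, redacted_line, pan_count), ...]."""
    return [(n, *redact_line(line)) for n, line in enumerate(lines, start=1)]


if __name__ == "__main__":
    for n, text, count in scan_transcript(SAMPLE_TRANSCRIPT):
        flag = "  <-- PAN redacted" if count else ""
        print(f"{n}: {text}{flag}")
```

Run this over chat and email archives before they are written to long-term storage; the count returned per line doubles as a metric for how often agents are being sent card details through channels that were never meant to carry them. The Luhn filter is what keeps the redactor from mangling order numbers, phone numbers and similar long digit strings.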
Requirement 4: Encrypt transmission of cardholder data across open, public networks
This requirement is concerned with the encryption of credit card data as it passes through the network, not just at one particular point or another. The network is only as strong as its weakest link, and badly configured wireless networks with out-of-date security and weak passwords are a particular concern. In the case of a contact centre, anywhere that card details can be accessed must be compliant.
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement 12 is solely concerned with addressing the responsibility of employees and the information they have access to. The requirement suggests organisations expose their employees to daily messages on security guidelines around dealing with sensitive data. In particular, the requirement places emphasis on homeworking agents.
For more information around PCI DSS and what it means for your contact centre download Contact Babel’s Inner Circle report here.