By Geoff Forsyth, Chief Technical Officer at PCI Pal
If your company takes card payments from customers over the phone, you are responsible for keeping that data as safe and secure as possible – not just to protect your customers but to protect your business as well.
Contact centres are the sharp end of communication for many businesses, linking them directly with their customers and representing the brand to the general public.
While their importance is clear, they do not come without downsides, and in 2018 one of the biggest challenges they face is data security. By their very nature, call centres are brimming with private information, so it is vital to ensure security measures are in place to keep potential hackers at bay.
Enter the Payment Card Industry Data Security Standard – or PCI DSS as it is also known. This is a set of 12 binding requirements that are designed to ensure complete data protection for merchants who take card payments from the major card schemes, such as VISA, MasterCard, AMEX, Discover and JCB.
Any organisation that stores, processes or transmits cardholder data from the major card schemes must comply with PCI DSS requirements. The PCI compliance standards work to protect against card fraud by ensuring every business that handles cardholder information does so in a way that keeps customer data secure and protected.
If a contact centre wants to handle card payments from any of the major schemes, it must comply with the following 12 requirements:
- Install and maintain a secure firewall
- Use unique passwords (rather than defaults)
- Encrypt stored data
- Encrypt data during transmission
- Keep anti-virus software current and updated
- Regularly check that systems and applications are secure
- Ensure access is restricted to only those who need it
- Make sure those with access have a unique user ID
- Ensure physical access to data is restricted and controlled
- Make sure access to network and data is tracked and monitored
- Regularly test security systems and incident response plans
- Have a clear information security policy
Ultimately, the PCI DSS requirements are designed to combat card fraud by keeping cardholder data safe from hackers and other security breaches, but it’s not just your customers’ safety that is protected.
By ensuring your contact centre is PCI DSS compliant, you are also protecting your business – both financially and legally. A single data breach is now estimated to cost a company $3m on average*.
Not only does this have the potential to negatively affect a company’s reputation, but it also damages confidence in the wider industry. While PCI DSS compliance is not a legal requirement, it does help ensure compliance with the General Data Protection Regulation (GDPR), protecting you legally should the worst happen.
If a system is compromised and the company is found not to be PCI DSS compliant, the business could face severe penalties, such as brand damage, lawsuits and legal costs, share price drop, job losses, insurance claims, regulator fines, higher banking fees, and potentially, the loss of ability to accept card payments.
These, coupled with the fraud losses, the cost of replacing cards, loss of customer confidence, and the ensuing decrease in sales can all lead to a company suffering huge financial losses, or even going out of business entirely.
To help ensure PCI DSS requirements are met, there are three continuous steps that should be carried out as follows:
- Assess – You must identify cardholder data and take an inventory of your IT assets and business processes for payment card processing, then assess them for vulnerabilities that could lead to a compromise of cardholder data.
- Remediate – You must fix any vulnerabilities and not store any cardholder data that you do not need.
- Report – The final step is to compile and submit compliance reports to the banks and card schemes you do business with, along with any remediation validation records if applicable.
Ultimately, maintaining a secure contact centre is a job that will continue to evolve, and your exposure, as a handler of valuable payment information, is only likely to increase. Investment in cyber-security is today an essential consideration, while PCI compliance will ensure customers’ sensitive payment card data is not put at risk.
*Ponemon Institute has identified the average cost of a breach as $3.62 million in its 2017 Cost of Data Breach study – https://www.information-age.com/data-breaches-financial-impact-123470254/