Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Finance > THE IMPACT OF TIGHTER PCI DSS RULES ON FINANCIAL SERVICES’ CONTACT CENTRES

THE IMPACT OF TIGHTER PCI DSS RULES ON FINANCIAL SERVICES’ CONTACT CENTRES

Published by Gbaf News

Posted on February 19, 2015

6 min read

Last updated: January 22, 2026

Visual representation of PCI DSS compliance in financial services contact centres - Global Banking & Finance Review — An illustrative image depicting the importance of PCI DSS compliance in financial services contact centres, highlighting security measures and data protection strategies essential for safeguarding customer information.

By Justin Hamilton-Martin, CEO, Ultra Comms

The new, tighter rules around the Payment Card Industry Data Security Standard (PCI DSS) impacting any company taking payments over the phone came into effect on January 1^st 2015. Under these enhanced international standards, non-compliance costs will be applied sooner and escalated more quickly: for a small-to-medium sized organisation, this could easily reach $250,000 (£166,000). In a larger financial services company, those costs could be a lot more.

Plus, as Ben Densham, CTO of Nettitude, adds: “Firms that fail to keep up can expect to incur costly fines, but the financial implications of failing to remain compliant can be far higher, with data breaches often costing victims a small fortune. With reputational damage also a major factor, businesses must ensure that security is at the top of the agenda and that they are keeping in-line with all regulatory changes.”

These tighter measures mean that financial services companies – who have perhaps focused less on ensuring PCI DSS compliance in the past – are now having to make compliance a priority. Until now, many organisations have found PCI DSS compliance (particularly in contact centre environments where agents are talking to customers) a challenge, due to the volume of measures that need to be taken to protect customer data.

It is hardly surprising that a study from Verizon in 2014 found that less than a third of companies were still PCI DSS compliant a year after accreditation. There are multiple aspects to achieving PCI DSS compliance, including firewall and security checks, plus controls around the telephony infrastructure to enable contact centres to achieve compliance much more quickly and easily.

What is PCI DSS

The Impact Of Tighter PCI DSS Rules On Financial Services’ Contact Centres

The Impact Of Tighter PCI DSS Rules On Financial Services’ Contact Centres

Before we look at those steps in more detail, let’s quickly remind ourselves exactly what PCI DSS is, and why it exists. The PCI DSS standards were developed by the PCI Security Standards Council (SSC), whose founder members include American Express, Mastercard and Visa. These payment brands and their partners are the governing bodies that enforce any penalties businesses receive for non-compliance.

The PCI DSS standards exist to protect consumers from fraud or data breaches caused as a result of contact centre agents having access to payment details. I’d also argue that PCI DSS standards – when complied with – also protect an organisation, because it gives a company the evidence to prove that it was not the source of a confidential information breach.

The PCI DSS standards specify that customer credit card information must not be stored in any form, encrypted or not, and that companies are advised to implement technologies that require ‘no manual intervention by staff’. This means that the practicalities of PCI DSS compliance are considerable for any contact centre taking payments over the phone.

Steps towards simpler PCI DSS compliance when taking over-the-phone payments

There are various options for organisations looking to achieve PCI compliance when taking payments over the phone. These range from manual processes through to implementing the latest generation of technology solutions, which minimise the need for staff intervention. The processes undertaken depend on the number of transactions processed annually.

For instance, merchants that qualify for Level 1 are those that process over six million transactions per year, while those that fall into Levels 2-4 process up to 6 million transactions incrementally. The latter organisations can use the PCI Self-Assessment Questionnaire (SAQ) to self-certify, using a Self-Assessment Questionnaire (SAQ), within which there are four categories (A-D) and further sub-categories within those. Each organisation must decide which SAQ Level its’ business comes under.

In practice, the Level and the type of SAQ determine how many self-assessment questions an organisation has to answer to achieve compliance. The difference can be huge, ranging from a few dozen question up to in excess of 400 since January of this year (compared to around 300 last year), depending on a variety of factors (for instance, whether customers’ payment details are entered in to a contact centre’s computer network or not).

The volume and complexity usually determines just how much external assistance a company will want to achieve compliance, but clearly, the less time and effort involved, the less the cost to the company. So it is in an organisation’s interest to fall into one of the less demanding categories if possible. Of course, this cannot be at the expense of achieving robust compliance, which is where technology solutions have a role to play.

Technology has a role to play

Some PCI solutions are placed in front of the client’s phone system and stop the customers’ sensitive card details from even entering the contact centre environment (whilst retaining the agent safely in the loop) during the payment process, thus reducing the number of applicable compliance questions that need to be completed and ensuring that the company sits in the most basic level, namely SAQ-A certification. This approach generally uses technology known as DTMF (dual-tone multi-frequency) clamping, which completely mask the customer’s payment information from entering the contact centre and makes screen and call recording safe for organisations.

Another option which with readers may be familiar is ‘Pause/Resume’ PCI solutions. These are well established in the marketplace and allow contact centre agents to manually stop and start call recordings from their desktops. This method theoretically stops customers’ sensitive payment data from being recorded, but as the agents can still hear and potentially store customers’ details, these solutions do not guarantee safety. Therefore, organisations are still obligated to fulfil the more demanding requirements of SAQ forms C and D, compared to SAQ A and B.

This creates quite a heavy workload that negates some of the financial benefits of technology-versus-manual techniques. For instance, companies have to implement of a ‘white room’ policy prohibiting pens, paper, mobile phones, USBs or other storage devices from being taken into the contact centre environment.

2015 is the year that PCI DSS compliance has really come to the forefront and with the threat of increasingly heavy penalties, this is too important an issue to ignore. The good news is that while compliance can seem onerous, the effort and associated costs can be minimised, giving both financial services companies and their customers’ peace of mind around data privacy.