By Justin Hamilton-Martin, CEO, Ultra Comms
The new, tighter rules around the Payment Card Industry Data Security Standard (PCI DSS) impacting any company taking payments over the phone came into effect on January 1st 2015. Under these enhanced international standards, non-compliance costs will be applied sooner and escalated more quickly: for a small-to-medium sized organisation, this could easily reach $250,000 (£166,000). In a larger financial services company, those costs could be a lot more.
Plus, as Ben Densham, CTO of Nettitude, adds: “Firms that fail to keep up can expect to incur costly fines, but the financial implications of failing to remain compliant can be far higher, with data breaches often costing victims a small fortune. With reputational damage also a major factor, businesses must ensure that security is at the top of the agenda and that they are keeping in-line with all regulatory changes.”
These tighter measures mean that financial services companies – who have perhaps focused less on ensuring PCI DSS compliance in the past – are now having to make compliance a priority. Until now, many organisations have found PCI DSS compliance (particularly in contact centre environments where agents are talking to customers) a challenge, due to the volume of measures that need to be taken to protect customer data.
It is hardly surprising that a study from Verizon in 2014 found that less than a third of companies were still PCI DSS compliant a year after accreditation. There are multiple aspects to achieving PCI DSS compliance, including firewall and security checks, plus controls around the telephony infrastructure to enable contact centres to achieve compliance much more quickly and easily.
What is PCI DSS
Before we look at those steps in more detail, let’s quickly remind ourselves exactly what PCI DSS is, and why it exists. The PCI DSS standards were developed by the PCI Security Standards Council (SSC), whose founder members include American Express, Mastercard and Visa. These payment brands and their partners are the governing bodies that enforce any penalties businesses receive for non-compliance.
The PCI DSS standards exist to protect consumers from fraud or data breaches caused as a result of contact centre agents having access to payment details. I’d also argue that PCI DSS standards – when complied with – also protect an organisation, because it gives a company the evidence to prove that it was not the source of a confidential information breach.
The PCI DSS standards specify that customer credit card information must not be stored in any form, encrypted or not, and that companies are advised to implement technologies that require ‘no manual intervention by staff’. This means that the practicalities of PCI DSS compliance are considerable for any contact centre taking payments over the phone.
Steps towards simpler PCI DSS compliance when taking over-the-phone payments
There are various options for organisations looking to achieve PCI compliance when taking payments over the phone. These range from manual processes through to implementing the latest generation of technology solutions, which minimise the need for staff intervention. The processes undertaken depend on the number of transactions processed annually.
For instance, merchants that qualify for Level 1 are those that process over six million transactions per year, while those that fall into Levels 2-4 process up to 6 million transactions incrementally. The latter organisations can use the PCI Self-Assessment Questionnaire (SAQ) to self-certify, using a Self-Assessment Questionnaire (SAQ), within which there are four categories (A-D) and further sub-categories within those. Each organisation must decide which SAQ Level its’ business comes under.
In practice, the Level and the type of SAQ determine how many self-assessment questions an organisation has to answer to achieve compliance. The difference can be huge, ranging from a few dozen question up to in excess of 400 since January of this year (compared to around 300 last year), depending on a variety of factors (for instance, whether customers’ payment details are entered in to a contact centre’s computer network or not).
The volume and complexity usually determines just how much external assistance a company will want to achieve compliance, but clearly, the less time and effort involved, the less the cost to the company. So it is in an organisation’s interest to fall into one of the less demanding categories if possible. Of course, this cannot be at the expense of achieving robust compliance, which is where technology solutions have a role to play.
Technology has a role to play
Some PCI solutions are placed in front of the client’s phone system and stop the customers’ sensitive card details from even entering the contact centre environment (whilst retaining the agent safely in the loop) during the payment process, thus reducing the number of applicable compliance questions that need to be completed and ensuring that the company sits in the most basic level, namely SAQ-A certification. This approach generally uses technology known as DTMF (dual-tone multi-frequency) clamping, which completely mask the customer’s payment information from entering the contact centre and makes screen and call recording safe for organisations.
Another option which with readers may be familiar is ‘Pause/Resume’ PCI solutions. These are well established in the marketplace and allow contact centre agents to manually stop and start call recordings from their desktops. This method theoretically stops customers’ sensitive payment data from being recorded, but as the agents can still hear and potentially store customers’ details, these solutions do not guarantee safety. Therefore, organisations are still obligated to fulfil the more demanding requirements of SAQ forms C and D, compared to SAQ A and B.
This creates quite a heavy workload that negates some of the financial benefits of technology-versus-manual techniques. For instance, companies have to implement of a ‘white room’ policy prohibiting pens, paper, mobile phones, USBs or other storage devices from being taken into the contact centre environment.
2015 is the year that PCI DSS compliance has really come to the forefront and with the threat of increasingly heavy penalties, this is too important an issue to ignore. The good news is that while compliance can seem onerous, the effort and associated costs can be minimised, giving both financial services companies and their customers’ peace of mind around data privacy.