Understanding PCI compliance: The role of the channel


According to the latest Payment Security study by Verizon, almost half of global organisations fail to comply with the security standards laid out by the Payment Card Industry to ensure customer payment data is fully protected.

The Payment Card Industry Data Security Standard (PCI DSS) was originally set up by leading card brands VISA and MasterCard to help businesses that take card payments reduce the risk of fraud. The standard is now regulated by the Payment Card Industry Security Standards Council (PCI SSC) and is made up of a set of 12 mandatory requirements, all designed to protect data that is processed, transmitted and stored during manual or electronic payment transactions.

Any organisation operating a contact centre that takes card payments from customers over the phone is responsible for keeping that data as safe and secure as possible. Therefore, any organisation that stores, processes or transmits cardholder data from the major card schemes must comply with PCI DSS requirements.

How does it work?

The PCI compliance standards work to protect against card fraud by making sure every business that handles cardholder information does so in a way that keeps the data secure and protected.

If a contact centre wants to handle card payments from any of the major schemes, it must comply with the following 12 rules:

  • Install and maintain a secure firewall
  • Use unique passwords (rather than defaults)
  • Encrypt stored data
  • Encrypt data during transmission
  • Keep anti-virus software current and updated
  • Regularly check systems and applications are secure
  • Ensure access is restricted to only those who need it
  • Make sure those with access have a unique user ID
  • Ensure physical access to data is restricted and controlled
  • Make sure access to network and data is tracked and monitored
  • Regularly test security systems and incident response plans
  • Have a clear information security policy

Adhering to each of these requirements will ensure PCI DSS compliance for the contact centre. However, it's important to remember that PCI compliance doesn't automatically reduce risk or make an organisation more secure; there are, though, services available to do just that.

Why is it important?

The PCI DSS requirements are designed to combat card fraud by keeping cardholder data safe from hackers and other security breaches, but it's not just customers' safety that is protected.

A single data breach is now estimated to cost a company $3m on average, while the loss of connectivity caused by a breach or DDoS attack can prevent businesses operating for long periods of time. Not only can this negatively affect (or even ruin) a company's reputation, it also damages confidence in the industry as a whole.

While PCI DSS compliance is not a legal requirement, it does ensure compliance with the Data Protection Act, therefore protecting organisations legally should the worst occur. If a system is compromised and the company is found not to be PCI DSS compliant, the business could face severe penalties, such as brand damage, lawsuits and legal costs, share price drop, job losses, insurance claims, regulator fines, higher banking fees, and potentially, the loss of ability to accept card payments.

These, coupled with the fraud losses, the cost of replacing cards, loss of customer confidence, and the ensuing decrease in sales can all lead to a company suffering huge financial losses or even going out of business entirely.

Rather worryingly, it has been reported that 9 out of 10 large organisations suffered a security attack in the past five years; so how can you help your customers avoid becoming one of these firms?

A Partnership Approach

From a channel perspective, there are many opportunities to support customers with payment card security solutions that integrate with existing contact centre and CRM systems.

You can work with customers to provide an annual PCI checklist to help them remain compliant. There are several checks that must be performed annually to maintain security and mitigate the risks of a compromise of card or personal data.

On top of this, with the new GDPR rules coming into force in May 2018, contact centres will be obligated to let callers know just how their data is being handled, stored, processed and used. Businesses will be held more accountable and legally liable for any data breaches that occur, so making sure compliant payment security is in place is more of a priority than ever before. This provides greater opportunities to engage with customers looking for support in this field.

Phil Jude is Partner Manager at PCI Pal