
Understanding PCI compliance: The role of the channel

With GDPR only months away, it's essential clients are fully compliant with payment standards


According to the latest Payment Security study by Verizon, almost half of global organisations fail to comply with the security standards laid out by the Payment Cards Industry to ensure customer payment data is fully protected.

The Payment Card Industry Data Security Standard (PCI DSS) was originally set up by leading card brands VISA and MasterCard to help businesses that take card payments reduce the risk of fraud. The standard is now regulated by the Payment Card Industry Security Standards Council (PCI SSC) and is made up of a set of 12 mandatory requirements, all designed to protect data that is processed, transmitted and stored during manual or electronic payment transactions.

Any organisation operating a contact centre that takes card payments from customers over the phone is responsible for keeping that data as safe and secure as possible. Therefore, any organisation that stores, processes or transmits cardholder data from the major card schemes must comply with PCI DSS requirements.

How does it work?

The PCI compliance standards work to protect against card fraud by making sure every business that handles cardholder information does so in a way that keeps the data secure and protected.

If a contact centre wants to handle card payments from any of the major schemes they must comply with the following 12 rules:

  • Install and maintain a secure firewall
  • Use unique passwords (rather than defaults)
  • Encrypt stored data
  • Encrypt data during transmission
  • Keep anti-virus software current and updated
  • Regularly check systems and applications are secure
  • Ensure access is restricted to only those who need it
  • Make sure those with access have a unique user ID
  • Ensure physical access to data is restricted and controlled
  • Make sure access to network and data is tracked and monitored
  • Regularly test security systems and incident response plans
  • Have a clear information security policy

Adhering to each of these requirements will ensure PCI DSS compliance for the contact centre. However, it's important to remember that PCI compliance doesn't automatically reduce risk or make an organisation more secure; there are, however, services available to do just that.

Why is it important?

The PCI DSS requirements are designed to combat card fraud by keeping cardholder data safe from hackers and other security breaches, but it's not just customers' safety that is protected.

A single data breach is now estimated to cost a company $3m on average, while the loss of connectivity caused by a breach or DDoS attack can prevent businesses operating for long periods of time. Not only can this negatively affect (or even ruin) a company's reputation, it also damages confidence in the industry as a whole.

While PCI DSS compliance is not a legal requirement, it does ensure compliance with the Data Protection Act, therefore protecting organisations legally should the worst occur. If a system is compromised and the company is found not to be PCI DSS compliant, the business could face severe penalties, such as brand damage, lawsuits and legal costs, share price drop, job losses, insurance claims, regulator fines, higher banking fees, and potentially, the loss of ability to accept card payments.

These, coupled with the fraud losses, the cost of replacing cards, loss of customer confidence, and the ensuing decrease in sales can all lead to a company suffering huge financial losses or even going out of business entirely.

Rather worryingly, it has been reported that 9 out of 10 large organisations suffered a security attack in the past five years; so how can you support your customers to avoid becoming one of these firms?

A Partnership Approach

From a channel perspective, there are many opportunities to support customers with payment card security solutions that integrate with existing contact centre and CRM systems.

You can work with customers to provide an annual PCI checklist to help them remain compliant. There are several checks that must be performed annually to maintain security and mitigate the risks of a compromise of card or personal data.

On top of this, with the new GDPR rules coming into force in May 2018, contact centres will be obligated to let callers know just how their data is being handled, stored, processed and used. Businesses will be held more accountable and legally liable for any data breaches that occur, therefore making sure compliant payment security is in place is more of a priority than ever before, providing greater opportunities to engage with customers looking for support in this field.

Phil Jude is Partner Manager at PCI Pal
