PCI compliance

What You Need to Know About PCI Compliance & Call Recording

The importance of PCI compliance cannot be overlooked by companies processing card payments. A Ponemon Institute survey found that 86% of companies considered it to be a top priority, and nearly half considered it the hardest standard to comply with. Why the formidable reputation?

PCI DSS compliance is not always well understood, perhaps due to its complexity. We have seen over time that this affects how small- to medium-sized businesses manage their telephony processes. This is because phone payments are tied to call recording, as well as the options open to an agent in their interaction with the customer.

PCI Compliance Facts

The PCI compliance standards exist for the protection of every party involved in a card payment. They do this by governing best practice for merchants (companies offering payments to customers). This in turn reduces the risk for payment card providers (whose reputations depend on the security of their services), as well as the issuing banks.

If your business acts as a merchant processing card payments, it will fall under one of the below categories, based on the volume of payments processed per year:

PCI compliance levels

Depending on the level, there are different PCI compliance requirements in order to protect the processing of sensitive data involved in card payments. The value of these requirements is best understood by what the outcomes of non-compliance can be:

  • Greater risk of a data breach – it is more likely that card data can be stolen and customers’ money is at risk. A breached merchant will be fined in accordance with their contractual relationship with a card provider.
  • Contractual penalties – not reaching the required level of compliance is a risk to payment card providers. Through their relationship with an issuing bank, fines can be imposed on merchants until they reach the required level.
  • Loss of reputation – In the event of a breach, media scrutiny can ensure that significant damage is done to a brand. This spills over and affects the merchant’s relationship with the card issuer, where further financial punishments can be handed out.

The ability to process phone payments is tied to being PCI compliant because a) card data must be transmitted to the merchant in some way, and b) these interactions will usually need to be recorded for regulatory, industry-specific practices or for internal business purposes. In the contact center, this effect is measured in PCI DSS scope, where the overall scope refers broadly to all devices and methods involved in the processing of card data.

Again, scope is relative to the PCI DSS levels. For example, the scope of a Level 1 merchant’s contact center operations would cover many agents in a tightly-controlled dedicated environment, requiring them to have the most up-to-date encryption and data storage security as well as an annual on-site assessment by a Qualified Security Assessor.

On the other hand, a Level 4 merchant with two agents processing card payments might only have to encrypt their telephony service and would fill out a Self Assessment Questionnaire to determine their scope.

What to Do

To reduce the cost of achieving the right level of PCI certification, the aim is to reduce your scope. A big part of achieving this is ensuring that if calls must be recorded, only non-sensitive data (i.e. not card data) is stored. babelforce’s call handling platform allows agents to stop and start recordings, giving them the control needed to take this data out of scope.

In the context of a call processing a card payment, this might look something like the following:

  1. An agent receives a call and informs the customer of the recording procedure. The customer agrees and the agent begins recording.
  2. The call reaches the point where card details must be taken, and so the agent pauses the recording. The data is processed by the agent.
  3. Once the sensitive data has been successfully processed, the agent resumes the recording for the remainder of the call.

There are now two call recordings, both potentially still containing personal information. The ability to tag them separately allows for easy retrieval in line with data protection legislation and other regulations.

But what if the agent makes a mistake, accidentally recording some of the card numbers? babelforce enables flagging of recordings, so they can be marked out for review by a call center manager.
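As an added illustration (not babelforce code or a babelforce feature), the sketch below shows how recordings could be marked for manager review automatically, assuming a text transcript exists for each tagged recording segment. The segment tags, transcripts and the `min_partial` threshold are constructed for this example.

```python
import re

# Spoken digits an agent or customer might say, mapped to numerals.
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def digit_runs(transcript):
    """Yield consecutive digits, whether typed or spoken; spaces and dashes are ignored."""
    run = []
    for tok in re.findall(r"[a-z]+|\d", transcript.lower()):
        d = WORDS.get(tok) or (tok if tok.isdigit() else None)
        if d is not None:
            run.append(d)
        elif run:
            yield "".join(run)
            run = []
    if run:
        yield "".join(run)

def classify(transcript, min_partial=8):
    """'full_pan' for a 13-19 digit run passing Luhn, 'digit_run' for a long partial run."""
    reason = None
    for run in digit_runs(transcript):
        if 13 <= len(run) <= 19 and luhn_ok(run):
            return "full_pan"
        if len(run) >= min_partial:  # assumed threshold for "part of a card number"
            reason = "digit_run"
    return reason

def review_flags(segments):
    """Map each segment tag that needs manager review to the reason it was flagged."""
    flags = {s["tag"]: classify(s["transcript"]) for s in segments}
    return {tag: why for tag, why in flags.items() if why}

# Constructed sample segments; the card number is the widely used test value.
SEGMENTS = [
    {"tag": "call-001/pre-payment", "transcript": "This call is recorded. My order number is 4 5 2."},
    {"tag": "call-001/post-payment", "transcript": "Sorry, that was four one one one 1111 1111 1111. Thanks."},
    {"tag": "call-002/post-payment", "transcript": "It ends in 1111 1111, anything else?"},
]

if __name__ == "__main__":
    print(review_flags(SEGMENTS))
```

A `digit_run` hit can also be a phone or order number, so it marks a recording for review rather than proving that card data was captured.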

Another feature which makes compliance easier is VoIP encryption. SRTP and SIP encryption come as standard on the babelforce platform, meaning that for the leg of the call in which data enters the merchant’s network, telephony is secure.

Takeaway

Due to the operational risk and expense of providing phone payment services, we have noticed that small- to medium-sized merchants opt for phone services which offer the required functionality at the lowest overall cost.

babelforce makes PCI compliance easier whilst integrating deeply with other business processes. Agents should be able to process compliant payments using their everyday helpdesk/CRM tools, and context data about these calls should also be made visible to BI reporting and dashboards.