Taking Credit Card Payments? Here's Everything You Need to Know About PCI Compliance

It seems every year, the explosion of data breaches and credit card fraud grows, with the FTC reporting fraud losses of over $5.8 billion in 2021 alone. Thus, credit card safety has never been more critical or more vulnerable. But how do you protect your customers from fraud and also safeguard your organization from liability?  

If you run a contact center—or any business for that matter— that takes card payments over the phone, you must maintain the security of your customers. The future of your company may depend on it.

Here's what you need to know about payment card industry (PCI) compliance and tips to ensure adherence in your contact center: 

What is PCI Compliance? 

PCI compliance is one way that payment providers ensure companies do what they can to maintain the best security practices to keep cardholder information safe. Put another way; it is the operational and technical standards companies must follow to ensure that customer card information is protected and secure from breaches. 

Compliance standards are determined in agreements and terms of contracts with merchant service providers and payment service providers.  

While details of agreements may vary, the PCI Data Security Standard (DSS) is the typically accepted guideline for compliance overseen by the PCI Security Standards Council (SSC). There are three main aspects of PCI compliance:  

• Ensuring that sensitive card data is collected and transmitted in a secure manner  
• Data is stored securely  
• Security controls are validated each year according to the merchant level of requirements  

A contact center must complete an assessment comprised of 12 requirements that prove the company's systems and practices are secure to achieve compliance. They must also scan the process payment network, which requires the help of an outside organization. In some cases, small companies may be able to perform this themselves, while larger contact centers require a third-party assessment.  

The 12 main requirements are:  

1. Deploy and manage a firewall configuration that protects customer data 
2. Avoid vendor-supplied defaults for passwords and other security parameters 
3. Secure all stored cardholder information  
4. Encrypt all cardholder data across public networks  
5. Install and update anti-virus software to protect against malware  
6. Deploy and manage secure systems and applications  
7. Maintain need-to-know access to cardholder data  
8. Assign a unique ID to everyone with access to customer data  
9. Secure physical access to workplace and cardholder information  
10. Supervise all network access to resources and customer information  
11. Conduct regular penetration testing and vulnerability scans  
12. Provide all personnel with a policy that addresses data security  

In addition, PCI DSS has more than 300 sub-requirements to address security best practices. Failing to follow contract procedures can cause serious issues, such as thousands of dollars in fees and the potential cost of a data breach.  

IBM reported that the average price of a data breach in 2021 was $4.24 million. For most contact centers, the costs and headache of maintaining compliance are far easier than the expense of ignoring it.  

Businesses are categorized by level. Remaining compliant depends on business size, history, and the number of transactions performed each year. 

The four compliance levels are:  

• Level 1: Organizations that process over 6 million transactions or have experienced a breach that led to data loss.  
• Level 2: Organizations that process between 1 million to 6 million transactions yearly. 
• Level 3: Organizations that process between 20,000 to 1 million credit card transactions. 
• Level 4: Organizations that process less than 20,000 online transactions. 

Top Tips to Ensure PCI Compliance in the Contact Center 

To become PCI compliant, contact centers need to pay attention to how they use cardholder data to ensure it remains secure. Here are some of the top things to know about PCI compliance: 

PCI Compliance Applies to Almost Every Contact Center 

If a contact center accepts credit card payments, it must be PCI compliant, even if it only processes one transaction a year. Thus, even small contact centers must take steps to remain compliant.  

While filling out questionnaires can be tedious and frustrating, it is critical to maintaining compliance. Those who check yes to every question and are later compromised often face stiffer penalties. As a result, you need to take the steps to compliance seriously. 

Maintain Good Data Hygiene Practices 

In an effort to provide good customer service, many contact centers compromise cardholder data and fail to abide by PCI Compliance.  

For example, customer service reps take credit card information over the phone and keep ahold of sensitive data. One study found that 72% of contact center agents who collect payment information over the telephone still require customers to read their information aloud. Doing so is not compliant, leaving companies and customers vulnerable to scammers who can easily record and transcribe calls to steal information.  

It is essential to perform safe data practices to ensure PCI compliance and prevent compromised data.  

Other secure data practices include:  

• Using strong, unique passwords  
• Store only essential sensitive data and avoid physical copies  
• Keep all software up to date as older software and point-of-sale terminals are vulnerable to data breaches, while newer cloud-based systems have strong encryption  
• Use PCI SSC-validated card readers and payment software  
• Train employees to follow best practices and explain the importance of cardholder security  

Security starts with your employees. By implementing and practicing good data hygiene, you can better achieve PCI compliance and lower the risk of compromised information. 

Leverage Systems for Easier Compliance

PCI compliance does not have to be a long and tedious process. The right systems help secure contact centers with low-maintenance and PCI compliance support. 

For example, PCI Pal provides Level 1 PCI DSS certified PCI compliant solutions to help contact centers assist customers and take payments securely. As one of our recent partners, they provide a solution that makes PCI compliance easier for contact centers. 

Get PCI Compliant 

Maintaining PCI compliance is critical to improving cardholder security and preventing a costly information breach. Because contact centers are often required to handle sensitive customer data, abiding by PCI DSS minimizes the risk of leaking sensitive information and facing hefty fines. Always using best practices and the right tools will help ensure that data remains secure.  

If you need clarification on PCI compliance for your organization, we can help. Please reach out to get the information you need to maintain compliance and customer trust. 

If you enjoyed this article, you might also enjoy:

• Understanding Security in a Hosted Communications Environment
• Technology That Helps You Manage a Remote Contact Center Team