If your business takes credit card payments over the phone, you need to comply with PCI DSS guidelines. Credit card information should not be stored in any form, encrypted or not, and you are advised to implement technologies that require “no manual intervention by staff”. This can pose a significant challenge if you are required to record your calls to comply with other regulatory bodies, and for your own business development needs.
Wherever cardholder data is stored, processed or transmitted within an organisation, that part of the environment is in scope of PCI DSS controls. Assessing your payment channels and minimising the areas of the organisation that are within scope reduces the complexity and therefore cost of compliance, and more importantly, reduces the potential for a security breach.
Contact centres face several unique challenges in achieving PCI DSS compliance:
- Physical Environment. A clean desk policy can reduce vulnerability to a rogue agent; however, treating all agents as potential ‘rogues’ can be hugely demotivating and greatly increase staff attrition rates. Plus, the contact centre environment remains in scope.
- Call recordings. PCI DSS forbids the capture of the payment card security code on a call recording – even if it’s encrypted.
- Agents and the IT network. Empowering an agent with the flexibility to input cardholder data on the customer’s behalf brings the agent desktop and network connection into scope for PCI DSS.
Historically, ‘pause and resume’ was one of the most commonly known processes, where agents manually pause recordings when taking card data, and then reactivate it afterward. In fact, according to the 2016 UK Contact Centre Decision Maker’s Guide, 66% of organisations taking card payments are still using pause and resume solutions. However, if you’re using ‘pause and resume’ processes in your contact centre, you may need to think again.
Manual pause and resume does not de-scope the call recorder, and it is expected that the PCI DSS Council will deem that pause and resume will no longer be compliant when the next update to its standards is published.
So, what are the options for a compliant contact centre?
When regular payments are required, a Voice Portal / IVR solution can remove your contact centre from scope, reducing the scale of PCI auditing activity that you need to complete and the associated cost.
This can be set up to either start with an advisor assisted call, which transfers the customer to an automated IVR for the payment details to be entered, or where the payments are handled by an IVR system without the advisor being online.
While the payment transaction occurs, the advisor can either remain on hold until it is completed or assist other customers. A ‘mid call divert’ facility is frequently provided with this type of solution, enabling the customer to reach an advisor by pressing a single button on their telephone keypad or saying ‘advisor’ or ‘help’ (if speech recognition is used).
Customers can also dial directly into the IVR, enabling the transaction to be handled in a completely automated manner. This solution is common where regular payments are involved. As above, a mid-call divert facility can be provided to give the option of live operator assistance if required.
Automated solutions can, however, increase call abandonment rates, provide a less positive customer experience, and as a result, can have an impact on your brand.
On-Premise DTMF Masking
Masked DTMF (dual tone multi-frequency) based solutions enable your customers to enter their card details directly through their telephone keypad at any point during the call, with any agent; delivering better security and an improved customer journey.
The agent is never exposed to cardholder data and they can remain on the call throughout the payment process – greatly reducing call abandonment rates and lost sales opportunities. Plus, because neither the agent nor the call recorder ever receives any of the card details – either verbally or via DTMF – continuous call recordings are possible, delivering you a complete audit trail.
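To make the masking mechanism concrete, here is a small simulation of the media path described above. It is an added example written for this article, not Ultracomms' own code or any vendor's product. It assumes a constructed call model (a stream of speech and keypad events), three downstream legs (agent headset, call recorder, payment capture), and a stand-in payment gateway (`fake_gateway`, a hypothetical stub) that returns a token and last four digits. While secure capture is active, keypad digits reach only the capture buffer; the agent and recorder legs receive a uniform masked tone, so the PAN and security code never appear in the recording.

```python
"""DTMF masking simulation (added example; constructed call model, not vendor code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]          # ("audio", text) or ("dtmf", key)
MASKED: Event = ("dtmf", "*")    # uniform tone the agent and recorder hear instead of the digit


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit string; a sanity check before handing the PAN to the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fake_gateway(pan: str, cvv: str) -> Dict[str, str]:
    """Hypothetical stand-in for a PCI-certified payment gateway (constructed).
    Returns a token and last four digits; the PAN and CVV are not retained here."""
    return {"token": "tok_" + pan[-4:] + "_example", "last4": pan[-4:]}


@dataclass
class DtmfMaskingProxy:
    """Sits in the media path between the customer and every other leg of the call."""
    gateway: Callable[[str, str], Dict[str, str]]
    secure_mode: bool = False                     # True while card details are being keyed in
    agent_leg: List[Event] = field(default_factory=list)
    recorder_leg: List[Event] = field(default_factory=list)
    result: Dict[str, str] = field(default_factory=dict)
    _pan: List[str] = field(default_factory=list)
    _cvv: List[str] = field(default_factory=list)
    _field: str = "pan"                           # which field the customer is currently entering

    def handle(self, ev: Event) -> None:
        kind, value = ev
        if kind != "dtmf" or not self.secure_mode:
            # Speech, and keypad presses outside secure mode (e.g. IVR menu choices), pass through.
            self.agent_leg.append(ev)
            self.recorder_leg.append(ev)
            return
        # Secure mode: the digit goes only to the capture buffer; other legs get the masked tone.
        self.agent_leg.append(MASKED)
        self.recorder_leg.append(MASKED)
        if value == "#":
            self._complete_field()
        elif value.isdigit():
            (self._pan if self._field == "pan" else self._cvv).append(value)

    def _complete_field(self) -> None:
        if self._field == "pan":
            self._field = "cvv"                   # '#' after the PAN: move on to the security code
            return
        pan, cvv = "".join(self._pan), "".join(self._cvv)
        self._pan.clear()                         # clear buffers as soon as the gateway call is made
        self._cvv.clear()
        self._field = "pan"
        self.secure_mode = False
        if luhn_ok(pan) and len(cvv) in (3, 4):
            self.result = self.gateway(pan, cvv)
        else:
            self.result = {"error": "invalid card data, ask customer to retry"}


def dtmf_digits(leg: List[Event]) -> str:
    """Keypad characters as seen by one leg of the call."""
    return "".join(v for k, v in leg if k == "dtmf")


def run_demo() -> DtmfMaskingProxy:
    """Walk one constructed call through the proxy: an IVR menu press, then a masked card capture."""
    proxy = DtmfMaskingProxy(gateway=fake_gateway)
    proxy.handle(("dtmf", "2"))                   # menu choice before payment: passes through unmasked
    proxy.handle(("audio", "agent: please key in your card number, then press hash"))
    proxy.secure_mode = True                      # agent or workflow starts secure capture
    for key in "4111111111111111#":              # well-known Visa test PAN
        proxy.handle(("dtmf", key))
    proxy.handle(("audio", "agent: now the security code, then hash"))
    for key in "123#":
        proxy.handle(("dtmf", key))
    proxy.handle(("audio", "agent: thank you, the payment has been taken"))
    return proxy


if __name__ == "__main__":
    p = run_demo()
    print("recorder heard:", dtmf_digits(p.recorder_leg))   # "2" followed only by masked tones
    print("gateway result:", p.result)
```

Note that the recording stays continuous throughout: speech on both sides is still captured, and only the keypad digits are replaced, which is what preserves the audit trail while keeping the security code out of the recorder.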
On-premise DTMF masking solutions are technically still in scope for PCI DSS compliance, albeit the requirements are significantly reduced.
Off-Premise (Cloud-based) DTMF Masking
When DTMF Masking is deployed in the cloud your contact centre has effectively outsourced the payment process for PCI DSS purposes. With the contact centre environment completely out of scope the risk to your business has been completely removed, without impacting your operating profits, breaking your audit trails, or damaging your customer journey. Unlike other solutions on the market, cloud based DTMF masking solutions make it possible to protect your customers, your brand, and your bottom line.
The only way to guarantee PCI DSS compliance in the contact centre is to not capture the payment card information in the first place, and today, cloud based DTMF masking solutions make this an affordable reality.
Ultracomms is a PCI DSS Level 1 certified service provider and provides a range of PCI payment handling solutions from IVR and on-premise, to a fully PCI DSS Level 1 certified cloud-based offering. Our team are experts in contact centre compliance, and have been helping to manage clients’ customer interactions securely and compliantly for over a decade.
If you want to learn more about how to keep your contact centre out of PCI DSS scope, get in touch with one of our team at firstname.lastname@example.org. Alternatively, you can see how we’ve helped some of our clients become PCI DSS compliant here.