Cyber thieves are siphoning billions of dollars each year from businesses and consumers. The retail industry must remain vigilant in protecting customers’ private information. Any company that processes credit card information by phone, fax or online must comply with the Payment Card Industry Data Security Standard (PCI DSS). The stakes are even higher for retail call centers, particularly those that accept, handle or store credit and debit card data for ongoing purchases or recurring billing.
What is PCI Compliance?
PCI DSS is a set of 12 requirements developed and enforced by the major credit card brands. Although it is not a law, non-compliance can result in hefty fines starting at $5,000 per month. Call centers can also face resource-draining audits, increased transaction fees, and termination of merchant account agreements. A study released by the Ponemon Institute estimates that a single data breach costs an average of $3.86 million.
Retail call centers have a duty to educate staff about compliance and to secure the technology that transmits payment data. This information encompasses the full Primary Account Number (PAN), cardholder name, expiration date, and CVV security code. Unfortunately, a Semafone survey has revealed that 7 in 10 call centers are using outdated practices that compromise security. With basic defenses in place, many of the most common breaches are preventable.
Under the latest 3.2 PCI standards, your retail call center has a responsibility to implement the following policies and procedures to keep customers’ sensitive information safe:
Technology: Operate a Secure Network
Most of the PCI security standards address the technology tools merchants need to defend against cyber thieves and their automated tools. Among these guidelines is building and preserving a secure network that protects sensitive data. At a minimum, every workstation must have the protection of an antivirus program, a secure system configuration, the latest patches, a robust firewall, and strict employee access controls. Additional layers of protection fortify the network and internal applications to keep hackers from gaining access.
PCI compliance also requires call centers to maintain a vulnerability management program. This includes performing regular updates to software applications and operating systems, and evaluating each internal program for its security impact. Carrying an SSL certificate provides only the first tier of security between the customer’s browser and your server. Merchants must now take additional precautions to prevent malicious attacks and intrusions, including upgrading encryption protection to TLS 1.2 or higher.
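As an added illustration of the TLS 1.2 floor mentioned above (example code, not part of the original article or any vendor's product), the following Python builds a server-side TLS context that refuses anything older than TLS 1.2 and a small audit function a team can run against its own contexts. The certificate and key paths in the comment are placeholders; the legacy context only exists to show what the audit flags.

```python
import ssl

# Whether this OpenSSL build can still negotiate TLS 1.0 at all; some
# hardened builds cannot, in which case the legacy example is a no-op.
LEGACY_TLS_AVAILABLE = ssl.HAS_TLSv1

PCI_TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_server_context() -> ssl.SSLContext:
    """Server context that meets the TLS 1.2-or-higher requirement.

    In production you would also call
    ctx.load_cert_chain("/path/to/server.crt", "/path/to/server.key")
    (placeholder paths) before serving.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Set the floor explicitly rather than relying on library defaults,
    # which differ between Python and OpenSSL versions.
    ctx.minimum_version = PCI_TLS_FLOOR
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Emulates a pre-2018 deployment that still let TLS 1.0 through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if LEGACY_TLS_AVAILABLE:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def meets_tls_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= PCI_TLS_FLOOR


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("legacy", legacy_context())):
        print(f"{name}: minimum={ctx.minimum_version.name} "
              f"compliant={meets_tls_floor(ctx)}")
```

The same floor check belongs in whatever configuration management or pre-deployment test suite owns the payment endpoints, so that a configuration drift back to TLS 1.0 or 1.1 fails a build rather than an audit.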
Monitoring and regularly testing access to company data helps call centers evaluate areas of susceptibility. Pay particular attention to weak passwords and misconfigured technologies, which provide the easiest points of entry. Larger companies must run quarterly scans for security compliance. However, every organization should validate the system at least annually and after every change in processes or programs. Service providers are now also responsible for performing external and internal penetration tests every six months. Automated tools are available to scan networks and web applications for vulnerabilities in the operating system, services, and devices.
Security: Encrypt Storage of Cardholder Data
Under the PCI compliance standards, companies cannot store customer information on unencrypted systems. Call centers have an obligation to restrict access to recordings and implement a destruction policy to prevent prolonged storage of data.
Retail contact centers have several options for securely accepting card data to reduce the risk of a breach. Going the low-tech route, agents can use a whiteboard, rather than pen and paper, to jot down numbers. The call center processes and purges information immediately. This satisfies the requirement to not store payment information.
However, the situation gets more complicated when calls are recorded for quality assurance. While customers read their card details to an agent, the recording must be paused. This prevents sensitive personal information from being stored in violation of the standard. Alternatives to stop-start recording technology include encryption software and tokenization solutions. These affordable options minimize merchant exposure by preventing the onsite storage of data.
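To make the storage rules in the two paragraphs above concrete, here is an added Python example (not code from the original article or from any tokenization vendor) covering both sides: a redaction pass that masks card numbers found in a transcript or log line, and a stand-in token vault so the contact center's own order record holds a token and the last four digits rather than the PAN. The vault, the transcript text, and the `tok_` token prefix are all constructed for this example; the card number used is the well-known Visa test number.

```python
import re
import secrets

# Matches 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits. Constructed pattern; tune for your data.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ \-]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Filters out order numbers and other digit runs
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask everything but the last four digits (PCI DSS allows at most the
    first six and last four to be shown; this keeps only the last four)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in a transcript or log line with its
    masked form; non-Luhn digit runs are left untouched."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ \-]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_RE.sub(_sub, text)


class TokenVault:
    """Stand-in for a tokenization provider (assumption: the real vault runs
    outside the contact center's systems). Tokens are random, so nothing about
    the PAN can be recovered from a token without access to the vault."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"[ \-]", "", pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the contact center keeps for an order: a token and the last four
    digits, never the PAN itself."""
    digits = re.sub(r"[ \-]", "", pan)
    token = vault.tokenize(digits)
    return {"token": token, "last4": digits[-4:], "amount_cents": amount_cents}


# Constructed sample transcript line. The 16-digit order reference is not
# Luhn-valid and so must survive redaction.
SAMPLE_TRANSCRIPT = (
    "Customer: the card is 4111 1111 1111 1111, expiry 12/26. "
    "Agent: thanks, your order reference is 1234567890123456."
)

if __name__ == "__main__":
    print(redact_pans(SAMPLE_TRANSCRIPT))
    vault = TokenVault()
    print(record_order(vault, "4111-1111-1111-1111", 4999))
```

The redaction pass is the piece to run over anything that might capture spoken card numbers by accident (call transcripts, chat logs, application logs); the Luhn filter keeps it from mangling order and reference numbers, at the cost of missing a card number that runs into adjacent digits.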
Call centers are also adopting DTMF suppression to securely accept phone payments. As customers tap their information on the keypad, the dual-tone multi-frequency technology masks the number tones so that they are indecipherable by a machine or person. Bypassing the contact center, the encoded data arrives directly to the payment processor. This approach also protects customers from being overheard when they share personal information while in public settings.
Accountability: Developing Security Policies and Staff Training
In addition to rigorous technical requirements, the PCI Security Standards Council outlines ways that call centers can create secure environments. These include implementing a security policy, training employees and controlling staff access to cardholder data. Developing, assessing and refining your company’s best practices is an ongoing process. The Information Security Policy should include your technology protection solutions, data storage methods, and access control measures as well as crisis strategies for incident response and business continuity. Every merchant is responsible for quickly responding to, documenting and reporting breaches and risky situations to their financial services provider.
The PCI Council suggests placing restrictions on agents’ use of company and personal devices as well as assigning every employee role-based access credentials to limit data exposure. Outline restrictions on employees accessing cardholder data and sharing it with other agents. Company policies should also include frequently changing passwords and automatic timeout of workstations.
Proper training of staff on PCI compliance is critical to reducing the risk of information leaks. When employees understand how to handle data securely and recognize hacking tactics, they become a call center’s strongest line of defense rather than its weakest link. “One of the best ways to combat that risk is to generate a culture of security and security awareness within your organization,” advises ControlScan QSA Brad Chronister in a short video explaining the unique challenges of processing payment transactions over the phone.
Regular education of employees who come into contact with cardholder data is a requirement of standard 12.6. Onboarding training, refresher courses, and coaching programs should be built into the annual calendar to keep employees alert to new hacking tactics and to share updates on new company procedures. One of the largest threats today is social engineering, a technique that fraudsters use to manipulate employees into giving up personal data. The quest to deliver excellent customer experiences can drive helpful agents to divulge details that thieves use to access accounts and steal identities. Campaigns to identify knowledge gaps in security awareness can help contact centers strengthen their defenses.
PCI Compliance Management: In-House and Outsourced
Meeting the demands of the PCI compliance standards is time-consuming and costly. Depending on how many credit card transactions your business processes, prices can easily exceed $200,000. Under the 3.2 standards, companies must appoint a staff member or department to be responsible for understanding PCI compliance, creating clear procedures, monitoring company security systems, inspecting vulnerabilities, enforcing rules and documenting changes. This is a big job, but this information is vital to have during the annual review.
Working with a BPO contact center can help you navigate the intricacies of processing payments across multiple communication channels while also significantly lowering compliance costs. With Ansafone’s expert retail call center services, you will be able to grow your business by providing excellent customer experiences that drive sales and build trust. Contact our PCI specialists at (800) 510-0514 to implement a secure payment system that exceeds today’s industry standards.