PCI-DSS is short for the beautifully phrased term Payment Card Industry Data Security Standard.

It provides an actionable framework for developing a robust payment card data security process —including prevention, detection and appropriate reaction to security incidents.

Created in 2004 by four of the world’s largest credit card companies: MasterCard, Visa, Discover, and American Express, PCI-DSS compliance refers to a company’s adherence to a set of security regulations to protect consumers against the misuse of their personal information shared during a cash, credit or debit card transaction.

When is PCI-DSS required in a call centre?

PCI-DSS is required if your call centre is involved in taking any form of payment over the phone.

What’s involved in becoming PCI-DSS Compliant for a call centre?

There is a range of requirements in becoming PCI-DSS compliant in a call centre however they can be broadly split into three key areas:

1. People

  • Background checks on employees
  • Security Awareness training

2. Process

  • Documentation
  • Not writing down card details using pen and paper
  • Role-based security
  • Agents know their obligations

3. Technology

  • Anti-virus
  • Patching
  • System Configuration
  • Network security
  • Access control
  • Network, Firewalls, Switches etc

Ways to apply PCI-DSS in a call centre

  • Ensure the network your system runs on is compliant with PCI-DSS standards
  • Ban mobile phones on the call centre floor
  • Don’t allow pens and paper to write down any card details
  • Use technology that can assist (refer below)

PCI-DSS Technology for call centres

There are now a lot of solutions for call centres to support compliance with PCI-DSS. These include:

Enabling agents to manually pause call recording

When your agents are about to take a credit card payment they hit pause to stop recording and then resume once the payment has been completed.

Direct customers to a keypad payment solution

It’s normally a third-party solution that once an agent begins the authorisation process, the technology masks the DTMF touchtones so the agent and the recording do not record the payment details.

Use ‘pause and resume’ or ‘mute and unmute’ technology

Pause and resume will automatically pause the recording when the agent accesses the payment details page and resumes it again when the page is closed.

Mute and unmute does something similar except the call recording continues and is replaced by either silence or a tone signal.

Benefits of this approach is that as its a complete recording, the times will match up with all your other metrics like talk time, start and finish times etc making it easier to reconcile data at a later stage.

Remove payment details from emails and live chat (redaction)

Redaction uses Optical Character Recognition (OCR) to detect and remove credit card numbers.

Modern PCI-DSS Technology

One of the challenges with the above methods is they often involve transferring a customer to a third party solution rather than staying on the line with the customer.

There are now new solutions that enable the agent to remain connected to the customer throughout the entire transaction.

Customers can:

  • Receive a link sent to their phone so they can pay while they are online to the call centre
  • Use Apple Pay

Next steps

Be the first to comment

Leave a Reply