Keep Calm and De-Scope! PCI DSS Compliance for Contact Centres

Keeping your data secure without stifling innovation is possible with a little planning and technology.

Call centre agent working with PCI DSS Compliance

Colin Hay at Puzzel met up with Tony Smith at PCI Pal to discuss how to make compliance and customer experience the perfect match. Here are their thoughts and 3 ways to de-scope your contact centre.

As many more of us rely on credit and debit cards to pay for goods and services, the fear of our personal information ending up in the wrong hands is growing and the threat is real. According to research sponsored by IBM Security, the average total cost of data breaches is US$3.62million with each lost or stolen record typically costing US$141. Alarmingly, 47% of the organisations represented in the research said the root causes of data breaches were malicious or criminal attack followed by systems glitches and human error.

Three contact centre challenges

The truth is that data breaches result in lost sales and customer loyalty with the added burden of costs associated with finding the source of the original data breach, limiting damage control, repairing corporate reputation and fines. Contact centres accepting card payments often face an additional set of challenges:

1. Cardholder not present – when consumers make purchases online or in-store, they are generally in control of the payment and have their credit or debit cards with them. This is not the case in contact centres where paying via an intermediary is often a leap of faith as agents switch between screens and IT systems to complete customer card transactions.

2. Conflicting needs – customers want personalisation, immediacy, single agent resolution, choice of channel and they want companies to value their data security as highly as they do. Businesses want customer loyalty, employee engagement, standard IT platforms, effective cost control, risk and compliance management. Blending the two together can be a distant dream.

3. All channels, all ways – customers today expect to interact using a variety of channels but these vary greatly depending on demographics. While consumers under the age of 34 opt for mobile apps, social media and web chat, their more mature counterparts usually prefer the telephone. The payment experience has to be first-class whatever the channel or demographic.

Why take PCI DSS compliance seriously?

While the majority of card accepting contact centres understand the importance of protecting customer data from fraud and cybercrime, not all appreciate the importance of putting the Payment Card Industry Data Security Standard (PCI DSS) into practice. PCI compliance is linked to a decrease in data breaches but the fact remains that over 40% of global organisations are still not meeting PCI DSS compliance standards.

Traditionally, contact centres relied on a variety of compensating controls such as call and screen recording, encrypted VoIP technology and a clean room environment as a short-cut and cure-all for PCI Compliance. However, these methods have proved to be no more than a band-aid fix. The aim should be for contact centre agents to take card payments without handling the actual card data itself but how? The answer lies in working with a third party payment service provider to remove card data from the process, and the contact centre, to help achieve compliance.

Three ways to de-scope

1. Educate staff on phishing attacks and deploy anti-phishing software – in busy, high-pressure environments like contact centres, it’s easy for agents to click on an email that appears to be sent from a reliable source and inadvertently share sensitive information. Educating staff to identify and report phishing emails goes a long way in preventing attacks but check your anti-phishing software is up-to-date to help stop malicious emails reaching agents in the first place.

2. Ensure PCI compliance – from out-of-date anti-virus software and old hardware to not encrypting stored credit card details, there are multiple points whereby an organisation might not be PCI DSS compliant at the time of a data breach. When it comes to payments in the contact centre, the goal should be to ensure as little credit card data as possible is stored, accessed and, where possible it should removed from the environment

3. Make de-scoping technology your best friend – avoid storing card data on your internal infrastructure by working with a technology provider that ensures PCI DSS compliance and improves the ongoing security of all telephone, IVR, web and SMS financial transactions. Whatever the approach taken it is important for agents to continue to talk to customers to deliver a seamless, satisfying customer experience throughout the payment process.

When choosing a de-scoping partner, make sure their organisation is Level 1 PCI DSS certified. Only entities can be PCI DSS compliant not software solutions. The technology should also be highly customisable, scalable and integrate seamlessly with multiple acquirers and banks. Superior reporting
capabilities are essential for demonstrating PCI DSS compliance to Qualified Security Assessors (QSAs). The perfect de-scoping partner should additionally offer accessibility and stability with a 24/7 global support system including a dedicated secure customer portal and guaranteed 99.999% uptime.

It’s time to step-up protection and introduce de-scoping to stop cyber criminals in their bid to access sensitive payment data. By following these three simple steps, you’ll be rewarded with a highly flexible, innovative contact centre that delivers consistent, exceptional customer experience and boosts customer loyalty, sales and profits.

To find out more, join Puzzel and PCI Pal at a breakfast briefing on 4th October by registering here. Alternatively, visit to find out more about how Puzzel and PCI Pal can help you secure your customer data and protect the business without compromising the agility of your contact centre operations.

About the Author

Colin HayColin Hay is VP Sales at Puzzel. Colin is an experienced senior executive with a background in software, media and mobile communications. Following a distinguished eleven year career in the British Army, Colin completed an MBA. Prior to joining Puzzel, he worked for mobile giants Motorola, 02 and Three and is an Associate Fellow at Warwick Business School.

Leave a Comment