Credit Card Payment Security in Contact Centers
Credit card data theft is big business. No customer likes the thought of card details being stored on a company’s databases due to the risk of potential fraud. Contact centers that take payments over the phone need to make sure customer data is safe.
Theft of cardholder data is a significant problem, particularly for those transactions where the cardholder is not present. Contact centers in particular have been a target for data theft, with fraudsters either attempting to secure call center jobs or in many cases seeking to bribe contact center staff for this information, all in order to steal card details. According to the CIFAS Internal Fraud Database, over 20% of internal fraud cases originate in call centers, so consumers are right to be wary.
Adhering to legislation aimed at keeping consumers safe from credit card data theft is crucial for any contact center taking credit card payments. But compliance with these “PCI DSS” requirements can be difficult, particularly in contact centers where payments are collected and processed during live and recorded telephone interactions.
However, failure to comply can result in costly fines, damaged reputations, and the loss of customer relationships and the ability to process payments.
What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard. The PCI Security Standards Council published the Data Security Standard (DSS), an internationally recognized set of technical and operational requirements written specifically to protect cardholder data, reduce fraud and protect customers from data compromise. It has become increasingly crucial as emerging technologies (among other factors) have led to an increase in the number of fraudulent transactions.
To achieve compliance, organizations must adhere to rules related to policies and procedures, security management, network architecture and other crucial protective measures. They must also ensure that payments are processed securely and that customers’ payment data is kept safe throughout each transaction. Details that must remain confidential include the 16-digit card number (the primary account number, or PAN), expiry dates and CVV security codes.
The key hurdle in achieving this is that many companies are legally required to record their calls, so what happens if they’re also taking card payments over the phone? The recording and storage of this confidential data becomes a huge compliance headache.
How NOT to Achieve PCI DSS Compliance
Historically, many businesses have buried their heads in the sand when it comes to PCI compliance. Some call centers introduced a “clean room” policy where agents are not allowed to have pens, paper, mobile devices, etc., on their person or around them, in order to prevent details from being copied down and stolen.
Other companies limited telephone-based card payments to a small dedicated payment team, instead of all of their agents, hoping this would provide some security. Stop/start recording is yet another technique that contact centers have used to try to get around the problem. The idea behind this method is to have the agent manually stop the recording for the section of the live call in which the customer reads out their card details, then restart it afterwards. But this method is fraught with problems (a single missed pause leaves the card number in the recording) and does not completely fulfill PCI compliance requirements.
The PCI Security Standards Council advises companies trying to achieve PCI DSS compliance to implement technology that requires “no manual intervention by staff”, which clearly leaves stop/start recording as a far from ideal option for businesses seeking full compliance.
PCI Compliant Call Recording in the Cloud
Cloud technology offers an affordable yet totally secure alternative. Cloud PCI Compliance from West ensures that customer card data is never recorded or stored, while the whole of the call is still recorded with no reliance on the stop/start method.
West’s network-based recording service uses a unique secure mode activation service that is initiated every time card details are requested from a customer.
When prompted, the customer enters their card details using the telephone keypad, and even the sound of the buttons they press is masked. At the same time, the customer is still assisted by an agent. The agent never leaves the call, yet they never hear the card details. More importantly, at no point does the customer need to read their confidential data out loud. Once the payment has been authorized, the transaction ID and authorization code are passed back to the application, which allows any future refunds or repeat payments to be carried out securely without the card number ever being re-entered.
Because the agent is on hand throughout the call, it’s a much better customer experience with far less chance of confusion and drop-offs. This method eliminates the risk of fraud whether the agents are working onsite in the contact center or remotely.
Customers can rest assured that their payment card data is secure, increasing satisfaction and the likelihood of future transactions, and your business is removed from scope of PCI compliance.
All calls can be recorded as normal, with no reliance on manual (and potentially unsafe) procedures, while any other regulatory demands for call recording (such as those of the FCA) are also met. There is zero chance of customer card data being stolen from the recordings, as the data is simply not there to steal.
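The secure-mode flow described above (keypad entry masked in the recording, the agent kept on the line, only a transaction reference retained) and the stop/start failure mode from the earlier section, as an added Python simulation. This is not West's code: the `authorize()` gateway stub, the sample call and the stop/start transcript are all constructed for illustration. The `find_pans()` scanner is the check a practitioner would run over stored transcripts to confirm that no card number was captured.

```python
"""Simulated PCI 'secure mode' call recording: DTMF card entry is routed to the
payment handler and masked in the recording, and a Luhn-based scanner checks
that no card number (PAN) ended up in stored transcripts."""
import re
from dataclasses import dataclass, field
from typing import Optional


def luhn_ok(digits: str) -> bool:
    """Luhn check: true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Detection check: return Luhn-valid card numbers found in a transcript."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def authorize(pan: str, expiry: str, cvv: str) -> dict:
    """Hypothetical stand-in for the payment gateway (constructed values).
    Only the transaction ID, auth code and last four digits are retained;
    the full PAN and the CVV are never stored."""
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check")
    return {"transaction_id": "txn-0001", "auth_code": "A1B2C3", "last4": pan[-4:]}


@dataclass
class SecureModeRecorder:
    recording: list = field(default_factory=list)    # what is written to storage
    agent_hears: list = field(default_factory=list)  # what reaches the agent's headset
    secure: bool = False
    keypad: str = ""                                 # DTMF digits held in memory only
    result: Optional[dict] = None

    def handle(self, event: tuple) -> None:
        kind = event[0]
        if kind == "secure_on":
            self.secure = True
            self.recording.append("[secure mode on]")
        elif kind == "secure_off":
            fields = self.keypad.split("#")
            if len(fields) < 3:
                raise ValueError("incomplete card entry")
            pan, expiry, cvv = fields[:3]
            self.result = authorize(pan, expiry, cvv)
            self.keypad = ""                         # discard card data immediately
            self.secure = False
            self.recording.append(
                f"[payment authorized {self.result['transaction_id']} "
                f"card ending {self.result['last4']}]")
        elif kind == "speech":
            # the agent stays on the line and speech is always recorded
            line = f"{event[1]}: {event[2]}"
            self.recording.append(line)
            self.agent_hears.append(line)
        elif kind == "dtmf":
            if self.secure:
                self.keypad += event[1]              # digit goes to the payment buffer
                self.recording.append("[tone masked]")   # the tone itself is never stored
                # nothing is sent to the agent: they neither hear nor see the digit
            else:
                self.recording.append(f"[dtmf {event[1]}]")   # e.g. an IVR menu choice
                self.agent_hears.append(f"[dtmf {event[1]}]")


def run_secure_mode(events) -> SecureModeRecorder:
    rec = SecureModeRecorder()
    for ev in events:
        rec.handle(ev)
    return rec


# Constructed sample call: the customer keys in a well-known test card number via DTMF.
SAMPLE_CALL = [
    ("speech", "agent", "Happy to take that payment for you."),
    ("secure_on",),
    ("speech", "agent", "Please key in your card number, then press hash."),
    *[("dtmf", d) for d in "4111111111111111#"],
    ("speech", "agent", "Now the expiry date as four digits, then hash."),
    *[("dtmf", d) for d in "1228#"],
    ("speech", "agent", "And the three digit security code, then hash."),
    *[("dtmf", d) for d in "123#"],
    ("secure_off",),
    ("speech", "agent", "Thanks, that payment has gone through."),
]

# Constructed transcript of what stop/start recording captures when the agent
# forgets to pause: the spoken card number lands in storage.
SPOKEN_TRANSCRIPT = (
    "agent: Go ahead with the card number when you're ready.\n"
    "customer: It's 4111 1111 1111 1111, expiry 12/28, code 123.\n"
)

if __name__ == "__main__":
    rec = run_secure_mode(SAMPLE_CALL)
    print("\n".join(rec.recording))
    print("PANs in secure-mode recording:", find_pans("\n".join(rec.recording)))
    print("PANs in stop/start transcript:", find_pans(SPOKEN_TRANSCRIPT))
```

Run stand-alone, the secure-mode recording shows only masked tones and a transaction reference, so `find_pans()` finds nothing in it, whereas the same scanner flags the card number in the stop/start transcript. The scanner is deliberately conservative (Luhn-valid 13 to 19 digit runs only), which is the same test a compliance reviewer would apply to stored transcripts or speech-to-text output.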
Video: How to keep your contact center PCI compliant.