PCI Compliance in a Contact Center: A Handy Guide

PCI regulations govern the exchange of payment data

PCI Compliance
Contact CentreInsights

Last Edited: June 1, 2023

Rebekah Carter

intoThe regulations set down by the Payment Card Industry (PCI) govern the exchange of payment data, storage, and utilization. 

While PCI has no legal authority to enforce compliance, it is a requirement for any organization looking to operate debit/credit card transactions. Worryingly, a 2020 survey by Verizon revealed that only 27.9 percent of organizations were fully compliant with the Data Security Standard (DSS) set up by PCI

Even worse, this was a visible decline from 36.7 percent in the previous year.  

To help businesses get back on track, let’s consider the various tenets of PCI-DSS and why they are proving so tricky for contact centers to comply with. 

What Does PCI Compliance Entail? 

PCI DSS spans six distinct areas to help protect payment information and customer data privacy. These include:

  1. Network Security
  2. Encryption
  3. Security software
  4. Access Restrictions
  5. Security Documentation
  6. Regular Network Audits

As contact centers regularly communicate over more channels, they now have many more considerations to make across each segment.

Yet, the lion’s share of a contact center’s responsibility in maintaining PCI compliance is agent training and quality assurance. IT must support the remaining components, communicating regularly with infrastructure providers.  

Critical Steps for PCI Compliance 

Many steps can make achieving and demonstrating compliance with PCI-DSS easier. 

First, clarify the processes surrounding payment data collection. Also, encrypt payment data fetched from public systems, CRM, websites, e-Commerce apps, supplier portals, etc.

Next, it is essential to secure payment data storage in repositories protected by role-based access, multi-factor authentication, and robust network firewalls. 

Finally, document all security policies and the measures taken to enforce them, like agent training.

Tips for Complying with PCI DSS in the Contact Center

Aside from choosing a compliant CCaaS solution and following the steps above, companies can also follow best practices like:

  • Redaction: The PCI security standards require companies to minimize the personally identifiable information they store. DTMF masking, automated systems for payment collection, security codes, and record pausing may help here.
  • Network Security: To secure networks, companies need to ensure they have a firewall and router in place, as well as internal processes which allow for extra layers of protection. The IT team must permanently restrict traffic from unsafe networks and hosts.
  • Role-Based Security: Reducing the number of agents or contact center employees with access to sensitive data can improve PCI compliance. Access-based controls make it easier to ensure fewer employees can access sensitive information.
  • Implementing Policies: Companies can enforce strict policies to help employees to adhere to PCI compliance. This may include guiding team members on how to collect personal information and ensuring every employee uses unique passwords.
  • Reduced Storage: Ideally, companies should reduce the amount of information they have collected and stored in-person or online. Avoiding using a pen and paper to collect information and removing unnecessary data from the database are practical steps.
  • Encryption: While PCI regulation standards don’t specifically mention encryption, they require cardholder information to be stored with the right “cryptography” components. Using encryption at a minimum strength of 265 bits is essential.
  • Agent training: Regular agent training can help to ensure PCI compliance standards are consistently adhered to throughout the workforce. Deliver coaching to employees continuously, especially when they exhibit risky behaviors.

Above all else, the contact center must continually enforce and examine PCI compliance. It’s not something companies should be checking in on each year. Instead, companies need to ensure they’re consistently monitoring and enforcing the proper security standards.

Such moves are essential as PCI DSS standards can be regularly updated, adding new requirements like a demand for multi-factor authentication to the mix. Staying on top of the latest regulations is crucial for businesses in the contact center space.

For more insights on running a compliant contact center, read our article: How Secure Is Your Contact Center?


Security and Compliance

Share This Post