Trust but Verify — How PCI-DSS is Impacting Contact Centres Gone Remote

Gabriel Avner

Many companies are still playing catch up when it comes to finding solutions for working securely with payment details. We spoke with an expert for his tips on how to build customer trust

Trust but Verify — How PCI-DSS is Impacting Contact Centres Gone Remote

When COVID-19 forced contact centres to shut their doors and send their team remote, many of the challenges on their checklists were obvious.  

Tasks like ensuring that everyone had the hardware and connectivity to keep taking calls were at the top of everyone’s list. Worrying about maintaining regulatory compliance for industry standards like PCI-DSS was probably lower down as organisations were more concerned about staying in business long enough to be audited later. 

At first, the regulators were prepared to grant leniency in enforcing compliance standards. But now after nearly eight months of adjustment leeway, companies are expected to be putting in place safeguards to payment card data that will keep their customers protected from fraud. 

For companies handling payment card information, the move to remote work imposes challenges that they simply have not had to contend with in the past.  

Furthermore, being able to prove to auditors that they are taking sufficient steps is even more difficult as many of the protective measures that they relied on in the working from office days are far less feasible. 

The Challenge of Enforcing PCI-DSS in a Remote Work Reality 

Kieron Flood

Kieron Flood

Speaking with Kieron Flood, a Client Director at cloud communications provider Olive, he tells UC Today that maintaining compliance standards under PCI-DSS means meeting a checklist of some 263 different points that cover the controls and procedures that businesses take to ensure that their employees are taking the required precautions to keep payment card data safe.  

In order to meet these standards, companies have implemented policies that govern how employees are able to access payment card information stored within their systems. This generally means managing authorisations and identities of employees who are allowed to access this valuable information. By tracking who accessed what and creating a “paper trail”, these technology-driven safeguards should deter malicious activity by raising the probability of bad actors getting caught. 

However, there is always the human link in the chain that is hard to lockdown. For contact centres that take payment card numbers over the phone, a bad actor could, in theory, always just write the card number down on a piece of paper and sell them on the black market.  

In the office setting, companies can more or less keep an eye on employees with trusted supervisors. But in a work-from-home situation, this monitoring becomes downright impossible. And from a regulatory point of view, even harder to document that everyone was on their best behaviour. 

“As we try and transition into the working from home environment, the ability to be able to control and prove to the auditors that you have secured the locations which people are working from is very, very difficult,” says Flood, noting that in the home environment, a malicious insider can wreak havoc to a company’s reputation if they engage in fraud.

“The control measures that you have within an office space are becoming less controllable.” 

So, given the severity of the risk at hand, how can companies protect their customers and remain compliant in operating their contact centres? 

3 Trends Aimed at Improving Customer Security and Experience 

In his role working with Olive’s customers on modernising the way that they securely interact with their customers, Flood has noticed a number of trends and key points that are moving the conversation forward.

1 – Taking the Data out of Scope

When it comes to data security in general, the best way to avoid information falling into the wrong hands is to not store it in the first place.  

Flood says that some companies are taking basic steps to reduce their exposure by pausing recordings of calls when payment card numbers are taken 

He describes how, “Others are implementing more advanced solutions which allow for the full call to be recorded as the caller enters their card details into their keypad, the DTMF tones are masked so the agent is unable to recognise them. Once the information is captured, the system sends it directly to the card provider for approval, thus descoping the contact centre. Once that approval is given, the agent receives a notification and the transaction can proceed.  

An interesting security feature here that Flood points out is that this system uses a monotone for the keypad to avoid anyone familiar with the different button tones from identifying which numbers are being used.   

2 – Offer Multi-Channel Transaction Options

In a similar vein to the tact of taking humans out of the loop, Flood says that companies are beginning to offer alternatives to making transactions over the phone.  

Many customers, if given the option, would prefer to transact on their channel of choice, for me if I can be sent a link via WhatsApp, email or text, then I’ll do that,” he says, adding that, “It’s not only easier than entering in the keypad, but it also feels more secure. 

Flood is hardly alone. A recent study found that consumers’ use of chat technologies and social media has risen threefold (opens pdf) during the pandemic. 

With this scenario, a customer can be on the phone and carry out their payment, out of the scope of the agent. They can receive a link that takes them to a secure portal for the transaction. This cuts down much of the security risk, and also reduces the possibility of errors in taking his information.  

Moreover, Flood emphasises the point that, “Consumers now expect to be able to transact on the channel of their choice, and it is up to the companies to provide them with options if they aren’t to fall behind. 

3 – Tokenisation of Payment Details

Most business websites will offer the ability to store card data for repeat purchases or subscription services,” Flood explains, “However without a compliant solution in place, replicating this customer journey over your inbound channels has previously been difficult. A PCI-DSS solution overcomes this challenge by offering the same tokenisation methods on these channelssimplifying and improving customer experience whilst remaining compliant.” 

In their first transaction, the customer is offered the ability to store their card details for future purchase. If the customer agrees, then the agent can select the appropriate transaction type and the solution will request a token from the payment card provider. The token substitutes a string of random numbers for their customer data, leaving the real data stored in highly secured token vaults. The customer card data never enters the business environment and the tokens themselves, if intercepted, are useless to fraudsters.   

Using tokens also cuts down the time that it takes to transact, which not only improves customer experience but also reduce the cost to serve for the business by freeing up valuable agent time. “We have all experienced frustrating calls where misheard card numbers result in failed payments over the phone and you end up having to repeat card numbers multiple times in a hope the person on the other end hears you correctly the second time,” says Flood, noting today’s consumers are more sensitive to these hiccups and poor experience could be enough to put someone off a repeat transaction. 

 “If you build great relationships with your customers, deliver them a simple to use, brilliant experience and they feel they can trust you, then they will become long term customers and advocates of your business”

Trust is Key to Success 

While most consumers are willing to grant companies time to play catch up to the new ways of conducting commerce, their patience will likely not last forever. As they see that major brands that they use every day make it easier and safer to transact online, that is where they will go to do their business.  

Add to this mix the disruption that the pandemic has had on the brick and mortars, and we see that the value of an easy and reliable customer service experience can have on capturing those sales.  

But building trust is dependent on showing that you are taking steps to mitigate the risk of fraud. This means adopting tools that will make the transaction more secure and ensure that you are in line with compliance guidelines. Having that PCI-DSS logo on your website can go a long way in promoting your brand as trustworthy. 

The good news is that businesses appear to be listening to the increased demand for security, likely due in no small part to the rampant rise of cyber attacks that have sought to take advantage of the sudden WHF situation. Recent reports have shown that while security budgets are likely to take a hit as resources constrict across the board, businesses are placing a premium on protecting their payment systems due to their critical role in supporting online sales.   

Compliance as a Competitive Edge

Moving forward as the competition heats up, I would argue that forward-thinking companies will use compliance to gain a competitive edge, offering their customers a more secure purchasing experience. So, taken together, companies can promise their customers that they will not only make transacting with a smoother experience but a more secure one as well. 

Many companies are already moving to adopt some of the technology solutions that circumvent the human agents, which not only reduces risk but also means less time wasted on the line. 

Those businesses that are able to reduce their exposure and win over customers’ trust now will find themselves much better positioned as we navigate towards our new normal. 



Join our Weekly Newsletter