The importance of PCI DSS for businesses of every size
Established in 2006, the Payment Card Industry Data Security Standard (PCI DSS) is a vital compliance standard for any organisation collecting, storing, or processing payment card data. While it is not legally enforceable, PCI DSS violations are considered serious security failings that can invite large penalties or even lead to a data breach. Yet most organisations have still not reached 100% PCI DSS compliance, as the requirements are rigorous and may appear too big an investment for small businesses. In a recent contact centre compliance survey by NICE, 99% of respondents admitted that there was room for improvement in their compliance tools and software.
The Payment Card Industry Data Security Standard (PCI DSS) is a collection of rules governing how payment data is exchanged and used, defined by the Payment Card Industry Security Standards Council and enforced by the major card brands: Visa, Mastercard, American Express, Discover, and the Japan Credit Bureau (JCB). Its purpose is to prevent card fraud and close the security gaps in transaction handling that multiply fraud risk.
In 2021 and beyond, PCI DSS is extremely important for businesses of every size because:
Amid this high-risk environment, customer demands are continually evolving. But in a bid to provide convenient, flexible, and empowering experiences, companies cannot compromise on the security of payments and business transactions. This is where PCI DSS comes in.
PCI DSS lays down six clear objectives you must fulfil in order to demonstrate compliance and stay secure:
As you can see, PCI DSS isn’t a single, specific rule that you can implement in your contact centre. It is an overarching guideline that seeks to regulate the entire ambit of card-based payment transactions, both in your contact centre and your online/offline point of sale. Companies that achieve PCI DSS certification are viewed as highly trusted entities, and this certification is typically necessary if you want to transact with government bodies or operate in a regulated industry like healthcare or financial services.
Conversely, failure to implement PCI DSS can result in heavy fines even if there is no actual data breach. For example, the Information Commissioner’s Office (ICO) recently fined Ticketmaster UK £1.25 million for lapses in PCI DSS and GDPR compliance, despite the breach having been caused by a third-party application exploit.
For this reason, it is advisable to stay on the right side of PCI DSS by following these best practices:
According to PCI, there are four categories of companies, and your compliance burden varies accordingly. Companies are segmented by how many transactions they process annually: fewer than 20,000, between 20,000 and 1 million, 1 to 6 million, or more than 6 million. For small businesses, a yearly assessment based on a self-assessment questionnaire (SAQ), along with a quarterly PCI scan of your technology environment, will suffice. Larger organisations must undergo an audit once a year led by an authorised PCI auditor. Additionally, they must have a PCI scan run by an approved scanning vendor (ASV) every quarter and submit the resulting report.
No matter the size of your business, it is advisable to conduct and document quarterly audits and refresh your certification annually, so that you are always up-to-date with PCI DSS mandates. Large companies can go a step further by appointing a certified PCI professional to their in-house compliance & security team.
With so many objectives and a lot of ground to cover, it can be difficult to pinpoint where exactly you should start your PCI DSS compliance efforts. It’s best to take a prioritised approach, tackling the most high–risk and high–exposure activities first, before delving into the details. Here is the recommended milestone sequence:
This entire process must be carefully documented so that you can demonstrate compliance and obtain PCI DSS certification. You can choose to have an authorised PCI auditor present to simplify certification.
Legacy technologies and contact centre systems are responsible for many of the PCI DSS violations that commonly occur, even if you have a strict procedure in place for your agents. For example, with traditional systems an agent must manually pause and resume the call recording while a customer keys in card details via DTMF. The agent might forget to resume the recording, so the rest of the call isn't captured, or might press pause at the wrong moment, so card digits end up on the recording. A modern contact centre system automatically pauses and resumes the recording while sensitive data is being shared, or uses DTMF masking to suppress cardholder data altogether.
Fortunately, contact centre providers are joining hands with compliance experts to make PCI DSS a top priority. Recently, Avaya partnered with Semafone to enable a PCI DSS compliant Session Border Controller (SBC) for contact centre environments.
You can also use speech recognition to detect automatically when cardholder data is being spoken and pause the call recording. Speech recognition even enables automated, agentless interactions, further reducing your risk exposure. If you are migrating to a cloud-based contact centre in the next few quarters (as 62% of contact centres are, according to Cisco), choose a PCI DSS-certified solution such as Bright Pattern, NICE inContact, etc.
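The automatic pause-and-resume and the masking of spoken card numbers described in the two passages above, as an added illustration written for this page (not code from the original article or from any vendor named in it). The call events are constructed; recording pauses on the first keypad digit, resumes on the next speech event so it can never be left paused, and any Luhn-valid 13 to 19 digit run in transcribed speech is masked down to its last four digits.

```python
import re

# Constructed sample call events (kind, speaker, payload); not real traffic.
SAMPLE_EVENTS = [
    ("speech", "agent", "Please key in your card number now."),
    *[("dtmf", "customer", d) for d in "4111111111111111"],
    ("speech", "agent", "Thank you, the payment was approved."),
    ("speech", "customer", "I also read it out, 4111 1111 1111 1111, in case it failed."),
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, ending on a digit.
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell a card number from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in transcribed speech, leaving only the last four digits."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()     # not a card number (e.g. an order reference): keep as-is
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def record_call(events) -> list[str]:
    """Build the call recording: keypad digits are never written, and the pause ends
    automatically on the next speech event, so no agent action is needed to resume."""
    recording, paused = [], False
    for kind, who, payload in events:
        if kind == "dtmf":
            if not paused:
                paused = True
                recording.append("[recording paused: keypad entry]")
            continue
        if paused:
            paused = False
            recording.append("[recording resumed]")
        recording.append(f"{who}: {mask_pans(payload)}")
    return recording
```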
This is a simple best practice that is frequently overlooked by contact centres in a bid to reduce compliance costs. However, as we mentioned, fines for non-compliance can go up to several million, not to mention irreparable damage to customer trust and market reputation. The three types of certified audit professionals you could engage are:
At the end of the day, PCI DSS compliance is part of your overall data security and governance blueprint – any loophole at that higher level will trickle down to affect payment information as well. For example, if your data resides in silos without centralised visibility or an accurate map of data flows between functions, it will be extremely difficult to trace an exposure back to its root cause. An ongoing vulnerability could also go undetected, resulting in inadvertent non-compliance.
For this reason, your overall data governance capability – including GDPR, customer data protection, agent data privacy rights, confidential IP, knowledge management, etc. – must be revisited. A centralised data store across the organisation that follows a set of standard protocols, privileges, and benchmarks is recommended. Payment data risk containment has to be formalised as part of your overall data security strategy and not relegated to the contact centre or e-commerce management alone.
Despite growing concerns around data security and customer data breaches, compliance actually appears to be declining. Between 2018 and 2019, full compliance with PCI DSS fell from 52.5% to 36.7% globally, continuing a steady downward trend from a 55.4% peak in 2016. Notably, APAC leads in terms of compliance at 69.6%, compared to 48% in EMEA and just 20.4% in the Americas.
Going forward, companies must buck this trend by avoiding the following pitfalls: