The Payment Card Industry Data Security Standard or PCI DSS is a security standard for companies taking credit card payments from customers who use major credit providers such as Visa, American Express or Visa, and administered by the Payment Card Industry Security Standards Council.
Launched in 2004, it was designed to reduce fraud around electronic card transactions and defines very precisely the standards companies need to fulfil to comply.
However, while there are very comprehensive rules set for protecting Personally Identifiable Information (PII) at the back end, regulation around the collection of that information on the front end through contact centres is remarkably thin, all the more surprisingly considering the potential for credit card fraud if data isn’t collected and stored securely.
In the course of a phone call to a contact centre, customers may give out their full credit card information including expiration dates and CVV. While the vast majority of agents are honest, there is nothing to prevent those that aren’t to make a note of it on a pad for fraudulent use.
Furthermore, many companies record calls for training purposes nowadays which means that this sensitive data is kept, often not encrypted and accessible by a large proportion of the contact centre personnel. For multi-sites contact centres and those using home-based phone agents, ensuring security is even more challenging.
To address these concerns, the PCI DSS Council issued a revised Frequently Asked Questions document in 2011 clarifying that companies with contact centres are not allowed to store communications with card data if those recordings can be queried.
For businesses who do take orders over the phone, there are technological solutions that can assist them, such as Interactive Voice Response (IVR). At the point of sales, the call can be transferred to IVR, which will collect the credit card information without it ever being accessible to the agent.
However, this makes for a slightly awkward interaction so solutions like agent-assisted automation may be preferable. In that system, the agent stays on the phone and customers enter their information into the company’s CRM software themselves through the keypad of their phone. The tones made by each digit are suppressed so that agents can’t recognise numbers. This solution also provides a great level of safety.
Is your contact centre compliant with PCI DSS? If you would like to know more, contact CorporateConnect on 0800 230 000 or via our contact form.