PCI Compliance for Contact Centres: How to Accept Payments Over the Phone Safely and Securely

In today’s digital age, where cyber-attacks, fraud and data breaches are frequent, organisations face increasing pressure to ensure they protect the customer data collected from handling payments over the phone.
In this blog, we’ll explore how your organisation can effectively utilise cloud contact centre software to safely and securely accept payments over the phone, adhering to PCI DSS compliance requirements.
What is PCI Compliance?
In 2006, credit card companies such as Mastercard and Visa worked with the Payment Card Industry Security Standards Council (PCI SSC) to establish the Payment Card Industry Data Security Standard (PCI DSS). This global standard mandates how organisations that store, process or transmit cardholder data, including payments taken over the phone, must safeguard that data from fraud or misuse. Failure to comply with this standard can lead to a monthly penalty of between $5000 and $100,000. The PCI Security Standards Council is responsible for developing and driving the adoption of data security standards to achieve safe and secure payments worldwide.
A rigorous and comprehensive security framework must be established and reviewed on an ongoing basis to ensure Payment Card Industry (PCI) compliance.
What Does PCI Compliance Mean for Contact Centres?
When call centre agents take payments over the phone, they handle sensitive customer data such as the cardholder’s name, expiry date and the Card Validation Value (CVV).
Contact centres that store, process or transmit cardholder data are mandated to adhere to PCI compliance standards. To ensure credit card transactions are taken securely, organisations must invest in a PCI DSS compliant payment tool for their contact centre to use throughout the payment process.
With more contact centre employees working from home, it is difficult to restrict physical access to payment card data as a means of enforcing security, achieving PCI compliance and avoiding a data breach. A better way to ensure PCI DSS compliant behaviour is therefore to ensure agents never have access to credit card details in the first place. You can achieve this through technology such as PaySCAPE, which lets the customer enter credit card information through the phone dial pad (to process credit card payments) while maintaining the voice connection between the agent and the customer.
The Role of PCI DSS in Protecting Cardholder Data
To safeguard cardholder data (payment account number, cardholder name & expiration date) and sensitive authentication data (CVV, CVC2, CAV2 or PIN), organisations must encrypt transmissions, set role-based permission access and segment their networks to mitigate the risk of any breach.
Understanding PCI DSS and its requirements
As of this publish date, there are 12 PCI DSS requirements, which are:
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data on a ‘business need to know’ basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all employees and contractors
Organisations that use contact centre software to take payments over the phone must ensure they completely understand the PCI DSS guidelines and implement all requirements to safeguard card data and operate in a compliant manner.
Why PCI Compliance is Crucial for Contact Centres
PCI DSS compliance ensures customer data is safeguarded and reflects your organisation’s stance and commitment on data security, fostering customer trust and loyalty.
The Risks of Non-Compliance
There are various risks that can eventuate from non-compliance with PCI DSS. These risks include security breaches compromising the cardholder data environment, potentially irreversible damage to the company’s brand reputation, legal fees and penalty costs.
Protecting Your Customers and Your Business
Data breaches can be devastating for customers to endure. Organisations hold the responsibility to protect personal data from exploitation by implementing the 12 requirements.
Steps to Achieve PCI Compliance in Your Contact Centre
Step 1: Assess Your Current Compliance Status
Evaluate the compliance framework and understand the security controls and risks. Document network security controls, review payment processors and appoint an Internal Security Assessor (ISA) to own the maintenance and execution. Often this role will then provide regular updates to the chief information security officer and lead an annual self-assessment questionnaire as part of maintaining compliance.
Step 2: Implement Strong Access Control Measures
Authenticate access to system components with MFA (Multi-Factor Authentication), adding extra layers of security to digitally accessible accounts, and maintain controls that actively prevent account takeover attacks.
Step 3: Protect Cardholder Data with Encryption
Organisations should not store cardholder data unless it is necessary to meet business requirements; where it is stored, sensitive information such as credit card data must be encrypted.
Step 4: Maintain a Secure Network Environment
Installing and regularly maintaining a firewall configuration is critical to preventing data breaches and cyber-attacks and to operating a secure network.
Step 5: Conduct Regular Security Assessments and Scans
How Contact Centre Software Can Help Achieve PCI Compliance
It is imperative for organisations that take payments over the phone to protect data and satisfy the requirements that form PCI DSS. Cloud contact centre software enables organisations to interact with their customers across multiple communication channels, allowing their frontline staff to accept secure payments while speaking over the phone.
Strong Access Control
IPscape’s cloud contact centre platform provides PaySCAPE, a financial institution agnostic payment solution that enables organisations to accept secure payments over the phone, meeting PCI DSS standards.
How does PaySCAPE work?
This solution utilises tokenisation throughout the payment process, which involves encrypting the payment card data and substituting the sensitive details with a non-sensitive equivalent, referred to as a ‘token.’
The typical payment process includes:

The agent on the call with a customer can see a visual status of what stage the customer is up to in filling out their payment details. However, the agent cannot view the credit card digits entered or hear audible tones. Encrypting all sensitive data enables any payment taken over the phone to comply with the PCI DSS requirements.
Organisations can select between two options to implement PaySCAPE, which are described below:
Enable customers to use the touch-tone keypad – When prompted during a phone call, a customer can use the touch-tone keypad to input their credit card details by pressing the relevant digits. The agent’s voice connection is maintained throughout the payment process, and the agent sees asterisks appear in real time, indicating that the customer is inputting their details. This allows the agent to guide the customer through the process, enhancing their experience. To facilitate payments over the phone outside business hours, PaySCAPE can be integrated into your IVR, enabling customers to make their payments through self-service without human assistance.
Trigger an SMS to the customer – While on a phone call with a customer, an agent can send an SMS to the customer’s phone number containing a link to a payment form. The agent can view which step of the form the customer has reached, which allows the agent to provide assistance relevant to that step. Once the form is completed, the agent can verify the customer’s card details by viewing the last four digits of the card number and the card brand, e.g. “your Mastercard ends with the digits 1234.”
Ultimately, when utilising either option of PaySCAPE, your organisation will meet PCI compliance requirements.
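The flow above (customer enters digits on the keypad, agent sees only asterisks, card data is tokenised, and the agent is left with just the brand and last four digits) can be made concrete with a small model. The following is an added example written for this page, not IPscape or PaySCAPE code: the brand lookup, the vault store (a plain dict standing in for an encrypted store) and the gateway call are constructed stand-ins, and the test card number 4111 1111 1111 1111 is a widely used test PAN rather than a real card. It also shows the one point the page leaves implicit: the CVV is used exactly once, for authorisation, and then discarded rather than stored.

```python
import secrets

# Added example, not IPscape/PaySCAPE code. Models the agent-facing side of a
# keypad (DTMF) payment capture: the agent view is asterisks only, the PAN is
# Luhn-checked and swapped for a random token, and the CVV is held only until
# a single authorisation call and then wiped.
# Assumptions: the brand map, the vault store and the gateway are stand-ins.

BRAND_BY_FIRST_DIGIT = {"3": "American Express", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_valid(pan):
    """Standard Luhn mod-10 check; rejects mistyped digit strings before tokenising."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs. Only the authorisation path reads a PAN back.
    Assumption: a production vault encrypts this store; a dict stands in here."""

    def __init__(self):
        self._pans = {}

    def tokenise(self, pan):
        token = "tok_" + secrets.token_hex(12)   # random surrogate, unrelated to the PAN
        self._pans[token] = pan
        return token

    def pan_for_authorisation(self, token):
        return self._pans[token]


class SecureCapture:
    """Collects keypad digits from the customer. The agent desk only ever receives
    the masked progress string and, after completion, the brand and last four."""

    def __init__(self, vault):
        self.vault = vault
        self._pan_digits = []
        self._cvv_digits = []
        self.result = None

    def press_pan(self, digit):
        self._pan_digits.append(digit)

    def press_cvv(self, digit):
        self._cvv_digits.append(digit)

    def agent_view(self):
        """One asterisk per digit entered; the digit itself never leaves this object."""
        return "*" * len(self._pan_digits)

    def complete(self):
        pan = "".join(self._pan_digits)
        self._pan_digits.clear()
        if not luhn_valid(pan):
            raise ValueError("card number failed validation; ask the customer to re-enter")
        self.result = {
            "token": self.vault.tokenise(pan),
            "brand": BRAND_BY_FIRST_DIGIT.get(pan[0], "Unknown"),
            "last4": pan[-4:],
        }
        return self.result

    def authorise(self, amount_cents):
        """Single use of the CVV: hand PAN and CVV to the gateway, then wipe the CVV
        so it is never retained after authorisation (PCI DSS Requirement 3)."""
        if self.result is None:
            raise RuntimeError("capture not completed")
        pan = self.vault.pan_for_authorisation(self.result["token"])
        cvv = "".join(self._cvv_digits)
        self._cvv_digits.clear()
        return fake_gateway_authorise(pan, cvv, amount_cents)

    def cvv_retained(self):
        return bool(self._cvv_digits)


def fake_gateway_authorise(pan, cvv, amount_cents):
    """Constructed stand-in for a payment gateway; returns an authorisation reference."""
    if len(cvv) not in (3, 4):
        raise ValueError("CVV missing or malformed")
    return "auth_" + secrets.token_hex(4)


def run_demo():
    """Walk the constructed test card through capture, tokenisation and authorisation."""
    vault = TokenVault()
    cap = SecureCapture(vault)
    for d in "4111111111111111":
        cap.press_pan(d)
    view_before = cap.agent_view()          # "****************"
    info = cap.complete()
    for d in "123":
        cap.press_cvv(d)
    ref = cap.authorise(1999)
    return {"view": view_before, **info, "auth_ref": ref, "cvv_retained": cap.cvv_retained()}


if __name__ == "__main__":
    print(run_demo())
```

The design point is the boundary: everything the agent desk can call (`agent_view`, the dict returned by `complete`) is non-sensitive by construction, while the PAN lives only inside the vault and the CVV only inside the capture object until the one authorisation call. Call recordings and agent screens built on that boundary have nothing to leak.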
Maintaining PCI Compliance: Best Practices
1. Conducting Regular Scans
Importance:
Vulnerability Detection: Regular scans help identify vulnerabilities in the payment card environment that could be exploited by attackers.
Requirement Adherence: PCI DSS mandates vulnerability scans (Requirement 11.2), including quarterly external scans and internal scans after system changes.
Proactive Risk Management: Regular scans provide early detection of configuration issues, outdated software, and exploitable weaknesses, minimising the risk of breaches.
Audit Preparation: Demonstrating regular scans is key to passing compliance audits and avoiding penalties.
Evolving Threats: Scans ensure systems remain secure against new threats as they emerge.
2. Staff Training on Secure Payment Handling
Importance:
Human Error Reduction: Staff are often the weakest link in security; training reduces the likelihood of accidental data exposure.
Compliance Requirements: PCI DSS emphasises the need for staff education (Requirement 12.6) to ensure employees understand security policies and procedures.
Detection and Response: Well-trained staff are better equipped to recognise suspicious activity, phishing attempts, and signs of potential breaches.
Customer Trust: Employees who handle payment data securely enhance customer confidence in the organisation’s security practices.
Policy Enforcement: Training ensures consistent adherence to security protocols and reduces variability in payment handling processes.
3. Incident Response Plans
Importance:
Quick Containment: A well-documented and tested incident response plan (Requirement 12.10) ensures rapid containment and mitigation of breaches.
Minimised Impact: Effective plans reduce downtime, financial loss, and reputational damage caused by incidents.
Regulatory Compliance: PCI DSS requires organisations to have a defined process for responding to security incidents, ensuring compliance and avoiding penalties.
Improved Coordination: Incident response plans ensure clear roles and responsibilities, streamlining communication during crises.
Continuous Improvement: Post-incident reviews improve the organisation’s ability to prevent and handle future security events.
Training Staff on PCI Compliance
1. Monitor Updates from PCI SSC
Stay Informed: Regularly visit the official website of the Payment Card Industry Security Standards Council (PCI SSC) for announcements, new standards, and guidance documents.
Subscribe to Alerts: Sign up for email updates and newsletters to receive notifications about changes in PCI DSS requirements.
Engage with Community: Participate in PCI SSC webinars, forums, and industry events to stay connected with the latest developments.
2. Conduct Regular Gap Assessments
Identify Compliance Gaps: Perform periodic internal reviews to compare your current security practices against the latest PCI DSS requirements.
Engage Qualified Assessors: Work with a Qualified Security Assessor (QSA) to validate compliance and identify areas for improvement.
Proactive Planning: Develop action plans to address new requirements before they become mandatory.
3. Maintain an Agile Security Program
Adopt Flexible Policies: Design security policies and procedures that can be easily updated to align with new requirements.
Continuous Improvement: Regularly review and enhance your security measures to stay ahead of evolving threats and compliance standards.
Automation: Use tools for vulnerability management, logging, and reporting to streamline compliance processes.
4. Invest in Ongoing Staff Training
Educate Employees: Ensure staff are updated on changes to PCI DSS and their roles in maintaining compliance.
Role-Specific Training: Provide tailored training for IT teams, compliance officers, and employees handling data.
Phishing and Threat Awareness: Train employees on evolving attack methods, such as phishing, to enhance security awareness.
5. Leverage Technology and Security Tools
Update Systems Regularly: Keep software, firewalls, and intrusion detection systems up to date with the latest patches and updates.
Implement Strong Access Controls: Ensure user access is limited to what is necessary and regularly reviewed.
Use PCI-Approved Solutions: When deploying new systems or tools, ensure they are PCI DSS-compliant and meet the latest version requirements.
6. Engage Third-Party Vendors Carefully
Vendor Compliance: Ensure that third-party vendors handling cardholder data are PCI DSS compliant and keep up with new requirements.
Regular Audits: Perform due diligence and audits of third-party services to confirm adherence to the latest standards.
Document Agreements: Maintain contracts that outline each party’s responsibilities for compliance.
7. Test Security Controls Frequently
Regular Penetration Testing: Perform tests to identify vulnerabilities in your systems as new standards emerge (Requirement 11.3).
Quarterly Scans: Conduct internal and external vulnerability scans (Requirement 11.2).
Test Incident Response Plans: Update and test your incident response plan to ensure it aligns with new compliance requirements.
8. Plan for Transition Periods
Understand Timelines: Familiarize yourself with the timeline for implementing new PCI DSS requirements.
Prioritise Updates: Address high-priority or mandatory changes first to avoid last-minute non-compliance.
Allocate Resources: Ensure budget and staffing are aligned with the demands of transitioning to new standards.
9. Engage in Industry Collaboration
Share Knowledge: Participate in industry groups and forums to learn how others are handling changes in PCI DSS.
Learn Best Practices: Benchmark your practices against peers to identify potential improvements.
Leverage Partnerships: Work with service providers and consultants to stay compliant with minimal disruptions.
Ongoing Monitoring and Incident Response
Common PCI Compliance Myths Debunked
Myth 1: PCI Compliance is a One-Time Process
Myth 2: Smaller Contact Centers Don’t Need to Worry About PCI Compliance
FAQ
What is PCI compliance, and why is it important for contact centres?
PCI Compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements designed to protect payment card information and ensure secure processing, storage, and transmission of cardholder data. PCI DSS was developed by major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) and is maintained by the Payment Card Industry Security Standards Council (PCI SSC).
Key Goals of PCI DSS:
Protect cardholder data.
Prevent data breaches and fraud.
Ensure the secure handling of payment transactions
How do I know if my contact centre needs to comply with PCI DSS regulations?
1. Do You Handle Payment Card Data?
Cardholder Data: If your contact centre collects, processes, transmits, or stores payment card information (e.g., card numbers, expiration dates, CVV codes), you must comply with PCI DSS.
Channels: This applies regardless of how cardholder data is handled—whether over the phone, via chat, email, or web forms.
Examples:
Agents inputting customer card details into a system for payment.
Processing payments through IVR systems or automated channels.
Storing recordings of phone calls where card data is mentioned.
2. Are You a Third-Party Service Provider?
Service Provider Role: If your contact centre operates as a third-party vendor handling payments on behalf of other businesses, PCI DSS compliance is required.
Shared Responsibility: You and your clients share responsibility for ensuring that cardholder data is protected.
Contractual Obligations: Many businesses explicitly require their service providers to comply with PCI DSS as part of the contractual agreement.
3. Does Your Business Use Systems That Touch Payment Data?
Technology Systems: If your systems handle or transmit payment card information (e.g., CRM systems, IVR platforms, call recording tools), compliance is necessary.
Call Recordings: If your contact center records calls, you need to ensure that sensitive data like card numbers or CVVs is not stored, as this would trigger PCI DSS requirements.
4. Do You Have Access to Cardholder Data?
Direct Access: Even if your agents don’t process payments, but have access to customer card details (e.g., customers read their card numbers aloud), PCI DSS applies.
Remote Work Considerations: If your agents work remotely, the same standards for protecting cardholder data apply to their home environments.
5. Are You Contractually Required by Your Clients?
Client Requirements: Many businesses include PCI DSS compliance as part of their service-level agreements (SLAs) with contact centres.
Audits: Clients may require proof of compliance, such as a self-assessment questionnaire (SAQ) or an attestation of compliance (AOC).
6. Are You Processing Transactions?
Payment Processors: If your contact centre acts as a payment processor or interacts directly with payment gateways, compliance is mandatory.
Third-Party Tools: Even if you use third-party tools for payments, you may still be responsible for securing the interaction points.
7. What Is the Volume of Card Transactions You Handle?
Merchant Levels: PCI DSS compliance applies to organisations of all sizes, but the level of compliance and validation required depends on transaction volume:
Level 1: More than 6 million transactions annually.
Level 2-4: Fewer transactions, but still subject to compliance.
Even if you process a small number of transactions, compliance is required.
What are the key PCI DSS requirements that my contact centre must meet to ensure compliance?
1. Build and Maintain a Secure Network and Systems
1.1 Install and maintain a firewall configuration to protect cardholder data
Segment networks to isolate payment systems from other areas.
Restrict traffic to only what is necessary for business functions.
1.2 Do not use vendor-supplied defaults for system passwords and other security parameters
Change default passwords on hardware, software, and systems.
Use strong passwords and leverage multi-factor authentication (MFA)
2. Protect Cardholder Data
2.1 Protect stored cardholder data
Avoid storing sensitive authentication data like CVV codes after authorization.
Use encryption, hashing, or tokenization for data storage.
Implement strong access controls for data repositories.
3. Maintain a Vulnerability Management Program
3.1 Protect systems against malware and regularly update antivirus software
Deploy antivirus/malware detection tools on all systems.
Update antivirus signatures regularly to address new threats.
3.2 Develop and maintain secure systems and applications
Apply security patches to operating systems, software, and applications promptly.
Conduct vulnerability scans to identify weaknesses in your systems.
4. Implement Strong Access Control Measures
4.1 Restrict access to cardholder data by business need-to-know
Grant access to cardholder data only to those whose job responsibilities require it.
Implement role-based access controls.
4.2 Identify and authenticate access to system components
Assign unique IDs to each user accessing payment systems.
Use strong authentication methods, such as multi-factor authentication.
4.3 Restrict physical access to cardholder data
Secure workstations, server rooms, and other areas where cardholder data may be accessed or stored.
Use badge access or biometric controls to restrict entry.
5. Regularly Monitor and Test Networks
5.1 Track and monitor all access to network resources and cardholder data
Enable logging of all access to payment systems and data.
Monitor for suspicious activities using a Security Information and Event Management (SIEM) system.
5.2 Regularly test security systems and processes
Perform quarterly vulnerability scans and annual penetration tests.
Test network segmentation to ensure cardholder data environments are isolated.
6. Maintain an Information Security Policy
6.1 Maintain a policy that addresses information security for all personnel
Create and enforce security policies that address PCI DSS requirements.
Regularly review and update security policies to align with new threats and PCI DSS updates.
How does contact centre software, like ipSCAPE, help with PCI compliance when accepting phone payments?
ipSCAPE can mask or suppress Dual-Tone Multi-Frequency (DTMF) tones when a customer inputs their payment card information through the phone keypad.
This ensures that agents and call recordings do not capture sensitive cardholder data (e.g., card numbers or CVVs), helping to comply with PCI DSS Requirement 3 (protection of stored cardholder data).
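DTMF suppression keeps keypad entry out of recordings, but the page also notes that a customer may read the card number aloud (Do You Have Access to Cardholder Data? above) and that recordings must not retain card numbers or CVVs (Does Your Business Use Systems That Touch Payment Data? above). A redaction pass over transcripts and recording metadata is the complementary control. The following is an added example written for this page, not IPscape code: the transcript lines are constructed, 4111 1111 1111 1111 is a widely used test card number, and the regular expressions and the Luhn filter (which stops order references and phone numbers being masked) are this example's own choices.

```python
import re

# Added example, not IPscape code. Redacts card numbers and CVVs from a call
# transcript, complementing DTMF suppression for cases where a customer reads
# the details aloud. Digit runs are Luhn-checked so order and phone numbers
# are left intact. The transcript below is constructed.

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# a 3 or 4 digit group shortly after a CVV-style label
CVV_PATTERN = re.compile(r"(?i)\b(cvv2?|cvc2?|security code)\b(\D{0,12})(\d{3,4})\b")


def _luhn_ok(digits):
    """Compact Luhn mod-10 check on a pure digit string."""
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0


def redact_pan(text):
    """Mask all but the last four digits of every Luhn-valid card number in text."""
    def mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not _luhn_ok(digits):
            return raw                      # order reference, phone number, etc.: leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_PATTERN.sub(mask, text)


def redact_cvv(text):
    """Remove any security code spoken after a CVV-style label; nothing of it is kept."""
    return CVV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}***", text)


def redact_transcript(lines):
    return [redact_cvv(redact_pan(line)) for line in lines]


def find_unmasked_pans(lines):
    """Post-redaction check: (line index, last four) for every surviving Luhn-valid PAN."""
    hits = []
    for i, line in enumerate(lines):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if _luhn_ok(digits):
                hits.append((i, digits[-4:]))
    return hits


# Constructed transcript. The 16-digit order reference is deliberately not Luhn-valid
# and the phone number is too short to be a PAN, so neither should be touched.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I take the long number on the front of the card?",
    "Customer: Sure, it's 4111 1111 1111 1111.",
    "Agent: And the expiry and the security code on the back?",
    "Customer: 09/27, CVV is 123.",
    "Agent: Thanks. Your order reference is 1234567890123456.",
    "Agent: I'll call you back on 0412 345 678 if anything changes.",
]


def run_demo():
    """Returns the redacted transcript plus leak checks before and after redaction."""
    redacted = redact_transcript(SAMPLE_TRANSCRIPT)
    return redacted, find_unmasked_pans(SAMPLE_TRANSCRIPT), find_unmasked_pans(redacted)


if __name__ == "__main__":
    lines, before, after = run_demo()
    for line in lines:
        print(line)
    print("unmasked PANs before:", before, "after:", after)
```

Run this as a pre-storage step on transcripts and as a periodic sweep (`find_unmasked_pans`) over what is already stored; the sweep is the evidence an assessor will ask for that recordings do not hold card data. The Luhn filter reduces false positives but is not proof a number is a card, so treat the redacted output, not the raw transcript, as the only copy that gets retained.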
What are the risks and consequences of not being PCI-compliant in a contact centre?
Failing to achieve or maintain PCI DSS compliance in a contact center can have serious risks and consequences, including financial, legal, and reputational damage. Below is an overview of the key risks and consequences:
How can my contact centre protect sensitive cardholder data when processing payments over the phone?
Leverage IPscape’s PaySCAPE technology which is a secure payment solution that maintains voice with the customer while taking payments over the phone. Customers can input their card details using their dialpad, with the DTMF tones masked.
What best practices should my contact centre follow to maintain ongoing PCI compliance?
Avoid storing unnecessary data from customers. If payment details are required to be stored, use tokenisation to ensure security.
Is PCI compliance a one-time process, or does it require continuous effort and monitoring?
Continuous monitoring of security controls is required to ensure your organisation is meeting the PCI DSS compliance standards.
How does PCI compliance affect payment processing and the customer experience in my contact centre?
If done correctly, secure payment processes can build trust and improve the customer experience.
If you would like to understand more information about how your organisation can seamlessly accept PCI compliant payments over the phone while maintaining positive customer experiences, contact IPscape.
Organisations use IPscape’s communication technology platform, SCAPE, to unlock growth by building personalised communication with customers at scale, through their channel of choice.