PCI compliance is a must for contact centers that accept payment cards, as compliance secures not only your customers’ sensitive data, but also your customers’ confidence in your business. A PCI-compliant contact center is one that follows every requirement issued in the Payment Card Industry Data Security Standard (PCI DSS 3.2) in order to protect cardholder data.
The road to compliance is easy to navigate once you make some systemic changes to your day-to-day operations.
First, your contact center must establish information security policies that specify how the company will protect data. Such policies should clearly state how data (even backups or hardcopy data) is secured, accessed, stored, and encrypted in your system’s network and security devices (e.g., firewalls, routers, etc.), servers, virtual infrastructure (e.g., virtual desktops), internal and external applications, and backup infrastructure and recovery sites.
Policies should outline more restrictive requirements for where credit card data is stored or transmitted, and the scope of handling cardholder data should be limited as much as possible. Just as important as having security policies in place is having a plan for how to make this information available and enforce it. Establishing and following security policies is the backbone of any compliance effort.
Ideally, your call center solution should be independently certified for PCI DSS 3.2 compliance. PCI-compliant contact center software should have built-in tools that keep your customers’ data hidden. Any data that might be exposed to the agent should be encrypted and/or masked. A compliant solution, for example, can automatically mask text (e.g., credit card numbers, CVV codes, etc.) in live chats, divert a caller to an IVR to enter payment data, and suppress the DTMF tones produced when customers key numbers into their phone’s dialpad, so the agent (and the call recording) never receives them.
Next, ensure that your contact center avoids storing cardholder data in call recordings, chat transcripts, voice transcripts, databases, interaction records, and so forth. On the off chance that it is stored, access to it should be restricted on a need-to-know basis (i.e., agents shouldn’t be able to view or change it).
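The chat-masking tool described above and the rule that transcripts should not retain cardholder data come down to the same control: redact primary account numbers (PANs) and CVV codes before an interaction record is written. The following is an added example written for this page, not code from any contact center vendor or from the original article. The regular expressions, the Luhn check, and the sample chat lines are all constructed here; the filter keeps only the last four digits of a card number (PCI DSS permits at most the first six and last four to be displayed) and removes a CVV entirely, since sensitive authentication data may never be stored after authorization.

```python
import re

# Constructed sample chat lines for demonstration (not a real transcript).
# 4111 1111 1111 1111 is a well-known Luhn-valid test number; the
# "order number" on the third line is 16 digits but fails Luhn.
SAMPLE_TRANSCRIPT = [
    "Agent: I can take the payment now, what card would you like to use?",
    "Customer: Visa, 4111 1111 1111 1111, expires 12/27, CVV is 123",
    "Agent: Thanks. Your order number is 1234567890123456 for reference.",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A CVV/CVC label followed by a 3- or 4-digit code, e.g. "CVV is 123",
# "cvc: 4567", "security code 321".
CVV_PATTERN = re.compile(
    r"\b(cvv2?|cvc|security code)\b\s*(?:is|:)?\s*(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by
    payment card numbers. Used to avoid masking order IDs, ticket
    numbers and other long digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    """Replace a Luhn-valid PAN with asterisks plus its last four digits;
    leave anything that fails the check untouched."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> str:
    """Mask PANs and strip CVV codes from one line of chat text."""
    line = PAN_PATTERN.sub(_mask_pan, line)
    # Drop the CVV value completely; keep the label so the context
    # of the conversation stays readable for QA review.
    line = CVV_PATTERN.sub(lambda m: f"{m.group(1)} [REDACTED]", line)
    return line


def redact_transcript(lines: list[str]) -> list[str]:
    """Redact every line of a transcript before it is persisted."""
    return [redact_line(line) for line in lines]


def contains_cardholder_data(text: str) -> bool:
    """Gate for a storage layer: True if a Luhn-valid PAN or a labelled
    CVV is still present. A record that fails this check must not be
    written to the interaction store."""
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return CVV_PATTERN.search(text) is not None


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_TRANSCRIPT, redact_transcript(SAMPLE_TRANSCRIPT)):
        print(cleaned)
        print("  still contains cardholder data:", contains_cardholder_data(cleaned))
```

Run as a script, the second line becomes `Customer: Visa, ************1111, expires 12/27, CVV [REDACTED]` while the order number on the third line is left alone because it fails the Luhn check. The `contains_cardholder_data` gate is the piece to wire in front of the recording, transcript and CRM write paths: redaction is the primary control, and the gate catches anything the patterns missed so the record is rejected rather than stored. Note that Luhn still passes roughly one in ten random digit strings, so the filter errs on the side of masking.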
Every agent and supervisor should be trained to know how to handle cardholder data during customer interactions. Having a well-stocked Knowledge Base with your contact center’s information security policies, training docs, approved responses, and forms for collecting such data can help.
Remember that it only takes one data slip-up to annihilate your customers’ confidence in your business. Gaining their trust starts with compliance. For more tips, check out our PCI compliance checklist for contact centers.