Call centres routinely handle payment data such as credit or debit card numbers, CVVs and PINs. This kind of sensitive data is a prime target for cybercriminals worldwide, which makes it imperative for call centres to implement robust security measures that protect access to it.
Enhanced call centre security also reduces a company’s fraud exposure, from both internal and external risks.
PCI DSS is the globally mandated security standard for protecting credit card numbers. When call centres achieve PCI DSS compliance, they reduce the risk of losing data through a breach and, when done correctly, can also improve operational efficiency in ways that enhance the customer experience.
The PCI DSS standards are governed by the Payment Card Industry Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
So how can call centres remain PCI compliant and instill customer confidence that data is being protected?
Here are five key ways to achieve call centre PCI compliance:
- Maintain a secure network.
Nearly 80 percent of companies that experience a data breach don’t have a reliable firewall in place. Avoid putting your customers at unnecessary risk by investing in robust security controls for your network. If you’re unfamiliar with industry standards for establishing a secure network, hire a reputable IT firm to help you get started. Understand where all your access points are. Document your data flows and ensure there are measures to protect the data both at rest and in transit.
- Establish role-based security.
One of the basics of PCI DSS compliance is limiting who can access your customers’ financial information, strictly on a need-to-know basis. That’s why it’s essential to implement role-based credentials in your contact centre. Follow the principle of least privilege: each team member gets only the access needed to perform their job duties, without being unduly exposed to sensitive consumer data.
- Redact and protect recorded calls containing sensitive information.
You would be surprised at the number of companies that record calls but never think about the protected data on those recordings. While call recording is an invaluable training tool, it can also put the security of your organization and your customers’ data at risk. Recorded calls are subject to the same PCI DSS requirements as any other method of capturing private consumer information, so consider investing in a call monitoring system that allows financial information to be redacted from the recording. Also ensure the recordings themselves are protected through proper encryption and access controls.
- Do not allow mobile devices in secure work areas where protected data is present or displayed.
While it’s important to hire and train contact centre agents who are ethical and trustworthy, you also need to accept the reality that a data breach could begin with someone copying sensitive customer data onto their mobile device. Reduce the risk by prohibiting personal mobile device use in secure areas. If mobile devices are part of your employees’ working toolset, ensure you have robust MDM (Mobile Device Management) and DLP (Data Loss Prevention) policies in place.
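As an added illustration of the redaction point above and the DLP controls just mentioned (example code written for this page, not Ivrnet’s product or anything from the original post): a small Go detector that finds Luhn-valid card numbers in text such as a call transcript or an outbound message and masks all but the last four digits. The regular expression, the Luhn check and the transcript fragment are all constructed for the example; real call recordings are audio, so this assumes a transcript or other text stream is available to scan.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panCandidate matches 13 to 19 digits, optionally separated by single spaces
// or dashes, the way a caller reads a card number out loud. Candidates are
// then confirmed with the Luhn check so that phone numbers and order
// references are left alone.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether digits passes the Luhn (mod 10) check that
// payment card numbers satisfy.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// RedactPANs masks every Luhn-valid card number in text, keeping only the
// last four digits (the part PCI DSS allows to be displayed), and returns the
// redacted text together with the number of PANs found.
func RedactPANs(text string) (string, int) {
	count := 0
	out := panCandidate.ReplaceAllStringFunc(text, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
			return m // not a card number: leave it untouched
		}
		count++
		return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	})
	return out, count
}

// ContainsPAN is the DLP-style yes/no check: does this text carry a card
// number at all? Useful as a gate before data leaves a secure area.
func ContainsPAN(text string) bool {
	_, n := RedactPANs(text)
	return n > 0
}

// SampleTranscript is a constructed transcript fragment, not real data. The
// card number is a well-known test number; the order reference fails Luhn.
const SampleTranscript = `Agent: Can I take the card number, please?
Customer: Sure, it's 4111 1111 1111 1111, expiry 12/26.
Agent: Thanks. Your order reference is 1234 5678 9012 3456.`

func main() {
	redacted, n := RedactPANs(SampleTranscript)
	fmt.Printf("%d card number(s) redacted\n%s\n", n, redacted)
}
```

The Luhn step is what keeps the false-positive rate workable on real transcripts; CVVs and expiry dates have no such checksum, so they need context-based rules (or, better, never reaching the recording in the first place).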
- Encrypt all sensitive data.
We have all heard the saying, “There are two types of organizations: those that have been breached, and those that don’t know they’ve been breached.” If data is compromised, can the malicious actors do anything with it? A fundamental element of PCI compliance is shielding customers’ personal and financial information with strong cryptography. Cryptographic controls matter for data at rest as well as data in transit. You should use a minimum encryption key strength of 256 bits, and, as an extra safeguard, if you use a third party to store your customers’ data, that party should not have access to the encryption key.
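To make the last two sentences concrete, here is an added Go example (not from the original post or Ivrnet’s product) of encrypting a card number with AES-256-GCM under a key the merchant keeps, so that the third-party store only ever receives ciphertext. The ThirdPartyStore type, the record identifiers and the test card number are constructed for the example; it goes slightly beyond the text by also binding each ciphertext to its customer record so it cannot be swapped between records without detection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. the 256-bit minimum recommended above.
const KeySize = 32

var (
	ErrKeySize  = errors.New("key must be exactly 256 bits")
	ErrTampered = errors.New("ciphertext failed authentication")
)

// NewKey generates a random 256-bit key. In production this would live in the
// merchant's HSM or key management service, never at the storage provider.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The random 96-bit nonce is
// prepended to the output; recordID is bound as associated data so a
// ciphertext cannot be silently moved to another customer's record.
func Encrypt(key, plaintext []byte, recordID string) ([]byte, error) {
	if len(key) != KeySize {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt and fails closed on a wrong key, a modified
// ciphertext, or a mismatched recordID.
func Decrypt(key, blob []byte, recordID string) ([]byte, error) {
	if len(key) != KeySize {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// ThirdPartyStore stands in for the hosted storage provider (constructed for
// this example): it only ever receives ciphertext and holds no key.
type ThirdPartyStore struct{ records map[string][]byte }

func NewThirdPartyStore() *ThirdPartyStore      { return &ThirdPartyStore{records: map[string][]byte{}} }
func (s *ThirdPartyStore) Put(id string, b []byte) { s.records[id] = b }
func (s *ThirdPartyStore) Get(id string) []byte    { return s.records[id] }

// ProviderSeesPlaintext reports whether the stored blob exposes the PAN.
func ProviderSeesPlaintext(s *ThirdPartyStore, id string, pan []byte) bool {
	return bytes.Contains(s.Get(id), pan)
}

func main() {
	key, _ := NewKey()
	store := NewThirdPartyStore()
	pan := []byte("4111111111111111") // constructed test card number
	blob, _ := Encrypt(key, pan, "customer-42")
	store.Put("customer-42", blob)
	fmt.Println("provider can read PAN:", ProviderSeesPlaintext(store, "customer-42", pan))
	got, err := Decrypt(key, store.Get("customer-42"), "customer-42")
	fmt.Printf("merchant decrypts: %s (err=%v)\n", got, err)
}
```

The provider holds blobs it cannot open; only the merchant’s key material turns them back into card numbers, which is exactly the separation the paragraph asks for. Key rotation and access logging on the key service are the operational pieces this snippet leaves to the key management system.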
In today’s digital world, large-scale security breaches are all too common. If your contact centre agents take payments over the phone, adhering to PCI DSS security requirements is critical to protecting against fraud, and complying with the TCPA safe harbour is important for instilling customer confidence in your business. Following PCI best practices is paramount for earning customer trust, but don’t forget that following first-call resolution best practices is also essential for building customer loyalty.
Ivrnet is in the business of helping businesses achieve security compliance and protect sensitive customer data. A leader in payment security, Ivrnet is a Level 1 PCI DSS certified Service Provider. Visit ivrnet.com to learn more, watch a webinar or request a demo of our PCI compliant call centre solutions for online and over-the-phone credit card payments.