How to Master Call Center PCI Compliance (So It Won’t Cost You!)

If you fail to comply with payment card industry (PCI) standards, you risk data breaches, financial penalties, and loss of customer trust. So for the sake of call center security and to avoid financial penalties, PCI compliance must be a top priority if you handle credit card data.

Just look at what happened to Wawa, Inc. in 2019. Found guilty of violating PCI guidelines, the company’s lawyers settled for $8 million to resolve its data breach issues.

So yes, PCI compliance will cost you if you ignore it.

But you can’t just turn on a feature and become compliant. Instead, you must understand which levels apply to you and learn how to always stay in the green.

What Is PCI Compliance?

The PCI data security standard (DSS) is a set of security standards that guides any business that accepts credit card payments. Its goal is to ensure that businesses securely process, store, and transmit credit card information to prevent fraud and data breaches.

The PCI DSS dictates that contact center agents must:

• Never store full cardholder data
• Use secure payment processing systems
• Be trained in identifying and preventing credit card fraud

Based on the number of card transactions processed each year, your call center will fall into one of four PCI DSS levels:

• PCI Level 1: 6 million transactions or more
• PCI Level 2: 1 million to 6 million transactions
• PCI Level 3: 20,000 to 1 million transactions
• PCI Level 4: fewer than 20,000 transactions

PCI compliance can be one of the most expensive contact center compliances to fall foul of. Even slight noncompliance can lead to many potential issues damaging your brand and bottom line.

Why PCI Compliance Matters for Call Centers

It instills customer trust

Customers trust businesses that protect their sensitive information, including basic information like names and addresses. However, credit card information is particularly sensitive and prone to hacking and theft.

By protecting sensitive customer information and clearly stating that your business will take the necessary steps to do so, you can ensure customers feel secure during transactions.

It reduces risk

If you follow rigid processes to look after your sensitive data, you reduce the risk of data breaches and minimize the potential impact on your business and customers. When everything on your systems and software flows smoothly, the rest of your business can, too.

It ensures you adhere to legal PCI compliance requirements

The most important reason to ensure your business is PCI compliant is the fact that it’s law — PCI compliance has been mandatory for businesses since 2004.

Failure to stay compliant can result in significant repercussions for your business. If you are not PCI compliant, you could face substantial fines, lawsuits, and the loss of payment processing privileges.

Examples of Noncompliant Payment Interactions

Before you invest heavily in ensuring your business is compliant, it’s important to understand what constitutes noncompliance. Here are the main scenarios responsible for noncompliance:

Unencrypted payment details

The guidelines state that agents must never store credit card data. Even with the best intentions, the simple process of writing down cardholder information means it can be photographed, photocopied, or stored outside your encrypted payment processing system.

Likewise, entering payment card details into an online whiteboard, notepad, or CRM software means the details are retained on those systems, which are potential avenues for loss or theft. One of the PCI criteria is ensuring agents are fully trained. This goes a long way toward breaking bad note-taking habits and preventing agents from forming new ones.

Overheard payment calls

When contact center agents are situated near one another, there’s the chance agents may overhear when one repeats card details to a customer (for confirmation).

This could also be true for colleagues or visitors passing through your office. To mitigate this risk, you could remove the repeating of card information from your processes (for example, by using a PCI-compliant payment processing system).

Screen sharing or insecure emails

When it takes multiple attempts to complete a card payment if a customer has given incorrect information or an agent has misheard, it’s tempting to ask the customer to type out the details and send them.

Agents are measured based on metrics like average handle time and first call resolution, so speed and efficiency are important to them. However, cutting corners like asking customers to type out and send their information exposes your business to insecure platforms and the potential for data loss or replication.

Examples of Compliant Payment Processing

There are three main ways to ensure compliance in your business’s payment processing. These might be standalone or built into a single tool to make processes more efficient.

Tokenization

Tokenization, which is similar to encryption, replaces sensitive payment data with a nonsensitive equivalent, reducing the amount of stored data that could be compromised.

Rather than complete masking, however, payment card information gets swapped with plain text random characters while the payment is processed. Once processed, the party receiving the payment “detokenizes” the data and sends it to their payment processor for credit card processing.

So, instead of sending 1234 5678 0123 across multiple systems and through different parties, the credit card numbers get changed to a random string like DJDHWBFM DHDHDK RPWNYH during transit.

Only once the data has been detokenized does the receiving party (and associated credit card companies) process the credit card payment.

Encrypted call recording

In the past, storing call recordings on premises was the only option for some businesses. Today, however, you can opt for a compliant hybrid cloud to encrypt calls during transit while retaining calls for training and compliance purposes.

When it comes to VoIP security, ensure credit card data is not stored when taking payments over the phone by using pause and resume functionality. This way, you receive payment details but actively choose not to store them in your cloud call recordings.

In the screenshot below, you can see that Nextiva offers a Pause/Resume function to keep you PCI compliant when handling payments.

Payment gateways

If you want to take information security even further, opt for a secure IVR system or secure web-based portal to process payments directly, bypassing human agents.

By using payment agent assist, call center agents can remove themselves from the call once they initiate a payment. Instead of listening to a customer dictate their card details, the agent hands off the call to an automated gateway that prompts the customer to enter their card details.

In this way, agents don’t hear or see which numbers are entered. The card information is validated automatically, and then the payment is processed. This totally removes the agent and any potential manual storage of details from the payment process.

Call Center PCI Compliance Checklist

To remain PCI compliant, ensure your business follows the following core processes. Failure at any of these stages could lead to a lack of compliance and potential penalties.

Encrypt customer data

Using a secure call recording platform or payment agent assist, ensure all sensitive credit card data gets encrypted during transmission and storage. When taking payments over the phone, anonymizing data means you’re protected at all stages.

Limit data access

Limiting who can access sensitive payment data reduces the risk of potential noncompliance with PCI standards. Implement access controls and seniority/job role-specific permissions so only those who need to can access payment data.

Don’t store card data

If you haven’t implemented a secure payment gateway yet, the very least you can do is avoid storing full credit card details (e.g., CVV codes) on call recordings or internal databases. However, without a secure payment gateway, you’re forced to rely on manual processes, which could expose you to potential nonadherence and the associated penalties.

Utilize tokenization and masking

Use tokenization and data masking techniques to limit the exposure of payment data during processing. If you don’t choose to remove human agents from the process or encrypt card information, tokenization is the next best solution.

Ensure call recording compliance

Any calls that are recorded must be encrypted, and you should avoid recording sensitive details like CVVs and account numbers. If you’re serious about compliance, this should be the bare minimum you aim for.

Keeping and recording card details leaves you wide open to hackers or internal personnel gaining access to sensitive information that could cost your business.

Use secure payment channels

When considering your next PCI steps, the best advice is to implement a PCI-compliant IVR system or secure web portals to handle payments. This applies to both in-office users and those using mobile phones.

A secure payment channel is by far the best way to minimize agent exposure to sensitive information. Relying on a secure payment gateway removes agents from the entire payment process.

Perform regular assessments and monitoring

Once you’ve set up a payment gateway or call recording system, perform regular PCI DSS compliance audits to ensure that all security measures are up to date.

Run trial payments with agents and ensure your contact center agents receive regular training on how to handle sensitive data securely and recognize potential compliance risks. And if you’re outsourcing payment handling, you must ensure they’re fully up to speed, too.

Maintain a secure network

Network security might not be your domain, but a secure network will pay dividends to your department.

Take a step back from front-end agent interactions and consult with your IT teams to ensure that you’re using firewalls, antivirus software, intrusion detection systems, anti-malware software, and regular vulnerability scans to protect your network infrastructure.

You should also make sure agents aren’t taking payments over a public network. Even when working from home, there are considerations you must check with your IT teams. Working together to look after all components of your contact center systems should ensure the best protection of your business.

Nextiva: Choose a Call Center Solution With Total Compliance

Ensuring PCI compliance can be hard when you rely on manual processes and disjointed, standalone systems.

A much better option is to use a contact center solution that has everything built in.

Nextiva’s secure solution is PCI compliant and allows for quick payment processing. In addition to protecting your agents and business, you get peace of mind thanks to Nextiva’s:

• PCI Certification: Ensures payment security and regulatory compliance with PCI standards.
• Automated Payment Handoff: Transfers customers from agents to a secure IVR system for payment collection, maintaining privacy.
• Secure Data Handling: Uses encrypted touch-tone inputs (DTMF) for customer transactions, and ensures the agent never sees or hears sensitive credit card details.
• Seamless Reconnection: Automatically reconnects a customer to your agent after completing the secure payment process.
• Integration: Works with various credit card gateways for secure payment processing.