PCI Compliance From Home
While no one can predict the longer-term global impact of COVID-19, the immediate changes to our daily lives are apparent, specifically – homeworking. Indeed, the advice from almost every government is unanimous: work from home if you can. The concept of working remotely is nothing new; around 4 million UK employees currently do this regularly, and in the US roughly 50% of businesses offer remote working patterns. In the current climate, those businesses that have not considered homeworking are now having to, and fast. On the face of it, working from home seems relatively easy to implement, but it is not without its challenges. A prime example of this, and a question the PCI Pal team are increasingly being asked, is ‘Can we take payments remotely and securely?’ To answer this, we first need to look in detail at the challenges that working remotely presents when trying to achieve and maintain PCI compliance.
What are the challenges of achieving PCI compliance remotely?
At any given time, you may have agents making inbound and outbound calls, and some of these interactions with customers could involve taking payments. There are several ways a contact centre can achieve PCI compliance, but not all of them are appropriate for remote working. Compensating controls such as a cleanroom environment or pause and resume only limit, rather than eliminate, the credit card data exposed within the contact centre environment.
When faced with working remotely, however, it is clear that these solutions are not suitable. A contact centre manager cannot ensure a cleanroom environment when the agent is working from home. Pause and resume, meanwhile, only stops credit card data from being recorded and stored: it can still be heard and seen, which means it can easily be exposed and used unlawfully. The PCI Security Standards Council (PCI SSC) acknowledges this issue in its information supplement ‘Protecting Telephone Based Payment Card Data’, which advises businesses to ‘evaluate the additional risks associated with processing account data in unsecured locations and implement controls accordingly.’ Steps such as multi-factor authentication, using only business-issued hardware and devices, and training staff to understand the risks of working remotely go some way to securing credit card data, but, much like compensating controls, they are not enough, because the credit card data can still be seen and heard.
What can businesses do to ensure that PCI Compliance is achieved and maintained?
Contact centres using solutions such as Agent Assist do not have the same constraints as organizations relying on compensating controls. Our cloud-based platform means that agents can log in from home and continue to take payments safely and securely. Customers key in their credit card information and the tones are masked both audibly and visually, so the card details cannot be captured or stolen. Organizations that do not employ such solutions should seriously consider doing so, especially as the current situation does not appear likely to change for a long time.
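The difference between pause and resume and DTMF masking comes down to which parts of the call ever carry a raw card digit. The following Python model is an added illustration, not PCI Pal's or Agent Assist's code; it assumes a simplified call made up of speech and DTMF events, three in-scope surfaces (what the agent hears, what the agent's screen shows, and the call recording) and an out-of-band path to the payment processor. The event names, the flat substitute tone and the sample card number are all constructed for the example.

```python
from dataclasses import dataclass, field

FLAT_TONE = "<flat-tone>"   # assumed substitute played in place of every DTMF digit
MASK_CHAR = "*"             # assumed character shown on the agent screen per digit
DIGITS = set("0123456789")


@dataclass
class Event:
    source: str        # "customer" or "agent"
    kind: str          # "speech" or "dtmf"
    payload: str       # spoken words, or a single DTMF digit
    in_payment: bool   # True while the customer is entering card data


@dataclass
class CallView:
    agent_hears: list = field(default_factory=list)   # audio on the agent leg
    agent_sees: list = field(default_factory=list)    # digits shown on the agent desktop
    recording: list = field(default_factory=list)     # what the call recorder stores
    processor: list = field(default_factory=list)     # what reaches the payment processor


def pause_resume(events):
    """Compensating control: the recorder is paused during payment, but the
    agent leg and agent desktop are untouched, so digits still reach the agent."""
    view = CallView()
    for ev in events:
        view.agent_hears.append(ev.payload)
        if ev.kind == "dtmf":
            view.agent_sees.append(ev.payload)   # agent desktop is the capture point
            view.processor.append(ev.payload)
        if not ev.in_payment:
            view.recording.append(ev.payload)    # recording suppressed while in payment
    return view


def dtmf_masking(events):
    """DTMF masking: digits are captured upstream of the agent and replaced with
    a flat tone on the agent leg and in the recording; the screen shows a mask."""
    view = CallView()
    for ev in events:
        if ev.kind == "dtmf":
            view.agent_hears.append(FLAT_TONE)
            view.agent_sees.append(MASK_CHAR)
            view.recording.append(FLAT_TONE)
            view.processor.append(ev.payload)    # only the processor path sees the digit
        else:
            view.agent_hears.append(ev.payload)
            view.recording.append(ev.payload)
    return view


def card_data_exposed(view):
    """Report, per in-scope surface, whether a raw card digit ever appeared there."""
    return {
        name: any(tok in DIGITS for tok in getattr(view, name))
        for name in ("agent_hears", "agent_sees", "recording")
    }


def sample_call():
    """Constructed call: agent prompts, customer keys a test PAN, agent confirms."""
    pan = "4111111111111111"   # constructed test number, not a real card
    events = [Event("agent", "speech", "please key in your card number", False)]
    events += [Event("customer", "dtmf", d, True) for d in pan]
    events.append(Event("agent", "speech", "thank you, payment taken", False))
    return events


if __name__ == "__main__":
    call = sample_call()
    print("pause/resume :", card_data_exposed(pause_resume(call)))
    print("DTMF masking :", card_data_exposed(dtmf_masking(call)))
```

With pause and resume the recording stays clean, but the agent still hears and sees every digit, which is exactly the exposure the PCI SSC supplement warns about for agents in unsecured locations; with masking, none of the three in-scope surfaces ever carry a digit, while the processor still receives the full number.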
Speak to one of our team to discuss how PCI Pal can assist your business in enabling secure payments from home whilst adhering to PCI DSS.