When we hear the phrase “payment compliance”, our natural tendency is to associate the term with the retail sector. When we think of recent headline breaches, retail and even hospitality organisations are some of the first to come to mind. However, this doesn’t exclude other sectors from the risks associated with non-compliance. If a business, in any sector, handles credit card data in person, online, or over the phone, it is responsible for meeting and maintaining the requirements of PCI compliance and protecting its customers’ sensitive cardholder data.
The utilities sector is a prime example of companies heavily dependent upon online and contact centre payments. Contact centres in the utilities sector handle high volumes of customer credit card and personal data over the phone and through digital contact centre channels such as webchat. As they handle this data, PCI DSS compliance should remain a top priority, and those involved in the compliance strategy should have a full understanding of how this customer data flows through their telephony, desktop, back end systems, and storage.
We’re in an age where organisations are no longer preparing for if they are breached, but rather preparing for when they are breached. PCI DSS compliance is an incredibly effective way to ensure that an organisation’s data is not at risk in case of a breach. The 12 PCI DSS compliance requirements are also a great place to start when looking at other regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), as the requirements for PCI DSS compliance often overlap with those of other compliance regimes.
To begin the compliance checklist, a company must accurately map out the flow of credit card data through the organisation. This piece often takes input from multiple departments, especially for larger organisations, or those similar to Utilities that utilise contact centres, both internal and external, to capture this information. This flow should include any spoken card data passing through networks, telephone platforms, call recording systems, agent desktop environments, back end processing, CRM systems, and storage. This flow is referred to as the CDE (card data environment). The CDE is comprised of a variety of different components unique to the organisation, all of which need to be analysed individually in addition to the flow as a whole to ensure they are all as secure as possible.
It is important to start at the beginning, by setting a solid foundation. Building and maintaining a secure network is key. Firewalls must be strongly configured, and firewalls and network switches must be fully patched and running the latest firmware to best protect credit card data. In addition, PCI DSS has strict rules on which items of credit card data may be stored and how they must be protected, and it requires encryption of the data. In the most recent telephone payment guidance from PCI DSS, they go so far as to encourage a descoping approach, which ensures that none of the credit card data is stored anywhere within the CDE.
PCI Compliance is not a one-and-done activity. The systems that organisations take the time to make PCI compliant should be maintained, updated, and monitored to ensure that everything continues to run at its best. This includes regular patches and updates. The Verizon Payment Security Report 2019 states that only 36.7 percent of organisations actively maintained PCI DSS programs throughout 2018. As the systems are maintained, consider employees as part of your CDE. Allowing employees access only to the data they need reduces the scope of PCI compliance.
In conjunction with routine updates and maintenance, an organisation’s network and infrastructure should be regularly tested. These tests should always be run against the latest regulations, which continue to evolve as threats do. The regulations and requirements were created to give organisations a guide, standard, and template for protecting both themselves and their customers. Limiting the amount of card data coming into the environment not only reduces the systems and flows that the organisation must maintain to PCI Compliance standards, but also reduces risk. By not storing or handling card data in their environment at all, organisations are not liable for its protection. This makes descoping the contact centre a main objective for many organisations. This can be done through DTMF masking and other PCI compliant contact centre technology offerings.
Last, but certainly not least, is education. While we see compliance now falling into job titles in larger organisations, PCI Compliance is a topic that should not be foreign to anyone in the organisation. As individuals are points of vulnerability as well as systems, continued education for employees on compliance and best data practices is key. Data security is much easier to maintain when it is an organisational focus, rather than a single department’s action item.
As PCI Compliance isn’t optional and is a standard that must be maintained, now is the time to find a way to maintain that compliance in the most effective and secure way. As the regulations lead towards de-scoping, there is no better time than today to begin mapping your card data flow and see where your vulnerabilities lie. While it’s a new frontier for many organisations, PCI Compliance is not simply an insurance policy. With the right tools in place, compliance done correctly can lead to enhanced customer trust and a better customer experience. It’s truly an investment in the company’s success, security, and brand.