PCI DSS Compliance Solutions

PCI Pal’s secure cloud payment solutions are certified to the highest level of security by the leading card companies. We’ll help you find the best PCI solution for your contact centre.

Secure payment solutions for Cardholder Not Present (CNP) payments

If you work for a company or contact centre that takes card payments from customers over the phone, you are responsible for keeping that data as safe and secure as possible – not just to protect your customers but to protect your business as well.

The Payment Card Industry Data Security Standard (or PCI DSS) is a set of 12 binding requirements that are designed to ensure complete data protection for merchants who take card payments from the major card schemes, such as VISA, MasterCard, AMEX, Discover and JCB.

Our pioneering Level 1 PCI DSS certified solutions are built around your contact centre and processes, so your customer service operation will remain exactly as you want it to be. Customisable, scalable and reliable, with 24/7 global support and 99.999% uptime.

Our Integrations

PCI Pal works with any payment gateway, major cloud carrier platforms and all leading phone and CRM systems.

Frequently Asked Questions

What is PCI DSS and how does it work?

Why is PCI Compliance important?

What level of PCI protection do I need?

What are the risks and penalties of non-compliance?

Set up in 2004 by VISA and MasterCard, and now regulated by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS is a set of 12 mandatory rules designed to protect data that is processed, transmitted and stored during manual or electronic payment transactions.

Any organisation that stores, processes or transmits cardholder data from the major card schemes must comply with PCI DSS requirements. The PCI compliance standards work to protect against card fraud by ensuring every business that handles cardholder information does so in a way that keeps customer data secure and protected.

If a contact centre wants to handle card payments from any of the major schemes they must comply with the following 12 requirements:

  1. Install and maintain a secure firewall
  2. Use unique passwords (rather than defaults)
  3. Encrypt stored data
  4. Encrypt data during transmission
  5. Keep anti-virus software current and updated
  6. Regularly check systems and applications are secure
  7. Ensure access is restricted to only those who need it
  8. Make sure those with access have a unique user ID
  9. Ensure physical access to data is restricted and controlled
  10. Make sure access to network and data is tracked and monitored
  11. Regularly test security systems and incident response plans
  12. Have a clear information security policy

Adhering to each of these requirements will ensure PCI DSS compliance for your contact centre, but remember: PCI compliance doesn’t automatically reduce risk or make you more secure.

The PCI DSS requirements are designed to combat card fraud by keeping cardholder data safe from hackers and other security breaches, but it’s not just your customers’ safety that is protected.

By ensuring your contact centre is PCI DSS compliant, you are also protecting your business – both financially and legally. A single data breach is now estimated to cost a company £3m on average, while the loss of connectivity caused by a breach or DDoS attack can prevent businesses operating for long periods of time.

Not only can this negatively affect or even ruin a company’s reputation, it also damages confidence in the industry as a whole.

While PCI DSS compliance is not a legal requirement, it does ensure compliance with the Data Protection Act – protecting you legally should the worst happen.

If you take card payments for goods or services via any of the 5 members of the PCI SSC (Payment Card Industry Security Standards Council), you will be required to meet one of four levels of compliance as part of your PCI DSS assessment.

Your compliance requirements depend on your “merchant level”, which is determined by several factors, including the number of transactions you process annually and your history of processing transactions. Although compliance with the rules laid out by these merchant levels is not a legal requirement, any company (including contact centres) which accepts card payments from the big 5 will need to comply or risk potential financial penalties.

There are four different categories that your organisation may fall into, defined primarily by the number of transactions you process, but also by the security risks you might be facing. These criteria allow the PCI SSC to determine the possible risks your customers might face when transacting with you, and thus inform which level of security you need to enforce in order to improve their safety.

The following guidelines will help you decide which merchant level applies to you and which steps you need to take to ensure PCI DSS compliance:

Merchant level 1

  • You process 6,000,000+ transactions annually
  • You have been the victim of a data breach which compromised account data
  • You have been identified by any card association as merchant level 1

Validation requirements:

  • Undergo an annual on-site security assessment by a PCI SSC-accredited Qualified Security Assessor (QSA)
  • Conduct annual penetration testing via an Approved Scan Vendor (ASV)
  • Complete an attestation of compliance form

Merchant level 2

  • You process between 1,000,000 and 6,000,000 transactions annually

Validation requirements:

  • Undergo an annual Self-Assessment Questionnaire (SAQ)
  • Conduct annual penetration testing via an Approved Scan Vendor (ASV)
  • Complete an attestation of compliance form

Merchant level 3

  • You process between 20,000 and 1,000,000 ecommerce transactions annually

Validation requirements:

  • Undergo an annual Self-Assessment Questionnaire (SAQ)
  • Conduct annual penetration testing via an Approved Scan Vendor (ASV)
  • Complete an attestation of compliance form

Merchant level 4

  • You process fewer than 20,000 ecommerce transactions annually
  • You process fewer than 1,000,000 non-ecommerce transactions annually

Validation requirements:

  • Undergo an annual Self-Assessment Questionnaire (SAQ)
  • Conduct annual penetration testing via an Approved Scan Vendor (ASV)
  • Complete an attestation of compliance form

As mentioned above, PCI DSS compliance is not a legal requirement, but it is mandatory if your contact centre wants to process transactions with the major card schemes.

If a system is compromised and the company is found not to be PCI DSS compliant, the business could face severe penalties, such as brand damage, lawsuits and legal costs, share price drop, job losses, insurance claims, regulator fines, higher banking fees, and potentially, the loss of ability to accept card payments.

These, coupled with the fraud losses, the cost of replacing cards, loss of customer confidence, and the ensuing decrease in sales can all lead to a company suffering huge financial losses or even going out of business entirely.

9 out of 10 large organisations suffered a security breach last year; can you afford to be one of them? If the answer is “no”, then get in touch with PCI Pal today to see how we can help.

For more information about our secure payment solutions and the way we do things, please download our corporate factsheet.

How can we help you? Get in touch today to discuss our solutions and your specific requirements.