PCI DSS Compliance: Your Annual Checklist
If you operate a contact centre that takes card payments from customers over the phone or via SMS and web chat, there are certain checks you must perform to ensure the security of cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for organisations that handle card payments from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.
To remain compliant, the following checks must be performed annually to maintain security and mitigate the risks of a compromise of card or personal data. It’s worth noting that if you’re using a hosted solution like PCI Pal then most of the PCI DSS requirements will already be met.
Although the Payment Card Industry Security Standards Council (PCI SSC) sets the security standards, each card provider also has its own programme for compliance, validation levels and enforcement. Compliance is enforced not by the PCI SSC but by the individual card issuers or acquiring banks.
You can find more information about compliance for each card scheme from the following links:
- American Express – americanexpress.com/datasecurity
- Discover Financial Services – discovernetwork.com/fraudsecurity/disc.html
- JCB International – http://www.jcbeurope.eu/business_partners/security/pcidss.html
- MasterCard Worldwide – mastercard.com/sdp
- Visa Inc – visa.com/cisp
- Visa Europe – visaeurope.com/ais
What is the PCI Compliance 3-Step Process?
There are three continuous steps that should be carried out to ensure PCI DSS requirements are met:
- Assess – You must identify cardholder data and take an inventory of your IT assets and business processes for payment card processing, then assess them for any vulnerabilities that could lead to a compromise of cardholder data.
- Remediate – You must fix any vulnerabilities and not store any cardholder data that you do not need.
- Report – The final step is to compile and submit compliance reports to the banks and card schemes you do business with, along with any remediation validation records if applicable.
Which PCI Standards Do I Need to Maintain?
Your merchant level dictates the standards you will need to maintain for PCI DSS compliance. There are four levels of merchant based on the number of transactions you process every year. This dictates whether you need an annual security assessment carried out by a PCI SSC-accredited qualified security assessor (QSA), or if you can complete a self-assessment questionnaire (SAQ).
What Annual Checks Should I Perform in My Contact Centre?
Regardless of the assessment method required, the following steps must be taken each year:
- Complete an annual risk assessment
- Ensure third parties that store, process and/or transmit card data have maintained their PCI DSS compliance and are still registered with the card schemes
- If you are using a third-party application in your contact centre, make sure the product and the particular version you are using are Payment Application Data Security Standard (PA-DSS) compliant
- If you use an integrator to bring the products together, make sure they are certified to the required standard to do so
- Train your staff to follow PCI DSS procedures
- Make sure you only store data that is essential and that it is encrypted and/or masked
- Protect your data network and make sure you are using a firewall and up-to-date anti-virus software
- Perform network scans on a quarterly basis. These have to be performed by an approved scanning vendor (ASV)
- You should also discuss security with your web hosting provider to ensure they have secured their systems appropriately. Web and database servers should also be hardened to disable default settings and unnecessary services
- Annual PIN entry device (PED) tests need to be run to identify any vulnerabilities
- Any software or hardware you use to process transactions should have approval from the Payment Card Industry Security Standards Council (PCI SSC)
Reduce Your PCI Compliance Concerns
If this all sounds like a lot to deal with, you might like to consider partnering with a hosted PCI solution provider. Our smart PCI solutions, like Agent Assist, can be seamlessly integrated with your contact centre operation to ensure compliance without compromising the customer experience.
For a no-obligation discussion about your specific requirements, please get in touch with our specialist payment security advisers today.
This guide is the ninth chapter of our eBook ‘Starting Your PCI Compliance Journey’.