Simplifying Contact Centre Payment Security
PCI DSS v4.0 Implications on Payment Security Protocols in Contact Centres
Simplifying contact centre payment security can help organisations achieve PCI compliance and improve both customer and agent experience in the era of PCI DSS v4.0. Released earlier this year, PCI DSS v4.0 significantly raises the bar for all organisations that accept payment card data. The new revision keeps the six goals and 12 requirements of earlier versions but specifies each security control in greater detail, and adds new requirements that become mandatory after a transition period. Contact centres will need to revise their compliance program to address the clarifications and new requirements introduced in PCI DSS v4.0.
Ten new controls that directly affect contact centres include:
- Prevent copying or relocation of Primary Account Numbers (PAN) when using remote access technologies, except where explicitly authorised
- Confirm that certificates used to safeguard PAN during transmission over open, public networks are valid and not expired or revoked
- Put mechanisms in place to detect and protect personnel against phishing attacks
- Review all user accounts and related access privileges at least once every six months
- Meet the new minimum complexity for passwords when they are used as an authentication factor (at least 12 characters where the system supports it)
- Use multifactor authentication for all access into the CDE (cardholder data environment)
- Determine the frequency of periodic Point of Interaction (POI) device inspections through a targeted risk analysis
- Review and update the security awareness program at least once every 12 months
- Include in training awareness of threats that could affect the security of the CDE
- Include in security awareness training an understanding of the acceptable use of end-user technologies
Simplifying PCI Compliance
Companies need a simplified approach that addresses these challenges and scales with the business. It must also prevent data compromise and fraud, improve the customer and CSR/agent experience, address cyber and business risk, and keep the organisation consistently compliant with the DSS.
How do organisations achieve PCI DSS compliance, prepare for growth, reduce risk, and improve the customer and agent experience with one tool?
Benefits of Simplifying PCI Compliance
When it comes to the payment process, there is a simple answer to this question – simplify PCI compliance by reducing the scope of PCI DSS. From a business standpoint, simpler processes allow contact centre employees to provide consistent service to customers. Other benefits of reducing PCI DSS scope include:
- Cost Savings – Descoping reduces the number of systems, people and processes that must be assessed, increases payment success and reduces average handling time (AHT)
- Improved Security – Since descoping prevents sensitive card data from ever entering your contact centre, a compromise of the contact centre yields no cardholder data for cybercriminals to steal.
- Improved Agent Experience – With descoping, there’s no need for clean room environments or pause-and-resume call recording solutions. Plus, the resulting simplified payment process means customer interactions are smoother and faster.
- Improved Customer Experience – A descoped solution can also provide customers single-agent resolution, in turn improving metrics such as AHT and NPS (net promoter score)
- Omnichannel Payments – Customers can pay on the channel they choose in the way they wish to seamlessly, providing a truly omnichannel experience.
The 3 Key Elements to Simplifying Contact Centre Payment Security
Reducing PCI DSS scope is one of the best ways to lighten the workload associated with the planning, design, implementation, operation, maintenance, evaluation, and improvement of PCI DSS compliance. It drastically reduces the risk of payment card data compromise and significantly reduces the cost of compliance assessment and reporting. This strategy consists of three key elements to simplifying compliance and addressing growing cybersecurity threats.
Stop Storing Credit Card Data
Avoid receiving and storing Primary Account Numbers (PANs) and other sensitive payment data by using automated capture solutions that keep the card details away from the CSR/agent and out of the contact centre’s systems and call recordings. By removing sensitive payment card information, the CSR/agent can focus on the customer, and the risk of mishandled payments and fraud is eliminated. This approach supports work in the contact centre, small hubs, and work-from-home arrangements. Ideally, the customer makes the payment during the conversation with the CSR. It’s simple and effective and improves the experience for everyone.
Segment Your Work
In a flat network, all the systems and applications within a contact centre are in scope for PCI DSS once it processes credit and debit card payments, because any system that can connect to a system handling card data is itself in scope. Limit the systems and environments within scope by segmenting the network environments that store, process or transmit payment card data from those that don’t, and verify that the segmentation controls actually block connectivity (PCI DSS v4.0 requires segmentation to be tested regularly). When contact centre agents have no access to CHD (cardholder data), the employees and their workstations can be taken out of scope for PCI DSS v4.0 requirements.
Outsource aspects of card processing and security
Outsourcing can remove some of the burden of PCI DSS compliance from your organisation and free up resources. Contact centres, log monitoring, access control management, and e-commerce systems are everyday environments that can be outsourced and descoped. Organisations that implement segmentation or outsource the storing, processing and transmitting of CHD (cardholder data) can reduce the size of the CDE (cardholder data environment). Reducing the size of the CDE reduces risk to the organisation and the level of effort to maintain PCI DSS compliance. Outsourcing reduces the work but not the accountability: the organisation must still keep a list of its third-party service providers, confirm their PCI DSS compliance status at least annually, and agree in writing which requirements each provider manages on its behalf.
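The scoping effect of the first two elements above (keeping card data out of contact centre systems, then segmenting what remains) can be made concrete with a small scope calculator. The following is an added example, not PCI Pal’s code or tooling: it applies the PCI SSC scoping rule that a system is in scope if it stores, processes or transmits CHD or can connect to a system that does, over a constructed inventory of a hypothetical contact centre. System names, the reachability map and the blocked edges are all assumptions made up for the illustration.

```python
"""Illustrative PCI DSS scope calculation over a constructed inventory.

Added example (not from PCI Pal). Models the PCI SSC scoping rule:
systems that store, process or transmit CHD form the CDE, and any system
that can open a connection to a CDE system is also in scope
("connected-to") unless a segmentation control blocks that path.
"""
from collections import deque

# Constructed inventory of a hypothetical contact centre: each system maps
# to the systems it can open connections to BEFORE segmentation is applied.
FLAT_NETWORK = {
    "agent-desktop-01": {"crm", "payment-app", "softphone"},
    "agent-desktop-02": {"crm", "payment-app", "softphone"},
    "crm": {"payment-app", "db"},
    "payment-app": {"db", "acquirer-gateway"},
    "db": set(),
    "acquirer-gateway": set(),   # the processor's system, assessed by them
    "softphone": {"call-recorder"},
    "call-recorder": set(),
    "hr-portal": {"crm"},
    "admin-jump": {"payment-app", "db"},
}

# Before descoping: agents key card numbers into payment-app, the db stores
# them, and recorded calls capture the spoken PAN.
CHD_BEFORE = {"payment-app", "db", "call-recorder"}

# After descoping: card data is captured by an automated solution so the
# call recorder never receives it (element 1), and firewall rules stop the
# agent estate and CRM from reaching the payment systems (element 2).
CHD_AFTER = {"payment-app", "db"}
SEGMENTATION = {
    ("agent-desktop-01", "payment-app"),
    ("agent-desktop-02", "payment-app"),
    ("crm", "payment-app"),
    ("crm", "db"),
}


def in_scope_systems(reach, chd_systems, blocked=frozenset()):
    """Return the set of systems in PCI DSS scope.

    reach:        dict system -> set of systems it can connect to.
    chd_systems:  systems that store, process or transmit CHD (the CDE).
    blocked:      (src, dst) edges removed by segmentation controls.

    Walks the reverse connectivity graph outwards from the CDE, so every
    system with a path INTO the CDE is marked in scope.
    """
    reverse = {system: set() for system in reach}
    for src, dsts in reach.items():
        for dst in dsts:
            if (src, dst) in blocked:
                continue
            reverse.setdefault(dst, set()).add(src)

    scope = set(chd_systems)
    queue = deque(chd_systems)
    while queue:
        current = queue.popleft()
        for src in reverse.get(current, ()):
            if src not in scope:
                scope.add(src)
                queue.append(src)
    return scope


def scope_report(reach, chd_systems, blocked=frozenset()):
    """Classify every inventoried system as CDE, connected-to, or out of scope."""
    scope = in_scope_systems(reach, chd_systems, blocked)
    return {
        "cde": sorted(chd_systems),
        "connected_to": sorted(scope - set(chd_systems)),
        "out_of_scope": sorted(set(reach) - scope),
    }


if __name__ == "__main__":
    for label, chd, blocked in (
        ("flat network, agents handle card data", CHD_BEFORE, frozenset()),
        ("descoped and segmented", CHD_AFTER, SEGMENTATION),
    ):
        report = scope_report(FLAT_NETWORK, chd, blocked)
        print(f"{label}:")
        for key, systems in report.items():
            print(f"  {key:13s} ({len(systems)}): {', '.join(systems)}")
```

In the flat network every system except the acquirer’s gateway lands in scope, because the agent desktops, CRM and even the HR portal can reach a CDE system. After descoping the call recorder and blocking the agent estate and CRM from the payment systems, only the two CDE systems and the administrative jump host remain in scope; the jump host stays in because it can still connect into the CDE, which is the point to check when validating segmentation.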
Learn how PCI Pal’s cloud-based PCI compliance solutions can help your organisation simplify contact centre payment security today or view the full white paper here.