PCI Pal’s CTO, Geoff Forsyth, features in Local Government News. Read the full feature here.
At every council across the country, payments for services are handled in a number of ways; face to face, direct debit, online and over the phone.
When handling payments over the phone, it is important to be aware of the rules around handling sensitive card payment details to make sure your organisation is compliant with the payment card industry rules, but to also reduce the overall risk resulting from a data hack in the future.
Sadly, in today’s modern world, significant data breaches are all too common and so it is important that councils safeguard contact centres to mitigate the related risks.
In a recent survey conducted by PCI Pal, over 2,000 people were polled and almost a third said that they feel that government organisations or departments are ‘the least secure or most prone to a data breach’, demonstrating that trust certainly needs to be built in this area.
With this in mind, here are some tips to consider on securing incoming payments to provide the assurances that consumers are today asking for:
1. Firstly, what is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle payments by debit or credit card. It was created by the Payment Card Industry Security Standards Council (PCI SSC), which is a conglomerate of the five major card brands globally, namely Visa, Mastercard, American Express, Discover, and JCB.
The PCI DSS was created to reduce the amount of card fraud globally, due to mishandling of the sensitive data associated with payment cards. It is a set of 12 standards for merchants and service providers on how they handle this data while taking payments either for themselves or third parties.
2. Descope your contact centre
Payment card data is the ultimate prize for hackers, so the first step is to identify how to stop your organisation from being on a target list. Rather than trying to keep hackers out, instead focus on encrypting your data and, where possible, ensure there is no data for them to take in the first place.
If de-scoping technologies are used for payments handled via a contact centre, sensitive payment card data never enters the enterprise and therefore the risk is removed.
It also means your organisation is compliant with the PCI DSS, which ultimately improves the ongoing security of all telephone, IVR, web and SMS financial transactions.
3. Remove outdated ‘pause-and-resume’ controls
In a whitepaper we recently produced with Verizon, it examined contact centre challenges in achieving sustainable PCI DSS compliance. We found that 60% of organisations are still using outdated ‘pause-and-resume’ technologies to avoid storing sensitive data on telephone call recordings.
Instead, consider switching to using modern Dual Tone Multi Frequency (DTMF) masking technology; it prevents contact centre agents from handling any payment card data, as instead payment details are keyed in to the customer’s telephone keypad, avoiding any information from being verbally shared.
This also means calls no longer need to be routed to a payment card system, meaning the agent can continue speaking with the customer while they make the payment, improving the overall experience.
4. Look to the cloud
By opting for PCI compliance solutions that are available via the cloud, there is no requirement to integrate card payment software directly into your organisation’s desktop environment. Instead, via smart cloud-based integrations with existing telephony and payment infrastructures, the process is seamless and creates no additional IT burden or management.
5. Assess your people processes
According to the PCI Security Standards Council, people typically represent one of the highest risks when it comes to the security of data, whether intentional or accidental. For example, compromises can originate from inside an organisation from any person who handles calls or may have access to systems and processes where telephone-based payment transactions are managed.
Remove this layer of risk by not exposing your staff to payment card details, when handling transactions over the phone.