Four years after the Payment Card Industry Data Security
Standards were introduced, retailers and financial institutions are
starting to get to grips with the requirements. Paul Golden reports
on the path to compliance for credit card call centres, which is
made trickier because of FSA requirements.

 

Security standards: Survey - UK retailer response

Despite the potential costs of
a security breach, compliance with Payment Card Industry Data
Security Standards (PCI DSS) within contact centres remains patchy.
Several observers suggest misinformation is still a major
problem.

The PCI DSS details the processes
by which businesses which handle card data can minimise the
potential for fraud. Contact centres are particularly impacted by
PCI DSS because of the way they transmit, process and store payment
card data. They also face greater compliance challenges because of
the unique way they are regulated – and many are simply avoiding
the issue.

The PCI Security Standards Council
encourages such businesses to comply with the standard to help
lower the brand and financial risks – including hefty fines –
associated with account payment data compromises.

According to Dani Briscoe, the
Corporate IT Forum’s services manager, many find the standard
difficult to comply with because of an initial lack of information,
although this has improved over the four years since the
standard was introduced, thanks to the many consultancy firms
established specifically to help organisations achieve
compliance.

High levels of risk

The exact level of contact centre non-compliance is impossible
to determine, but anecdotally it appears to be running at
alarmingly high levels. For example, data collected during a Sabio
UK seminar series last year revealed that one-third of respondents
believed their contact centre operations were still non-PCI
compliant, while a similar number were uncertain of their current
status.

Eliminating sensitive
authentication data from call recordings has proved very difficult
because of the variety of telephony, IT and payment systems in use
throughout the industry, said Cameron Ross, managing director of
call recording software vendor Veritape.

“Until recently, contact centres
have either ‘done nothing’ or had to commission expensive bespoke
implementations to meet the requirements of PCI DSS,” said Ross.
“These centres have been increasingly targeted in recent years
because of their weaker security.”

The obvious solution is to simply
turn off the recording, but this means losing all the benefits of
recording and in FSA-regulated environments this is illegal.
According to Peter Galloway, head of voice self-service at contact
centre solutions provider Sabio, PCI DSS compliance has always been
subservient to FSA compliance because the latter is more vocal, has
stronger powers and is clearer on the implications of being in
breach.

“Companies have been unsure about
the impact of non-PCI DSS compliance, whereas the requirements and
implications for FSA compliance are much clearer,” said Galloway.
“There are multiple technology solutions that can be delivered in
many ways and the interpretation of what you need to do in the call
centre has been varied. For instance, some companies have been
advised that if there is no easy search facility for CV2 numbers,
they are compliant.”

Galloway claims to have only
recently visited a credit card company that did not understand its
responsibilities in this area.

“One of our clients said the FSA
had told it that it needs to record 100 per cent of every call,
which conflicts with the PCI DSS,” he said. “Clearing houses are
starting to put pressure on companies, but at individual account
level rather than in a concerted fashion.”

 

Unclear on compliance

Sarah-Jane Heber-Hall, operations director at ComputerTel –
which develops call recording and contact centre agent evaluation
software – is another who is convinced that there are contact
centres that are still not clear on their responsibilities or do
not consider that they process enough transactions to require PCI
DSS compliance. She reckons some vendors have done their contact
centre customers no favours.

“While there are a number of
equipment suppliers claiming they provide PCI DSS-compliant
equipment, this is misleading customers into believing that if they
simply buy ‘compliant equipment’ it will be enough,” Heber-Hall
said. “A contact centre can only be deemed compliant by a qualified
security assessor and based on the processes and procedures in
place at that particular site.”

Patrick Botz of call recording
solutions firm VPI claims that in order to comply with the new PCI
DSS call recording regulations, many organisations will be forced
to delete all their verbal receipts because the process of
listening to the contents of potentially hundreds of thousands of
call recordings would be too labour intensive and therefore
prohibitively expensive.

“Unfortunately, the many calls that
do not contain sensitive data will also be deleted – calls that
should be retained for quality assurance purposes and liability
management,” he added.

With Ross putting the cost of
achieving compliance at anything from tens of thousands to several
hundred thousand pounds, getting the right system is crucial.

Apart from turning off the
recording, other solutions include transferring the customer to an
external interactive voice response system during payment, but Ross
describes this as very expensive and technically difficult to
implement as well as interrupting the conversation between the
agent and the customer.

If pausing is implemented it must be automatic, which leaves a
solution using DTMF – the tones generated by pressing the phone
keypad – where card details are filtered out of the call recording
system and are automatically captured and entered into the payment
system.
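As an added illustration of the DTMF approach described above (example code written for this page, not from the article or any vendor named in it), the following Python filter splits a constructed call event stream so that keyed card digits reach only the payment system while the recorder keeps the rest of the conversation. The start and end markers are assumed to be raised by the payment system rather than by the agent, which is what makes the suppression automatic; the event names, the class and the sample call are all constructed for the example.

```python
from dataclasses import dataclass, field
def luhn_ok(digits: str) -> bool:
    """Sanity-check the keyed digits before handing them to the payment system."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class DtmfRecordingFilter:
    """Splits call events into what the recorder keeps and what goes only to
    the payment system, so keyed card digits never reach the recording."""
    recording: list = field(default_factory=list)  # what the recorder stores
    captured: str = ""                              # digits for the payment system
    in_payment: bool = False

    def feed(self, kind, value=None):
        if kind == "payment_start":      # raised by the payment system, not the agent
            self.in_payment = True
            self.recording.append("[card entry: DTMF suppressed]")
        elif kind == "payment_end":
            self.in_payment = False
        elif kind == "dtmf":
            if self.in_payment:
                self.captured += value   # routed to the payment system only
            else:
                self.recording.append(f"<dtmf {value}>")  # e.g. menu navigation
        elif kind == "speech":
            # Speech keeps recording, so a card number read aloud would still be
            # stored: agents must ask the customer to key it, not say it.
            self.recording.append(value)
        else:
            raise ValueError(f"unknown event kind: {kind}")

# Constructed sample call, not a real recording. 4111111111111111 is a
# well-known card-brand test number, used only so the Luhn check passes.
SAMPLE_CALL = [
    ("speech", "Agent: please key your card number on your phone keypad."),
    ("payment_start", None),
    *[("dtmf", d) for d in "4111111111111111"],
    ("payment_end", None),
    ("speech", "Agent: thank you, the payment has been approved."),
]

def run_call(events):
    f = DtmfRecordingFilter()
    for kind, value in events:
        f.feed(kind, value)
    return f
```

The stored recording ends up with a marker where the card entry happened and no card digits anywhere, while the captured PAN is available to the payment system alone.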