The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the Payment Card Industry Security Standards Council, designed to protect cardholder data in credit card transactions.
How does PCI compliance apply to contact centers?
PCI standards make sure that the cardholder data shared when making purchases (e.g., card number, CVV code, and expiration date) is kept secure. Cardholder data is commonly handled across multiple industries and contact center channels, so companies need to assess their PCI compliance continuously.
Breaches and Noncompliance Fines
Fines for noncompliance can range from $5,000 to $500,000 (source: Focus on PCI). Even compliant companies can still suffer a data breach, which incurs a fine of $50 to $90 per compromised cardholder record. These fines hurt companies, causing large payouts as well as damage to their reputation with customers, suppliers, and partners.
One of the most newsworthy PCI lawsuits involved Target and Visa in 2013 after an estimated 40 million credit and debit card accounts were hacked. Target reached a settlement with Visa for up to $67 million.
Bright Pattern’s Tips for PCI Compliance
1. Create Policies and Procedures – Small companies or companies new to PCI compliance need to create clear and easy-to-follow policies and procedures. Because PCI compliance involves everyone in the contact center as well as many systems and technologies, agents must be trained on PCI compliance policies and procedures. These best practices need to be reviewed, adjusted for new threats, and documented annually. Such policies include a firewall policy, incident (breach) response, business continuity policy, agent computer and mobile device policy, data security policy, and so forth.
2. Update Documentation – Once you have the needed documentation, it is important to keep it updated. Companies should document all changes to the security environment throughout the year. It may be helpful to schedule monthly time on your calendar to create updates based on agent and management feedback. This information will be very helpful during your annual PCI compliance review.
3. Inform All Employees – As mentioned in Tip No. 1, it is important to train employees on policies and procedures. PCI compliance should be built into the agent training process, and ongoing training and coaching should be provided during the year. Refresher courses can be useful to retrain agents or educate employees on any new company policies. It is important to instill the basics, including locking the computer when leaving a workstation, frequently changing passwords, and being aware of one's surroundings.
4. Partner with PCI Compliant Vendors – You can only be as compliant as your technology vendors. When selecting vendors, make sure they are PCI compliant and have third-party validation of their compliance. Take advantage of these partnerships to improve your own company PCI procedures.
5. Continuously Enforce – Compliance isn't a project you can complete and never revisit. Compliance needs to be maintained on an ongoing basis, enforced continuously, and reassessed annually. It is also important to stay up to date on the latest PCI requirements, as these change frequently. The most recent version, 3.2, was published in April 2016.
Enterprise-grade software requires higher levels of security and compliance to protect all customer data and avoid litigation. As an enterprise provider, Bright Pattern software upholds the highest level of PCI compliance, certified by CompliancePoint.