- What is PCI DSS?
The Payment Card Industry Data Security Standard is a set of accepted policies and procedures designed to protect cardholders, the financial transactions they execute, and their personal information. In 2004, four major financial institutions – Visa, Mastercard, Discover, and American Express – came together to develop the set of standards. The standard is built on six major objectives:
- Transactions must occur on a secure network with robust firewalls
- Cardholder information must be stored in a secure location
- Systems that process payments must use up-to-date anti-malware and anti-virus software
- Access to system information must be restricted and controlled
- Networks must be constantly monitored
- A formal security policy must be in place, with regular audits and penalties for non-compliance
- What is the difference between PCI Level I and Level II?
PCI Level I compliance means that the company processing the transactions has been verified by a third party, known as a Qualified Security Assessor (QSA). The company hires the QSA to perform regular audits in 12 different categories, with multiple sub-categories within them.
PCI Level II compliance means that those same audits are performed and requirements met, but the company does a self-assessment internally. This is done using a self-assessment questionnaire (SAQ) and is administered by an Internal Security Advisor (ISA).
It is a common misconception that Level II is better than Level I, or vice versa; neither is inherently better. The most important thing for contact centers is to ensure that the requirements are met and vetted by either a third party or an internal expert.
- Is there a specific benefit to being both PCI Level I and Level II compliant?
There is no security benefit to achieving both levels of compliance. Some do perceive that working with a company that has been audited by a third party provides an unbiased opinion and therefore greater peace of mind.
- Does working with a PCI compliant vendor make you PCI compliant?
As a company that provides PCI-compliant contact center solutions to companies of all sizes, we get this question all the time. The answer is no. PCI compliance on the part of a vendor or subcontractor does not innately grant a company compliance as well. It is up to the company to perform their own audits or use a QSA to ensure compliance.
- In terms of the contact center, what does it mean to be PCI compliant?
For a contact center to be PCI compliant, every element of the transaction must follow all the PCI rules. Consider a transaction where a customer is paying for something over the phone using the contact center voice channel. The voice lines must be secure and untappable. Often, contact centers will use a tool that masks the credit card number as it's being read, so the call can be recorded but the agent doesn't personally hear the number.
Then there is the issue of storage – that data must be secured by the vendor, and the recorded call must be equally secure in their cloud storage. There have even been cases where companies were deemed not PCI compliant because of the level of background noise in their contact centers, which allows callers to overhear agents engaged in other customer conversations.
It can all seem like a lot to manage, which is why most enterprises operating transactional contact centers rely on a cloud-based provider of contact center services that is PCI compliant as opposed to managing it themselves.
- What challenges do contact centers run into when trying to be PCI compliant?