Call Center PCI Compliance
Call centers’ elevated role in maximizing business value through seamless customer experience (CX) makes collecting Payment Card Information (PCI) securely an imperative.
Call center PCI compliance is required for on-site contact centers and work-from-anywhere (WFA) environments. However, handling PCI data is always a risk, regardless of where agents work—and post-COVID WFA models have only served to further increase data security and PCI compliance concerns.
One reason is that remote work has made it increasingly difficult for agents to receive proper PCI compliance and clean desk policy training or guidance from co-workers and supervisors, rendering agents vulnerable to fraud and manipulation.
Key PCI Compliance Statistics
- SQM predicts that the contact center industry’s post-COVID workforce model will be 60%-80% of agents working from home and 20%-40% of agents working in-center.
- Two out of three enterprises are not PCI compliant, and PCI compliance has been trending downwards since 2016.
- The cost of PCI non-compliance is staggering:
  - Financial penalties range from $5,000 to $100,000 per month until compliance is achieved.
  - The average cost per data breach involving a remote worker is $5 million, according to the IBM Cost of a Data Breach 2021 report.
  - $161 million is the average cost per million customer-sensitive records breached, states the report.
Factor in the irreversible damage to brand reputation, decrease in company valuation and market capitalization, revenue drop because of customer churn, legal fees in the tens of millions, and employee attrition, and you begin to understand the severity of the problem.
PCI Compliance Trends and Challenges
PCI DSS v4.0, released on March 31, 2022, places more emphasis on risk analysis and organizational governance, including continuous compliance activities, not merely once per year.
PCI Compliance Trends
The cost-of-living crisis has increased levels of fraud and collection issues. U.S. Federal Trade Commission data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30% over the previous year. CIFAS, the U.K.’s fraud prevention service, reported an 11% rise in fraud cases in 2022 due to “economic uncertainty.”
PCI Compliance Challenges
Alternative PCI compliance solutions are not effective in WFA environments for the following reasons:
- Companies can’t enforce clean desk policies in WFA environments due to a lack of monitoring or surveillance capability.
- There is no control over agents’ use of mobile phones, a high-security threat.
- Agents may have family or friends present while speaking to customers.
PCI Compliance Cost
Current tech-led marketplace solutions are inefficient, inadequate, and cost-ineffective:
- Pause-and-resume method for PCI compliance. Its scope is limited to call recordings, not live calls, so the risk posed by the live voice agent remains enormous.
- DTMF suppression can help redact PCI information from agents but requires customers to take additional steps. DTMF also increases metrics such as average handle time (AHT) and overall cost per resolved contact (CPRC).
- Transferring voice calls to a secure IVR line with automatic speech recognition (ASR) requires agents to initiate the process, increasing AHT and costs.
- Digital payments via secure forms. The agent sends a form to the customer’s smartphone and the customer completes the payment on their end—another manual process resulting in higher AHT and costs.
Call Center PCI Compliance Frequently Asked Questions
Why is call center PCI compliance important?
PCI call center compliance is a set of security standards established by the Payment Card Industry Security Standards Council (PCI SSC) that aim to protect cardholder data. The goal of contact center PCI compliance is to ensure secure handling of credit card information to prevent data breaches and protect consumers from credit card fraud. Failure to comply with PCI DSS can result in severe consequences, including hefty fines, reputational damage, and business loss.
What does PCI DSS mean for a call center?
A call center that handles credit card information must be PCI DSS compliant. This means the call center must adhere to strict security standards to safely handle sensitive customer data. The contact center PCI compliance standards require call centers to implement security measures such as access control, network security, clean desk policies, and credit card data encryption. Call centers must also regularly test and monitor their security measures to ensure effective data breach prevention.
Is PCI compliance unique in call centers?
PCI compliance is not unique to call centers, but they face unique challenges in maintaining compliance due to the nature of their work (i.e., requiring a human to facilitate PCI compliant payment transactions over the phone). Call center agents handle credit card information daily, which makes them more susceptible to security breaches. Additionally, call centers often have a large workforce, which makes compliance even more challenging.
Is PCI compliance required for credit card processing?
To maintain credit card PCI compliance, call centers must implement secure methods for handling sensitive customer information. Compliant PCI credit card processing can include encryption of credit card data during transmission, safe credit card information storage, and limiting credit card information access only to authorized personnel.
Is PCI compliance necessary for phone payments?
Phone payments are a standard payment method in call centers. However, handling payment information over the phone presents a significant security risk. Call centers must train agents in proper PCI telephone payment protocols and procedures, including using PCI phone systems, verifying customer identities, asking for only the necessary information, and never writing down payment card numbers, expiration dates, and CVV codes.
Call Center PCI Compliance Solutions
The solution to call center PCI compliance challenges lies in implementing secure payment processing systems that allow customers to share their payment card information safely. Audio-sensitive call redaction is one method gaining traction. Redaction prevents the agent from hearing sensitive information. This approach reduces the risk of data breaches and fraud while simplifying call center PCI compliance requirements, improving AHT, and ensuring a seamless customer transaction.
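The DTMF suppression and redaction approaches described above keep the card number out of the agent's hands while still delivering it to the payment system. The following is an added illustration (not code from this page or any vendor product) of that split in text form: a DTMF keypress stream is captured and Luhn-validated so that the agent desktop only ever receives a masked value, and a constructed transcript line is scrubbed of Luhn-valid card numbers while unrelated numbers such as order IDs are left intact. The transcript and keypress data are constructed samples.

```python
import itertools
import re

# Constructed samples: a transcript line and a DTMF keypress stream ('#' ends entry).
TRANSCRIPT = "Agent: go ahead. Customer: it's 4111 1111 1111 1111, expiry 12/26, order 12345678."
DTMF_KEYS = list("4111111111111111#")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits; the rest is replaced before it reaches an agent."""
    return "*" * (len(pan) - 4) + pan[-4:]


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_transcript(text: str) -> str:
    """Mask Luhn-valid card-number-shaped runs; leave other numbers (order IDs, dates) alone."""
    def fix(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(fix, text)


def capture_dtmf(keys):
    """Split a DTMF stream: returns (agent_view, pan_for_gateway).

    The agent view is always masked; only the payment gateway path gets the full PAN.
    Returns (None, None) on a malformed entry so the customer can be prompted to re-enter.
    """
    pan = "".join(k for k in itertools.takewhile(lambda k: k != "#", keys) if k.isdigit())
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        return None, None
    return mask(pan), pan
```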