- More than £1.6 million worth of fraud occurs on UK credit and debit cards every day.
- A fraudulent transaction takes place every eight seconds.
- One in five of the 200+ UK contact centres that took part in a recent ContactBabel survey are not fully PCI compliant.
It’s not often we’re bowled over by stats at WeAnswer Towers, but these are pretty earth moving. Contact centres process millions of card-based transactions every day and are highly exposed to fraud – mitigating this risk to your customers and business is vital. To combat this threat the leading card operators joined forces in 2007 to create a set of industry-wide requirements and PCI DSS, the Payment Card Industry Data Security Standard, was born.
We won’t delve into the nitty gritty of the PCI-DCC guidelines as these can be found in all their long-form glory on the official pages. We will, however, furnish you with a handy checklist to help ensure your business and customers are compliant and protected.
PCI DSS Compliance Checklist
Get your ducks in a row. Create a detailed plan of where your sensitive data is stored, who has access to it and who is accountable. What external parties are involved, if any? Consider whether it is truly necessary to store the data and who requires access to it. Ensure all processes and responsibilities are documented and stakeholders understand the importance of their role. Security training across all staff is highly recommended.
Put processes in place to ensure sensitive card data is processed and stored securely. Customer PINs and CVV2 numbers must be muted on audio and excluded from screen recording. As with most contact centre technologies, there are a variety of solutions available. At WeAnswer we offer clients a choice of our own internally developed software which halts call recording once the agent moves to the credit card fields and picks up again after card validation. Alternatively we can integrate seamlessly with our client’s systems.
In situations where data must be stored, do so securely following industry best practice guidelines and ensure stringent access controls are in place.
Install and maintain a firewall on any network which processes card data. Again, there are a plethora of options on the market and it is important to remember that it is the configuration of the firewall that is compliant, not the product you opt for. Access to the configuration must be closely monitored, especially with external service providers. No FirstName_MyBirthday access codes! Again, consider who has access to this and if it is really necessary.
Build and maintain secure systems
Your contact centre’s PCI DSS responsibilities don’t end with data processing. Cyber criminals are resilient creatures and committed to devising ingenious ways of hacking your systems.
Responsible businesses must protect all systems against malware and regularly update anti-virus software or programs. Security systems and processes must also be checked regularly.
What are the penalties for non-compliance with the PCI data security standard?
Non-compliant operations may lose the right to accept credit card transactions or be fined. Mastercard recently updated its merchant compliance plan, with fines for a fourth PCI DSS violation now ranging up to $400,000 for non-compliant merchants.
In February 2015 an online travel insurance company was fined £175,000 for storing data in a manner that breached PCI DSS requirements. The data including names, payment card details (including CVV and expiry dates), dates of birth, address, email addresses, phone number, travel dates and destinations and medical screening was stolen by hackers.
Also in February, Islington Council was reprimanded for three serious data breaches in the course of a year; one resulting in a £70,000 fine. The ICO found that the Council failed to disable call recording when bank details were being given. They also identified failures in protecting staff access to sensitive data and discrepancies in server access requests.
Future standards of PCI DSS will undoubtedly be more stringent, with concomitant naming and shaming of non-compliant brands in the press. Avoid these headaches and make sure your business has robust processes in place to protect your profits and customers.