Call Center Compliance: PCI DSS

Howard Schulman

Call centers today must adhere to evolving compliance regulations put in place to protect customers and their private data. The rules exist to prevent consumer fraud, protect customers' privacy and avoid abuse. These rules must be balanced against maintaining the best customer experience and helping to improve call center KPIs. The Payment Card Industry Data Security Standard (PCI DSS) is one such collection of compliance rules.

General Call Center Risk Factors

Call centers are especially vulnerable to compliance issues because they are the front line in communications with customers. In most call center situations, the sheer volume of calls creates many opportunities for agents to make mistakes. High agent turnover also increases the odds of mistakes, because new agents are not as practiced in their conversations as more experienced agents are.

Call center agents and their supervisors have the best intentions when it comes to customer conversations, but sometimes they simply aren't fully informed about the legal requirements. Most centers train thoroughly on call techniques like problem-solving and sales, but they don't invest in education on fundamental legal obligations. Some basic training in consumer protection regulations and rules goes a long way toward protecting customers and call centers alike.

It's no secret that call center employees are under high pressure to meet their sales goals, and that type of environment is rife with inadvertent mistakes. The rush to make sales can create a harried atmosphere in which errors occur and important steps are omitted. Sometimes the desire to please the customer can also lead to problems.


Payment Card Industry Security Standards Council (SSC)

There are several regulations and laws regarding consumer protection, and the Payment Card Industry Data Security Standard (PCI DSS) is a critical one. The Payment Card Industry (PCI) is the segment of the financial industry that governs the use of electronic forms of payment.

The PCI Security Standards Council (SSC) oversees the policies and technology behind non-cash payments such as debit cards, credit cards, point-of-sale cards, e-purse and ATM cards.

The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council’s work.

The PCI SSC is responsible for developing and managing the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry established strict rules around card numbers, PINs and other identifiers in 2006. The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to strengthen the security of credit, debit and cash card transactions and to protect cardholders against misuse of their personal information.

Call centers can avoid trouble by ensuring that access to encrypted confidential information requires multi-factor authentication. They should also upgrade or replace recording software that does not mask sensitive authentication data on agent screens.

Any recording solution should provide end-to-end multimedia encryption, where data is encrypted at the point of capture and remains encrypted throughout its lifetime. Software should not store sensitive authentication data such as CID codes, and supervisors should ensure that agents don't carelessly jot down card numbers or repeat them out loud for others to hear.
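As an added illustration of the two storage rules above (mask the card number, never store the security code), the following Python routine redacts an agent's typed call note before it is written to a recording archive. It is example code, not part of this article or any vendor product; the regular expressions, the `[REDACTED]` marker and the sample note are assumptions constructed for the demonstration, and it follows the PCI DSS display rule of keeping at most the first six and last four digits of a PAN.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, as card
# numbers typically appear when an agent types what a caller read out.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A card security code label followed by a 3- or 4-digit value.
CID_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security code)\b\s*[:#]?\s*\d{3,4}\b")

# Constructed sample note; 4111 1111 1111 1111 is a well-known Visa test number.
SAMPLE_NOTE = "Customer read card 4111 1111 1111 1111, CID 321, ref 1234 5678 9012 3456"


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(text: str) -> str:
    """Mask Luhn-valid card numbers and remove security codes before storage.

    Digit runs that fail the Luhn check (order or ticket numbers) are left
    intact, so the note stays useful while the PAN is no longer recoverable.
    """
    def _pan(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    text = PAN_RE.sub(_pan, text)
    # Sensitive authentication data must never be stored, not even masked.
    return CID_RE.sub(lambda m: m.group(1) + " [REDACTED]", text)


if __name__ == "__main__":
    print(redact_transcript(SAMPLE_NOTE))
```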

Getting started with PCI DSS compliance is easy with a series of six steps.

  1. A secure network is a must for transactions. This includes robust firewalls, especially for wireless networks, which are particularly vulnerable to attacks and eavesdropping. Authentication data such as PINs and passwords must be easy for customers to change.
  2. Cardholder information has to be protected wherever it is stored. That includes birth dates, mothers' maiden names, Social Security numbers, mailing addresses and phone numbers. This data must be properly encrypted when transmitted over public networks.
  3. Call centers must use up-to-date anti-virus, anti-spyware and other anti-malware software to protect against attackers. All applications must be free of bugs that could allow manipulation or theft of customer data.
  4. Operations and access to system information should be controlled and restricted. Every person using a computer in the system must have a unique and confidential identifier to gain access. Cardholder data also needs to be protected both electronically and physically. Acceptable methods include using document shredders, avoiding unnecessary document duplication and locking dumpsters to discourage theft.
  5. Networks must be continually monitored and regularly tested to make sure that security measures are up to date and working properly. Anti-spyware and anti-virus programs need the most current definitions and signatures for optimum performance. Scanning of exchanged data, applications, random access memory and all storage media should occur continuously.
  6. Each call center should develop a formal information security policy that is maintained and adhered to at all times. In some cases, audits and penalties for non-compliance may have to be enforced.

How To Drive Business and Avoid Non-Compliance

Avoiding penalties and fines related to compliance issues is a substantial effort for call center leaders, but some tactics will help make the job a little easier.

  • Conduct periodic agent training
  • Focus on laws and regulations affecting your industry
  • Provide scripts to keep agents compliant – digitize scripts and workflows for 100% adherence
  • Police agent areas to make sure customer information is secure
  • Enforce encryption of personal information
  • Maintain a digital and auditable trail of interactions, documents and signatures
  • Utilize technology that makes compliance easier for customers and agents

Rules are in place for a reason. We are all consumers and want to know that our information is secure—whether it’s financial information or medical files. It is up to those in call centers to be the champions for their customers. Call center leaders must look for technology that keeps them 100% compliant 100% of the time.