How to Choose a PCI-Compliant Call Center Solution

Leor Melamedov

Whether it’s a telecom company, an insurance provider, a healthcare company, or something else, a wide variety of industries depend on call centers and BPOs to close deals. Since selling requires collecting customer credit card information, call centers face a challenge in meeting the standards set by the Payment Card Industry Data Security Standard (PCI DSS). Here, we’ll discuss how call centers can choose a payment collection solution that meets PCI compliance requirements.


What is Call Center PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for businesses that process credit card information from the major card companies.

PCI compliance originated with the credit card brands but is overseen by the Federal Trade Commission (FTC). The regulation was designed to control the collection of, processing, and storage of cardholder data to prevent credit card fraud. While it is not an official regulatory law, it is treated as mandatory due to court precedent.

PCI compliance is a critical aspect of credit card companies’ security efforts and widely discussed in credit card network contracts.

The PCI Standards Council develops the requirements for PCI compliance. Companies are held responsible for abiding by these requirements, which apply to credit card information gathered over the telephone as well as to internet-based transactions. Other important entities involved include the Card Association Network and the National Automated Clearing House (NACHA).

PCI compliance demands that businesses, including call centers, collect credit card information in a secure way to reduce the likelihood of fraudsters stealing consumers’ financial information. Businesses that fail to comply with PCI compliance requirements risk their customers’ credit card details getting exposed to fraudsters, or being used as part of an identity theft scheme.

Key Requirements For PCI Compliance

These PCI requirements are known as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS has six key objectives, 12 key requirements, and more than 400 test procedures. The six objectives are as follows:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Call centers that collect customer payments must constantly monitor security to ensure sensitive credit card data is not exposed. These call centers must also provide regular compliance reports as part of their PCI-compliance agreements.

All companies that process credit card information are required to maintain PCI compliance as directed by their card processing agreements. Failure to do so can result in heavy fines for non-compliance with agreements, reputational damage, and damage to customers.

There are four levels of PCI compliance, which are based on how many credit card transactions the call center processes each year, as well as other indicators of compliance as determined by credit card companies.

These are the four levels of PCI compliance, which gauge the risk posed by the organization’s handling of payment information, along with the specific requirements for each level.

Level 1: Over 6 million transactions annually

  • Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Complete quarterly network scans by an Approved Scanning Vendor (ASV)
  • Complete the Attestation of Compliance Form

Level 2: Between 1 and 6 million transactions annually

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Level 3: Between 20,000 and 1 million transactions annually

  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Level 4: Fewer than 20,000 transactions annually

  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

9 Things to Look For in a PCI-Compliant Call Center Solution

Regardless of industry, call centers that collect customer payment details are subject to PCI compliance requirements. Typically, call centers rely on specially designated software to make it easier to stay compliant.

Here are the top capabilities to look out for when deciding on a PCI-compliant payment solution:

  1. Relies on robust firewalls. Wireless networks are especially vulnerable to hacker attacks and eavesdropping, necessitating strong firewalls. Customers must be able to easily change authentication data such as PINs and passwords.
  2. Protects all sensitive customer information. While PCI compliance is most closely associated with credit card information, the regulations also require call centers to safeguard personal information. This includes customer birth dates, mothers’ maiden names, social security numbers, home addresses, and phone numbers. When these data are transmitted over public networks, they must be encrypted just like the credit card details.
  3. Comes with (or integrates with) anti-virus software. A PCI-compliant payment solution should either have anti-virus capabilities baked in, or integrate with such programs to protect customers from hackers. It’s critical that the software is regularly updated so that known bugs are patched.
  4. Controls access to system information. Every person using a computer in the system must have a unique and confidential identifier to gain access. Also, cardholder data needs to be protected both electronically and physically. Acceptable methods include using document shredders, avoiding unnecessary document duplication, and securing dumpsters to prevent theft.
  5. Regularly monitors and tests networks. The solution should automatically scan data, apps, RAM, and storage media to ensure anti-virus programs are working optimally.
  6. Equally effective from home or call center. Now that many call center agents are working from home (instead of a designated call center), payment solutions must be equipped to support PCI compliance from any location. For example, the solution shouldn’t rely on start/stop software, which ordinarily prevents agents from recording credit card details, as it’s not easily enforced from remote locations.
  7. Fast to deploy. In today’s increasingly stringent regulatory environment, call centers cannot afford to go even a day without PCI-compliant payments in place. The right solution should be quick to deploy, allowing call center agents to immediately collect payment details in a safe way.
  8. Easy to scale. Whether the call center employs thousands or dozens of agents, whether it processes millions or thousands of transactions each year, the payment solution should be built for scale. Companies should be able to expand or shrink their agent workforce according to demand without worrying about whether they can maintain PCI compliance along the way. A simple per-session model can allow companies to pay for the solution based on their volume of transactions.
  9. Seamless for customers. Customers providing payment details should be aware that their transaction is safe and encrypted. But the security features should be seamless and never interrupt the flow of business. While on a call with a call center agent, customers should be able to make easy payments from their smartphone or computer. They shouldn’t have to read credit card information out loud; it’s not the most compliant approach, and it’s also a hassle.

The Best PCI-Compliant Software is Also Intuitive

The great news for call centers is that the best PCI-compliant solutions are also easy and intuitive for agents and their customers to work with. Cumbersome, start/stop software is limiting, especially as agents and customers are no longer tethered to specific locations.

Lightico offers such a PCI-compliant solution designed for the needs of modern call center agents. While agents are on the phone with customers, they simply send them real-time payment requests through a secure mobile environment that’s shared via text message link. Then, the payment information is safely stored in the digital system for easy future reference.

Call center agents can receive payments from customers in real-time via the Lightico agent console in three simple steps:

1. From the agent console, select Tools, then Payment.

2. Input the required amount, select the currency, and click Send Request.

3. The customer receives a text message which opens a secure collaboration room, where they complete the payment details without exposing payment information to the agent. The payment is processed securely with a fully compliant audit trail, transaction ID, and receipt.

In addition to being highly compliant with PCI requirements, Lightico’s solution is proven to deliver significantly higher payment conversion rates than traditional systems. To learn more about Lightico’s secure payment system, as well as other call center essentials like eSignatures, ID verification, and shared document review, visit Lightico.com.