
Guest Post: How to Ensure PCI Compliance in Your Call Center 


Tom Laird is the Founder and CEO of Expivia, a USA-based, 500+ seat omnichannel contact center located in Pennsylvania. He shares how call centers can safeguard critical customer data, giving customers peace of mind while reducing risk to your organization. 

Cyber security is more important now than ever, with cyber-attacks becoming more and more common. As a call center operator, it’s essential for you to protect sensitive cardholder data. Specifically, you need to safeguard customer credit card payment data.

By ensuring your call center is PCI-DSS compliant, you’ll safeguard critical customer data, giving customers peace of mind while reducing risk to your organization.  

What Is PCI-DSS Compliance? 

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard, aimed at reducing fraud, for businesses that handle the major credit card brands. It sets a minimum level of security organizations must meet when handling, processing, and storing credit card information.

From building a firewall to maintaining information security for call agents, there are 12 requirements organizations need to meet to be compliant. Compliance is evaluated either quarterly or annually, depending on the organization.

How to Establish PCI Compliance 

The first step you need to take is to conduct a risk assessment of your organization. You should also carry out the self-assessment questionnaire. These will help you see where your weak points are and how you can quickly achieve PCI compliance.  

Afterward, you need to establish a policy for compliance that uses strong language like “must” and “will” to ensure follow-through.  

When building out your policy for PCI compliance, you need to cover these areas: 

  1. Build and Maintain a Secure Network: Install and maintain a firewall to protect your customer payment data. Establish secure passwords for access.
  2. Protect Cardholder Data: Limit storage of cardholder data to the minimum required and never store data after authorization. Encrypt cardholder data when transmitting it over any public network.
  3. Maintain a Vulnerability Management Program: Update antivirus software regularly and protect devices against malware. Use secure systems and applications.
  4. Implement Strong Access Control Measures: Use strong passwords and only allow agents to access data if necessary (and under surveillance).
  5. Regularly Monitor and Test Networks: Track access to cardholder data and run tests to ensure infrastructure is secure against attacks.
  6. Maintain an Information Security Policy: Keep your entire team on the same page with a detailed policy on how to handle customer data.

Security Risks to Avoid in Your Call Center 

Security risks are everywhere these days. From unhappy employees to careless agents to hackers, there are many ways your customer data can fall into the wrong hands. While being PCI compliant is a necessary step toward safeguarding this information, it’s not the only thing you can do to protect your sensitive data. 

These are a few extra guidelines to follow in your organization to prevent data breaches:  

  1. Restrict Mobile Phone Use: No agent should have access to their mobile phones while on the call center floor.
  2. Remove the Auditory QA Process: Customers should enter their private details (like social security and card numbers) directly using keypads on their phones instead.
  3. Report Unauthorized Practices: Agents should be trained to look for and report any unusual or risky situations that they discover so management can remedy the situation.
  4. Educate Your Agents: Many security breaches happen accidentally due to poor training. Instead, educate your team on best practices to keep your site secure.
  5. Use Cloud-Based Telephony Systems: Reroute vital customer information directly to the payment provider instead of collecting it on site.
  6. Run Penetration Testing Regularly: You should never assume your systems are secure. Instead, you should run tests to pinpoint weaknesses.
  7. Use Multiple Layers of Security: Hackers are continuously looking for new vulnerabilities. Deploy additional security measures to keep your data secure.

PCI Compliance Myths to Avoid 

While PCI compliance is a great step forward to ensuring your organization is securing customer data, misunderstanding its purpose and what it covers can put you at risk from all sides.  

Here’s the truth behind several PCI compliance myths to help you out.

  1. It’s only for certain types of businesses: It doesn’t matter if you’re a small company or you don’t focus on e-commerce; if you handle customer credit card data, you need to be compliant.
  2. You only need to be compliant in certain areas: The pass rate for PCI compliance is 100%. Even if you fail in only one area, you fail completely.
  3. Debit card data is exempt: Wrong. Signature debit cards are dual-purpose (functioning on both credit and debit card networks). Both need protection.
  4. I didn’t know I needed to be compliant: Your bank is not required to ask you to be compliant, and you can’t opt out of PCI compliance by refusing to sign a contract. The responsibility is on you if your organization handles customer credit card data.
  5. Outsourcing PCI Compliance Removes Responsibility: You are still required to hold customer address data and process returns and chargebacks. You also need to request compliance certificates from vendors annually to ensure PCI compliance.

Why Your Call Center Needs to Be PCI Compliant 

As a business that manages sensitive data, you have an obligation to protect customer information. But there are many additional reasons to make sure your organization is PCI compliant:

  • Avoid Fines: Banks can fine you $5,000 to $100,000 monthly for PCI violations.
  • Decrease Cyber Attacks: Each step in the PCI compliance process is designed to reduce the incidence of cyber threats, keeping your business and data safe.
  • Improve Brand Image: Customers want to work with organizations that keep their data safe. Staying compliant helps ensure you’ll gain a reputation for data security.
  • Increase Sales: PCI compliance reduces anxiety for customers sharing sensitive data, meaning more conversions and sales.

Alternative Solutions for PCI Compliance 

Becoming PCI compliant is not cheap. It can often come with a price tag of over six figures for the organization. Still, if you handle customer payment data, you need to be compliant, and there can be a lot of anxiety around trying to get there.

As a result, many organizations choose to outsource payment processing to third-party vendors who are already PCI-DSS compliant. This helps them stay secure while avoiding the steep start-up cost. 

Just remember, even if you outsource your credit card data processing, you’re still responsible for protecting your customer data. Work with trusted vendors with a history of top-notch security processes and ask them to share (and update) their compliance certifications regularly.  

Tom Laird is the Founder and CEO of Expivia, a USA-based, 500+ seat omnichannel contact center located in Pennsylvania. He is an author and the host of “The Advice from a Call Center Geek Podcast” where he shares over 25 years of experience in all facets of contact center operations.
