PCI DSS Compliance Training for Enterprise Contact Centers

Guest Blog

Guest Blog:  By Tim Critchley, CEO, Semafone

Even in today’s digital age of chatbots and voice-powered e-commerce, consumers still prefer to speak with a live person when making a purchase. In fact, a study by Google showed that 61 percent of mobile users believe it is important to be able to call a business during the purchase phase of the buying cycle. Clearly, enterprise call and contact centers remain a hyper-relevant channel for customer service, purchases and bill payment.

Unfortunately, the contact center is also often one of the most overlooked areas of the business when it comes to security. As the primary point of contact for customer engagement, contact centers naturally collect, process and store a wealth of personally identifiable information (PII), from payment card numbers, to social security numbers, addresses, bank account details and much more. Yet, despite their frequent handling of sensitive information, many contact centers continue to rely on outdated and insecure practices – particularly when it comes to accepting payments.

A survey of contact center agents conducted by Semafone revealed that more than 70 percent still require callers to read their payment card information aloud over the phone, despite the availability of technologies that can take payments through a more secure method. This exposes the caller’s sensitive payment card information to the agent on the line (who could jot down the information and use it to make fraudulent purchases), as well as to call recording systems (which can be breached by hackers). In an era when a single data breach can cost an organization an average of $3.86 million, there is no time to waste for addressing security and compliance weaknesses in the contact center.

Building a Strong Training Program for Data Security and Compliance

Because call and contact centers more often than not accept payments, they are subject to the Payment Card Industry Data Security Standard (PCI DSS). Applicable to any organization that handles cardholder data, the PCI DSS is organized into six distinct categories with 12 broad requirements, and outlines more than 400 security controls that every merchant must implement to achieve compliance. Many of the provisions deal with the way employees handle and store payment card information, which makes it essential to have a robust training program in place. Here’s how to begin:

Thoroughly Vet Employees

The first step begins even before employees are hired. It is important for contact centers to conduct thorough background checks on all employees – even temporary employees, third-party contractors and remote workers. There should be no exceptions and no excuses. Remember, these workers will have access to payment card information, account numbers, social security numbers and more – you must be sure they are trustworthy.

Educate Employees

At the foundation of every training program is employee education. The PCI DSS is a fairly complex standard, so it’s important to distill the requirements down for employees in a way that’s easy for them to understand and relevant to their everyday responsibilities. Take into account any processes and procedures that have been put into place for compliance purposes and help employees understand why they exist. People are more apt to follow compliance procedures if they understand the reasons behind them.

Break down the training material into smaller modules and shorter sessions so it’s more manageable and employees don’t lose interest. And, use various types of media in your training materials. Consider using short videos, in-person briefings, written documents or a mixture of all three. Find what works best with your employees and don’t be afraid to experiment with different approaches to see what works best.

Track Progress Through Assessments and Ongoing Updates

Training should be ongoing, not a one-time course. Track the progress of employees through assessments that can provide an objective record of each employee’s understanding and completion of the program. This will help you determine which parts of the material employees are truly understanding and where you may be falling short. Provide regular refresher courses – at least annually, if not quarterly – to ensure that data security and privacy practices stay top-of-mind and  provide employees with the latest updates and developments to PCI DSS compliance.

Enlist Help from Experts

A Qualified Security Assessor (QSA) and experts in PCI DSS compliance training like CFISA can help you save time and effort by adapting programs and best practices specifically for your company and its unique needs. Partnering with such an organization can help ensure that your employees are receiving the best training possible, compliant with all the latest updates and requirements.

Reduce the Complexity of Your PCI DSS Compliance Training Program by Descoping the Contact Center

Of course, if your contact center employees don’t have to worry about completing PCI DSS compliance payments in the first place, the amount of training they need will be dramatically reduced. Enterprises can reduce the scope of PCI DSS compliance by adopting technologies that keep sensitive payment card information out of the contact center’s IT infrastructure from the get-go.

Dual-tone multi-frequency (DTMF) masking technologies enable customers to make payments over the phone while obscuring the payment card numbers from the agent on the line and from call recordings. With these solutions, the customer simply enters their card number (PAN) and three-figure security code (CCV) into the telephone keypad, and the touch tones (DTMF tones) are replaced with flat tones. The card data is encrypted and securely routed directly to the payment service provider, meaning that it never enters the contact center’s infrastructure.

By keeping payment card information out of the contact center in the first place, neither employees nor the contact center’s business infrastructure are exposed to cardholder data, thus leading to less time, money and effort dedicated to achieving PCI DSS compliance. With fewer applicable PCI controls for your contact center to comply with, the less you’ll have to train everyone!

Maintaining PCI DSS compliance not only helps organizations strengthen data security and reduce the risks of a data breach in their contact centers; it also provides other benefits. For one, implementing a PCI DSS training program helps impart a mindset of security awareness throughout the entire organization. This approach to data security and privacy extends beyond PCI DSS compliance into other aspects of cybersecurity and can also help the organization comply with other regulations, such as the EU’s General Data Protection Regulation (GDPR).

Lastly, ensuring the that employees are properly trained on PCI DSS compliance can save the organization a tremendous amount of money by avoiding non-compliance fines. Payment card brands can impose penalties ranging from $5,000 to $500,000 per month on a merchant’s acquiring bank if the merchant suffers a data breach, and the bank typically passes those costs along to the merchant. For repeat offences, the payment card brands can even revoke the rights of the merchant to process transactions using their cards. But, the most important benefit is that strong adherence to PCI DSS compliance will help protect your most valuable assets – your customers, their personal data and your company’s reputation.

About Tim Critchley – Chief Executive Officer, Semafone

Tim is an experienced director of technology start-ups in both product and service focused sectors. Tim has been the CEO of Semafone since 2009 and has led the company from a UK start up to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups including the BGF and Octopus. Under his leadership, the company has secured global partnerships and won clients that span a range of industry sectors including major brands such as AXA, BT, Capita, Harley Davidson, Next, Rogers Communications, Santander and Sky. Prior to joining Semafone, Tim was COO at KnowledgePool Group, the UK’s leading provider of managed learning services where he helped complete a successful turnaround in 3 years. Tim graduated from the London School of Economics and has an MBA from Manchester Business School.