PCI compliance is a must for contact centers that accept payment cards, because having PCI compliance not only secures your customer’s sensitive data but also secures your customer’s confidence in your business. A PCI-compliant contact center is one that follows every requirement issued in the Payment Card Industry Data Security Standard (PCI DSS 3.2) in order to protect cardholder data.
The road to compliance is easy to navigate once you make some systemic changes to your day-to-day operations.
First, your contact center must establish information security policies that specify how the company will protect data. Such policies should clearly state how data (even backups or hardcopy data) is secured, accessed, stored, and encrypted in your system’s network and security devices (e.g., firewalls, routers, etc.), servers, virtual infrastructure (e.g., virtual desktops), internal and external applications, and backup infrastructure and recovery sites.
Policies should outline more restrictive requirements for where credit card data is stored or transmitted, and the scope of handling cardholder data should be limited as much as possible. Just as important as having security policies in place is having a plan for how to make this information available and enforce it. Establishing and following security policies is the backbone of any compliance effort.
Ideally, your call center solution should be independently certified for PCI DSS 3.2 compliance. PCI-compliant contact center software should have built-in tools that keep your customers’ data hidden. Any data that might be exposed to the agent should be encrypted and masked. A compliant solution, for example, can automatically mask text (e.g., credit card numbers, CVV codes, etc.) in live chats, divert a caller to an IVR to enter payment data, and mute the sounds of customers punching in numbers on their phone’s dial pad.
Next, ensure that your contact center avoids storing cardholder data in call recordings, chat transcripts, voice transcripts, databases, interaction records, and so forth. In the off chance that it is stored, access to it should be restricted on a need-to-know basis, meaning agents shouldn’t be able to view or change it.
Every agent and supervisor should be trained to know how to handle cardholder data during customer interactions. Having a well-stocked regularly maintained knowledge base with your contact center’s information security policies, training docs, approved responses, and forms for collecting such data can help.
Bright Pattern’s PCI Compliant Contact Center Platform
Bright Pattern provides a platform for financial service providers to interact with customers securely and efficiently. Bright Pattern has capabilities like omnichannel, CRM integrations, PCI compliance, outbound dialing, and more while staying PCI compliant to ensure that customer data is securely stored and transmitted through the contact center.
Check out the Bright Pattern PCI Compliance page for more information.