Protecting consumer data and privacy is paramount these days. To that end, the Payment Card Industry Security Standards Council (PCI SSC) has developed a standard whose primary objective is to protect consumers against the misuse of the personal information they share during a cash, credit, or debit card transaction: the PCI Data Security Standard (PCI DSS).
Why PCI DSS Compliance Matters
Being PCI DSS compliant means that your call centre operation keeps its customers' valuable information safe, secure and out of the hands of people who could use that information fraudulently.
Six Major Objectives of PCI DSS and Their Corresponding Requirements
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software or programs.
  - Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need-to-know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security for employees and contractors.
PCI Compliance Best Practices
Here are the best tips to make your offshore call centre operations PCI DSS compliant:
- Ensure that remote agents and supervisors use a two-factor authentication process in all transactions involving customers.
- Limit the amount of time that card information is kept on the quality assurance (QA) or recording server and in CRM solution databases (both voice and screen recordings), and ensure it is encrypted at all times.
- Use redaction software to automatically pause the recording when account numbers, security codes, and other sensitive information are spoken by the customer. Because the tool prevents sensitive information from being recorded, the recorded calls are also out of scope for a PCI audit.
- Ensure robust network security. This includes an effective firewall and router that filter traffic from unsafe networks and hosts. More importantly, there should never be any direct connection between equipment containing cardholder data and the internet.
- Enforce role-based log-in to limit the number of staff that can access sensitive data.
- Identify the points where a call centre agent comes in contact with sensitive data to ensure proper security and compliance.
- Make sure that all call centre agents understand the rules and regulations specified in the PCI DSS policies for call centres. Provide remote agents with continuous training focused on PCI DSS compliance and measure their progress over time.
- Limit the physical storage of customer details by requiring agents to use a whiteboard instead of pen and paper.
- Enforce a “No Phone Allowed” policy within the call centre premises to avoid unauthorised data capture through an agent’s personal device.
- Use 256-bit encryption to ensure secure cardholder information storage. It's also wise for your organisation not to have access to the key itself. In case decryption is needed, there must be a documented set of procedures that details information such as key distribution, storage, and the specific key custodians.
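As an added illustration of the redaction control above (example code written for this page, not any product's or the author's own), here is a Python routine that finds spoken card numbers in a call transcript, confirms them with the Luhn check so that order numbers and other digit runs are left alone, and keeps only the last four digits. The transcript below is constructed; the card number in it is a standard test number, not a real account.

```python
import re

# Constructed sample transcript (not real call data). Spoken card numbers are
# usually transcribed with spaces or dashes between digit groups.
SAMPLE_TRANSCRIPT = (
    "Agent: can you read the card number please? "
    "Customer: sure, it's 4539 1488 0343 6467 and the code is 123. "
    "Agent: thanks, and the order reference is 1234 5678 9012 3456."
)

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Mask every Luhn-valid PAN in text, keeping only the last four digits.

    Returns (redacted_text, number_of_pans_masked). Digit runs that fail the
    Luhn check (order numbers, timestamps) are left untouched so the
    transcript stays usable for quality assurance.
    """
    count = 0

    def _mask(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return _PAN_CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_TRANSCRIPT)
    print(f"{n} PAN(s) masked:\n{redacted}")
```

The three-digit security code is not caught by this routine, which is why pause-and-resume recording, as described above, matters alongside text redaction.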
With a number of security threats present in the call centre industry, it is imperative to partner with a reliable and competent offshore call centre provider. By partnering with a PCI DSS compliant offshore call centre provider such as Global Outsourcing, your customers' information remains safe from fraud and your reputation within your industry stays intact.