An Introduction to PCI Compliance

1st Feb 2016
Many people think PCI compliance is as simple as pausing and resuming a call recording at the time that sensitive credit card details are captured. In fact, there is much more to it than that. Payment card industry (PCI) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands. The Payment Card Industry Data Security Standard (PCI DSS) defines the need to secure cardholder data that is stored, processed or transmitted by merchants and processors. Key goals and requirements are outlined below.

Goals of PCI DSS

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI DSS Requirements

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

Why is it important to be PCI compliant?

Being compliant with PCI DSS demonstrates that a business is doing its best to keep customers’ information safe and secure and out of the hands of people who could use that data fraudulently. Not holding on to data reduces the risk that customers will be affected by fraud.

If a business loses card data, i.e. suffers a data breach, and it is not PCI DSS compliant, it could incur fines and be liable for the losses incurred against these cards and the operational costs of replacing the accounts. In 2015, for example, staysure.co.uk, an online travel insurance company that stored sensitive payment card details in breach of PCI DSS requirements, was fined £175,000 by the UK's Information Commissioner's Office (ICO) after the data was stolen by hackers.

Reputational damage is also a consideration if a business loses card data. Unfortunately, data breaches occur regularly and e-commerce sites are a frequent target for hackers who often succeed in compromising them. It is imperative that businesses ensure they implement all the relevant controls.

Which sectors need to worry about PCI compliance?

The PCI security standards exist to help organisations protect cardholder data no matter what their size, location or industry vertical. PCI is not a government law, but if an organisation wants to process credit cards as a convenience to its customers, failure to abide by PCI and the card brands' regulations can directly impact the organisation's ability to do so, and adversely impact its business as a result.

All organisations are required to be compliant with PCI DSS every year. This includes organisations whose credit card processing is handled entirely by a third party.

How do I become PCI compliant?

A good initial step is to engage with your bank and understand their expectations. PCI DSS compliance is an ongoing activity, not a one-off exercise. The payment transaction process has to be assessed each year. A simple rule is: if you don't need to store it, don't store it.

To meet PCI compliance the following actions need to be completed every year.

  • Complete the annual risk assessment on the environment where the card data is handled or which touches the cardholder environment.
  • Ensure third parties that store, process and/or transmit card data, or are connected to the cardholder environment, provide evidence that they have maintained their PCI DSS compliance and are still registered with the card schemes.
  • If using a third-party payment application in your environment, ensure the product and the particular version you are using is PA-DSS compliant and that the guidelines provided by the supplier are adhered to.
  • If you use an integrator to bring the products together, ensure they are certified to do so.
  • Train staff to follow PCI DSS procedures.
  • Make sure that you are only keeping data that is essential, and ensure it is encrypted and/or masked.
  • Monitor and control access to your e-commerce environment (i.e. make sure you have security controls for your e-commerce environment).
  • Protect your data network: make sure that you are using not only a firewall but also compliant and up-to-date anti-virus software.
  • Ensure that the shopping cart application is patched with the most up-to-date version available.
  • Network scans have to be undertaken on a quarterly basis. Scans will need to be undertaken by an Approved Scanning Vendor (ASV).
  • Discuss security with your web hosting provider to ensure that they have secured their systems appropriately. Web and database servers should be hardened to disable default settings and unnecessary services.
  • Annual PED (PIN entry device) tests need to be run, and also after any significant change to the environment.
  • With any software or hardware that you choose to use to process transactions, the vendor should have product approval from the Payment Card Industry Security Standards Council (PCI SSC).

What to watch out for when becoming PCI compliant

Do not be complacent. Compliance is not a single exercise, but an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. You need to constantly monitor and tweak what you have in place, as fraudsters will always be on the lookout for weaknesses in an organisation's approach. The best advice is to work with your auditors and legal teams to ensure that you are continuously on top of the issue. Ideally, you should employ a full-time member of staff dedicated to ensuring that PCI compliance is maintained at all times.

What are the consequences of not being PCI compliant?

The consequences of not being PCI compliant include significant fines levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.

It is also important to note that even if a company is 100% PCI compliant and validated, a breach of cardholder data may still occur. Cardholder data breaches can result in the following losses for a merchant.

  • A significant fine per cardholder data compromised
  • Suspension of credit card acceptance by a merchant’s credit card account provider
  • Loss of reputation with customers, suppliers, and partners
  • Possible civil litigation from breached customers
  • Loss of customer trust which affects future sales

How much should I budget for achieving and maintaining PCI compliance in the contact centre? This should factor in any staffing and set-up costs.

PCI compliance is not a single action and is therefore difficult to provide a fixed expense around. An organisation needs to deploy correct processes as well as appropriate tools to ensure data is held and captured appropriately. Achieving PCI compliance should not be a one-occasion activity but an ongoing practice.

It is difficult to be precise here as the cost of becoming PCI DSS compliant depends on a number of factors including the business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.

You need to remember, though, that these PCI DSS specific costs are just part of the story. Organisations should not look at this in isolation. Instead they need to consider the issue of quality of service and PCI compliance as part of their wider performance quality obligations and requirements across the whole contact centre and even the entire organisation. It should be part of the overall quality management, call recording and speech analytics approach in the contact centre.

This is certainly the case for one Scotland-based outsourced contact services provider to which Enghouse Interactive delivers its Quality Management Suite. One of the key benefits of the solution and approach that QMS supports is its ability to help ensure the outsourcer and its agents remain fully PCI DSS compliant throughout all of their interactions with customers. When sensitive information, i.e. credit card details, is being taken by the agent, the provider can, thanks to the Enghouse Interactive QMS system, ensure that the recording is paused (an action that is automatically triggered when the agent reaches a certain point in the process) and then resumed at the right point. It effectively introduces silence during the period that the credit card details are being taken. This in turn allows the provider to clearly ascertain how long its agents take to carry out the credit card processing and to rectify any issues with the process.

The provider was also sensitive to the need to give access to appropriate recordings only, in order to satisfy the demands of the PCI compliance auditors; in particular, individual agents are only permitted to listen to recordings relevant to their specific campaigns. Enghouse Interactive therefore worked closely with the outsourcer to adapt the QMS solution for its customer, to ensure not only that agents were able to pause the recording while sensitive information was being taken, but also that the company was able to restrict which recordings supervisors and agents alike had access to.

For further information about the company, please visit the Enghouse Interactive website: www.enghouseinteractive.co.uk

Twitter: @EnghouseInterac

LinkedIn: Enghouse Interactive
