Call centre PCI compliance: a checklist

Call centres collect, process, and transmit high volumes of customer data in order to offer good service. This includes (though is not limited to) payment card numbers. And the sensitive nature of such data underscores the need for call centre PCI compliance.

Call centre PCI compliance, taken as a whole, is a broad and multi-faceted challenge. You need stringent compliance over individual contact channels – live chat, email, telephone, etc. But compliance also extends to the full internal call centre tech stack and internal company processes.

So, correctly handling customer payment data goes beyond, for example, simply masking card details in a live chat session or implementing secure call recording procedures.

In that case, what do you need to consider and achieve to ensure call centre PCI compliance?


What is PCI compliance?

PCI DSS, short for the Payment Card Industry Data Security Standard, is a worldwide industry requirement for keeping cardholder data safe and secure.

PCI compliance, then, means complying with this necessary data protection standard. You MUST be PCI compliant if your organisation, business, or service stores, processes or transmits card data. This includes any VISA, MasterCard, American Express, JCB, or Discover card.

In short, any business or operation that deals with payment card information needs to be PCI DSS compliant. So, if part of the call centre duties includes managing payments, setting up payments, or any other collection or use of cardholder data, then you need to ensure you’re PCI compliant.

N.B.: Recorded calls are just as subject to PCI DSS rules as any other method of obtaining and storing cardholder information.


The core pillars of PCI (the checklist)

With all this in mind, what are the core pillars of PCI compliance? Here’s the headline checklist.

1. Secure networks

Any organisation that stores or processes cardholder data must secure its network. For instance, you should have a firewall set up as part of your cardholder data protection. You should also keep strict security controls, such as avoiding the use of default passwords and practising good password hygiene.

In a call centre setting, you might collect the cardholder data over the phone, but you’re likely storing and processing it on an internet-connected computer. These systems must exist on secure networks.

2. Encryption

Encryption is the process of encoding information. It scrambles data so that only authorised persons can understand it. As part of PCI compliance, you need to encrypt stored cardholder data and the transmission of cardholder data.

In terms of call centre PCI compliance, encryption can come in in a few ways. For example, you can encrypt your phone calls, as well as any data then stored about those phone calls — including payment card information.

For a call centre, redaction is another staple of handling card information. That is, when card details are spoken over the phone, you pause the recording so that none of them remain in your call logs.
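As an added example (not code from the original article), here is a Python routine of the kind a chat platform or transcript pipeline might apply to mask card numbers before a transcript is stored, covering the live-chat masking mentioned earlier and the redaction just described. It uses a Luhn check so that other long digit strings, such as an order reference, are left alone; the transcript lines are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample chat transcript (not real data); 4111... is a well-known test number.
CHAT = (
    "agent: can I take the long number on the front of the card?\n"
    "customer: sure, it's 4111 1111 1111 1111, expiry 12/26\n"
    "agent: thanks, and your order reference is 1234567890123456\n"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number in text with asterisks plus its last four digits.

    Returns the masked text and the number of PANs masked, so the caller can
    log that redaction happened without logging the card number itself.
    """
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # e.g. an order reference: not a card number, leave it
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(repl, text), count


if __name__ == "__main__":
    masked, n = mask_pans(CHAT)
    print(f"{n} card number(s) masked")
    print(masked)
```

The Luhn check only filters obvious non-card digit strings; it is a heuristic, not proof that a number is a PAN. Masking a stored transcript is also a last line of defence, not a substitute for keeping card data out of the recording or chat in the first place.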

3. Security software/vulnerability management

If you're striving for PCI compliance, you should make effective use of software to bolster your security. You should also take time to consider any potential vulnerabilities in your IT systems, and how you'll mitigate them. For instance, do you have robust software to protect against viruses and malware, or against online calls being intercepted?

When considering the security of your software and hardware processes, also factor in any point where a team member might come into contact with cardholder data. Then, think about how you can ensure the safety of that information. For instance, are employees using 2FA logins for your systems? Are you keeping on top of shadow IT? Are staff running the latest software updates on their machines?

Any physical vulnerabilities to the privacy and safety of card data should also be considered and mitigated.

4. Restrictive access rights and strict authentication

To be PCI compliant, you need to be able to identify all users of your systems — and anyone who has access to cardholder data. You also need to restrict this access to only those who need it to do their jobs. This includes restricting physical access too.

Call centre PCI compliance here means much the same as anywhere else. Beware of privilege creep (too many people having access rights they don’t need) and make sure that access is trackable, identifiable, and restricted.

Customers should also be reminded not to share their card information with call centre agents.

5. Monitored networks

It’s not enough to set up secured networks and compliant systems and forget about it. Compliance means regularly monitoring, maintaining, and improving the security of your systems related to cardholder data.

You need to be able to detect security incidents, keep up with updates, and stay on top of your security.

6. Clear, well-documented security policy

Last, you need to have a mapped-out policy that addresses how you’ll keep sensitive data safe. And everyone involved needs to know these policies and how to comply with your PCI data protection strategy.

This means having an easy-to-access guide for your team to refer to.


Call centre PCI compliance

In a 2020 study from SecurityMetrics, just 43% of PCI DSS requirements were met at the time of a data breach. Clearly, it’s all too easy for a call centre to be insufficiently prepared for PCI DSS requirements. But that doesn’t negate the need for compliance.

Indeed, non-compliance is costly. You can expect financial penalties from anywhere between $5,000 and $10,000 a month or more for violations of PCI compliance rules.

So, does your call centre comply? We hope this checklist outlining the core goals of PCI compliance has served as a handy tool.