So you manage a call centre, or you're planning to start one. You've heard about the PCI DSS, but you're not sure exactly what it requires from you.
Totally understandable. The PCI DSS is complicated. It's no wonder many businesses rely on professional help to make sure they're ticking all the boxes for compliance.
And with complexity comes misconceptions. There are many myths floating around the internet that only make the PCI DSS more difficult to get to grips with.
Today, we're going to tackle five of the most common myths and misunderstandings. Because by understanding what the PCI DSS isn't, you'll soon have a better idea of what it is.
But first, the basics…
What is PCI compliance?
PCI DSS stands for "Payment Card Industry Data Security Standard".
It lays out baseline security criteria for companies that process credit card information. If you accept, store, transmit or otherwise use card data, then the standard applies to you.
The standard launched in 2006 and was developed jointly by six major credit card companies – MasterCard, VISA, Discover, American Express and JCB. It is administered by the PCI SSC ("Payment Card Industry Security Standards Council").
PCI DSS is a global standard. Whether you're in Cambridge, Kansas or Kathmandu, the rules still apply.
You can access the latest version of the standard here.
Myth 1: the PCI DSS standard is just a guideline
A wise individual once said, "rules are meant to be broken, and guidelines are meant to be ignored".
Well, when it comes to PCI compliance, this so-called wise person is doubly wrong.
The PCI DSS is not a set of guidelines. It's mandatory for ALL businesses that process card information.
And if you don't play ball? See myth number five…
Myth 2: PCI standards don't apply to us
This is a common myth that comes in countless flavours. Let's examine a few of them.
"It doesn't apply to us because we only take a handful of credit card payments each month". WRONG. If you process card data at all, you have to abide by the standard.
"...because we work on behalf of a non-profit". WRONG. The PCI DSS applies to all organisations, commercial or otherwise.
"…because we don't store card data". Doesn't matter. You're still processing the data in some form or another.
"...because we're only a small contact centre". You could be a ten-year-old with a lemonade stand and the standard would still apply.
That last one comes with a teensy caveat. If you process fewer than 20,000 credit or debit card transactions per year, you might not be required to seek validation of your compliance. But you must remain compliant, whatever the size or shape of your business.
Myth 3: PCI compliance is a one-and-done job
So we just have to fill in a questionnaire, right? So we can just let IT worry about it and then carry on as normal… right?
Uh… no and no.
The PCI validation procedure involves completing a self-assessment questionnaire, sure. But this is designed to help you implement processes for continuing card data and payment security.
And as for IT doing all the work… well, they'll have to do some of it, but assuming it's mostly a technical job is plain wrong. The fact is, PCI compliance requires action and buy-in from all members of staff, whether they're high-level IT managers or the agents who take the calls.
For instance, one requirement is that card data is stored securely – it must never be written down on paper. This means all staff – especially customer-facing agents – must undergo appropriate training to ensure ongoing compliance.
Another requirement states that access to cardholder data must be restricted on a need-to-know basis. To implement this, you'll need to maintain a card security policy and update it regularly as staffing structures change.
Sorry, but IT can't just wave a magic wand to make it happen. (Though IT is pretty magical, if we do say so ourselves.)
Myth 4: applying PCI standards makes my systems secure
The PCI DSS requirements are pretty comprehensive, so it's easy to think they provide all-around security for your call centre and its data.
Nope.
Card security should be considered one facet of a wider security policy. The vast majority of modern companies need an internet connection to do business, and the very fact this connection exists means that myriad potential vulnerabilities exist too.
You could have rock-solid card security in place but remain vulnerable to email phishing attempts, website DDoS attacks, and bad-old-fashioned phone scams. For call centres, where multiple internet-connected systems work in tandem, it's especially important to remain vigilant.
While some of the PCI requirements – like installing antivirus software – do help with business-wide security, it would be foolish to think they automatically turn you into an impenetrable fortress.
(Psst. We can help you strengthen your cybersecurity. Just saying.)
Myth 5: it doesn't matter if I'm not compliant
LOL.
Sorry, that was a wee bit insensitive. But, honestly, have you seen the fines you could face for non-compliance?
If you're found to be in breach of the PCI DSS, you could be fined between $5,000 and $100,000 (around £4,000 and £75,000)…
PER. MONTH. Until you fix the problem.
What's more, failing to comply could see you bumped up to a higher compliance level. This would likely mean forking out for an on-site QSA assessment… call that another £15,000 to £75,000.
And if you experience a breach, that's a whole other kettle of cash. Then you have to consider potential lawsuits, legal fees and payouts to affected customers. Not to mention the reputational damage your company could suffer.
So… yeah. We think you'll agree – non-compliance is not a tightrope worth walking.
How we can help
Our cloud-based call centre software boasts some pretty nifty features, ranging from omnichannel contact management to high-tech AI chatbots.
But one of its most useful features is its payment processing solution.
This lets you do all sorts of things, like take payments via web chats and automated IVR. And best of all, it's PCI compliant, right out of the box.
Now, to be absolutely clear – this won't automatically make your call centre compliant. You'll still have to implement all the required standards, such as installing antivirus software and maintaining a security policy.
But it does mean there's one less hoop to jump through. And with something as complicated as the PCI DSS, that can be a big help.
Interested? Click to learn more about our cloud contact centre software.
Want more useful tech tips? Sign up for our Knowledge Hub newsletter. (It's spam free – promise.)
Contact Us
Yoozoom
Unit 8
Gemini Business Park
Sheepscar Way
Leeds
LS7 3JB
Company Number: 07618108
VAT Number: GB11304662
Yoozoom Technologies Limited T/A Yoozoom