A Sponsored Article by Connect First
Most people don’t think about it, but contact centers hold a significant amount of sensitive data, including payment information, credit card data, social security numbers, birthdates and other identifying personal data. Protecting customer payment data has always been a high priority for contact centers, but it has elevated in the last year in the wake of security breaches at high-profile brands like Target and Home Depot, which, combined, compromised over 100 million credit cards and other customer data.
The most common way to build security into any system that handles branded credit cards from Visa, MasterCard, American Express, Discover or JCB is to follow the guidelines outlined in the Payment Card Industry Data Security Standard (PCI DSS).
Easy, right? Well, not always. And, the complexities seem to add up when we start talking about cloud platforms. So, here are some tips for understanding and following the PCI DSS guidelines to make sure that your contact center isn’t the next one targeted for a security attack.
What exactly is PCI DSS and do all call centers need to be compliant?
PCI DSS is a set of standards established by the major payment card brands to protect consumers and their personal data through the payment transaction process—from data input to storage, processing and transmission.
Any organization that handles cardholder information can (and should) become PCI-compliant. And, while it’s not a law, contact centers that do not meet compliance criteria may be subject to large penalties, card replacement costs, restitution for breaches, data audits and much more. The bottom line is, for contact centers, if you handle payment data, you need to be compliant.
Are all PCI vendors created equal?
Many vendors claim that they have PCI compliance when that is not actually true; they rely on a third-party company to run credit card processing though their systems, adding both cost and vulnerability. Some will even lie to you. Make sure that your contact center vendor provides Service Level 1 PCI compliance that is certified by the Payment Card Industry Security Standards Council and gives you the Certificate of Compliance.
I’m moving my contact center to the cloud. How does the cloud impact PCI-compliance?
The best way to become PCI-compliant is to start with a contact center platform that already meets PCI guidelines. The right platform will have all the elements required to build a strong PCI-compliant foundation including data and voice (including audio) encryption, cardholder data access control options, network security, testing and monitoring for abnormalities and vulnerability management.
One of the requirements for PCI-compliance is to document and map the flow of cardholder data (requirement 1.1.2) which turns out to be a similar exercise whether you host your platform internally or in the cloud. But keep in mind that using a PCI-compliant platform does not cover all your bases.
You may need to consider specialized audits of the physical servers and networks that store and transmit card data to ensure that only the right data is being transmitted and that the right encryption is in place from end to end.
Who can help me with PCI-compliance when using a platform in the cloud?
Best practices for PCI-compliance when using a cloud environment have improved over the last two years. If you are new to it, the best way to get help is to make the process a combined effort with your cloud platform contact center service provider, your internal IT team and (in the case of contact center outsourcers) the end merchants you represent. Only by understanding the complete picture of your customer’s data will you be able to create an end-to-end solution that meets all regulations.
A good resource is the PCI Security Standards Council (SSC) Information Supplement, PCI DSS Cloud Computing Guidelines, which helps organizations better understand the impact of cloud computing on PCI regulations.
Need Personalized Advice and Help?
Geoff Mina is the CEO of contact center platform technology provider Connect First which has achieved Level 1 PCI Certification. Connect First and partner Compliance Point work closely with customers deploying cloud-based contact center platforms to evaluate and implement strategies to help meet PCI requirements.
You can also access an archive of a webinar with Geoff and Compliance Point with more hints for PCI management with cloud platforms at http://pa.connectfirst.com/CCP/PCICompliance