21st October 2015

Kevin Dowd looks at why high staff turnover makes it even more important that you don’t handle customers’ payment details in house.
“When it comes to PCI DSS compliance in contact centres, give the problem to someone else.”
Why so? Well, the call centre is a bit of a perfect storm for PCI DSS compliance, and fraud in general. Many call centres experience relatively high staff turnover and deal with sensitive customer data – including payment card data – in a pressured environment.
Calls are often recorded, and in many cases sessions are recorded as well, meaning that not only must payment card data be controlled in the main line of business systems, but additional measures must be put in place to make recording compliant and to ensure the sensitive card data (PAN & CV2) can’t be stored or compromised in any way.
In a typical call centre the agent, their PC, the software, the back-end systems, the network, call recording and session recording are all in scope of the PCI DSS regulations.
The call centre is almost always the most difficult part of the project. There are occasions when the call centre is perfectly straightforward, and these occasions almost always involve the call centre having nothing to do with credit card numbers at all.
This usually means that the call centre has implemented some sort of DTMF payment solution. This enables customers to key in their PAN and CV2 via the telephone keypad while the agent remains in conversation with them on the call (or via a fully automated customer self-service system), with the DTMF tones masked or silenced so that agents or other staff cannot recover the digits. This touchtone-captured data is intercepted by the system and sent to the Payment Services Provider (PSP) without the call centre ever being involved.
Ideally this is done as a service, or a cloud-based solution, in order that the call centre has no ‘technical’ PCI DSS scope at all (there will always be supplier management, incident management and policy responsibilities, though, advises Kevin). “The beauty of this, though”, he says, “is that not only does it reduce scope, it minimises risk, as call centre staff need never have access to any card data at all”.
Furthermore, call recordings can be full length too (thus avoiding ‘pause and resume’ complications) as the DTMF touchtone entry of the card numbers by the customer cannot be picked up by recordings any more than by agents.
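To make the control concrete, here is an added illustration (not code from the article or from any vendor Kevin Dowd describes) of the interception point a DTMF payment solution provides. A hypothetical `DtmfInterceptor` sits between the customer leg and the agent/recording legs: once the agent starts the payment phase, keypad tones are consumed before they reach the agent's headset or the recorder, the digits are Luhn-checked and handed to a PSP payload, and the agent sees only a masked confirmation. The event format, the `start_capture` control and the `4111111111111111` test card number are constructed for the example.

```python
"""Model of a DTMF payment interceptor between the customer leg and the
agent/recording legs of a contact-centre call (hypothetical example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CallEvent:
    kind: str      # "speech" (either party), "dtmf" (customer keypad) or "control"
    payload: str


@dataclass
class CallOutputs:
    agent_view: List[str] = field(default_factory=list)   # what the agent hears/sees
    recording: List[str] = field(default_factory=list)    # what the call recorder stores
    psp_payload: Optional[dict] = None                    # what goes to the PSP only


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check for a numeric PAN; rejects obviously malformed input."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class DtmfInterceptor:
    """Consumes DTMF during the payment phase so neither agent nor recorder sees it."""

    def __init__(self) -> None:
        self.capturing = False
        self.fields: List[str] = []   # PAN first, then CV2
        self.buffer = ""

    def _reset(self) -> None:
        self.capturing = False
        self.fields = []
        self.buffer = ""

    def process(self, events: List[CallEvent]) -> CallOutputs:
        out = CallOutputs()
        for ev in events:
            if ev.kind == "control" and ev.payload == "start_capture":
                self.capturing, self.fields, self.buffer = True, [], ""
            elif ev.kind == "speech":
                out.agent_view.append(ev.payload)
                out.recording.append(ev.payload)
            elif ev.kind == "dtmf" and self.capturing:
                # Tone is swallowed: recorder gets silence, agent gets nothing.
                out.recording.append("<silence>")
                if ev.payload != "#":
                    self.buffer += ev.payload
                    continue
                self.fields.append(self.buffer)
                self.buffer = ""
                if len(self.fields) == 2:
                    pan, cv2 = self.fields
                    if luhn_valid(pan) and cv2.isdigit() and len(cv2) in (3, 4):
                        out.psp_payload = {"pan": pan, "cv2": cv2}
                        out.agent_view.append(f"Card captured: **** **** **** {pan[-4:]}")
                    else:
                        out.agent_view.append("Card rejected: ask the customer to re-enter")
                    self._reset()
            elif ev.kind == "dtmf":
                # Outside the payment phase tones are ordinary IVR input and pass through.
                out.agent_view.append(f"DTMF {ev.payload}")
                out.recording.append(f"DTMF {ev.payload}")
        return out


def run_demo() -> CallOutputs:
    """Constructed call: agent opens the payment phase, customer keys PAN then CV2."""
    events = [
        CallEvent("speech", "Agent: please key in your card number followed by hash."),
        CallEvent("control", "start_capture"),
        *[CallEvent("dtmf", d) for d in "4111111111111111#"],
        CallEvent("speech", "Agent: now the three-digit security code, then hash."),
        *[CallEvent("dtmf", d) for d in "123#"],
        CallEvent("speech", "Agent: thank you, that has gone through."),
    ]
    return DtmfInterceptor().process(events)


if __name__ == "__main__":
    result = run_demo()
    print("agent sees:", result.agent_view)
    print("recorder stores:", result.recording)
    print("PSP receives:", result.psp_payload)
```

The point of the model is the asymmetry of the three outputs: the recording can run for the full length of the call because the tones are replaced by silence rather than the recorder being paused, and the agent's view only ever carries the last four digits, so neither the desktop nor the recording platform holds PAN or CV2.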
With thanks to Kevin Dowd, a PCI DSS QSA and also Group Chairman of the CNS Group