We now live in a security conscious era where consumers are cautious when using payment cards online or over the telephone. In fact almost half (44%) of consumers now rank security as their number one priority when choosing an online or over the phone payment method.
Contact centers need to respond to this and demonstrate to their customers that they take payment security seriously and take every step possible to protect customers sensitive payment details. Ensuring that you are compliant to PCI DSS is the most effective way of doing this, showing that you are following best practice, winning customer trust and ultimately loyalty.
But what is PCI DSS compliance? How do contact centers follow this best practice? We have put together answers to the most common questions we are ask about PCI compliance.
What is a PCI compliance definition?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to protect cardholder account information. It sets out consistent data security measures for all businesses that take card payments to follow. It applies globally to any company that accepts credit or debit card payments, online, over the phone or in person.
When did PCI compliance start?
The first version of PCI DSS was launched in December 2004. Since then, there have been several updates with the current version, PCI DSS 4.0, launched in March 2024.
The standard continues to evolve to cater for new and emerging threat as well as taking into account new technology adoption such as AI which was not around or commonly used when PCI DSS was first introduced back in 2004.
Who needs to be PCI DSS compliant?
Any organization, of any size, that captures, holds or processes cardholder data has a need to be PCI DSS compliant.
But PCI DSS isn’t a law, it’s a security standard. It is made mandatory through the agreements businesses sign with card providers, for example MasterCard and Visa, and the banks that process the payments.
How do you obtain a PCI DSS compliance certification?
There isn’t a certificate for PCI compliance, instead organizations complete an attestation of compliance (AOC) – a self-assessment that proves compliance.
You can pay a third-party vendor, a certified Qualified Security Assessor, to conduct a PCI DSS assessment for you and obtain a report of compliance (ROC). If you’ve suffered a breach of security violation, you may need to get an ROC to prove that your systems are secure.
You can obtain an AOC by meeting these requirements:
- Maintain a policy that addresses information security
- Protect your systems
- Develop and maintain secure systems and applications
- Install and maintain network security controls to prevent unauthorized access to systems and defend against malicious software
- Apply secure configuration to all system components
- Identify users and authenticate access to system components
- Regularly test security systems and processes
- Protect the data you store and access
- Use strong cryptography when transmitting cardholder data across open, public networks
- Restrict access to cardholder data by business need-to-know
- Restrict physical access to cardholder data
- Log and monitor all access to network resources and cardholder data
Can I descope PCI DSS compliance?
Yes, the most effective way of descoping your contact center from PCI DSS compliance is to ensure that no sensitive payment information enters your contact center. That means that your agents do not hear or see any card payment data or any of this data enters your contact center systems. This is best achieved by utilizing a cloud-based secure payment systems such as PCI Pal that if fully PCI DSS Level 1 compliant and ensures that you can take payments from customers in a secure way without any of these details entering your contact center environment.
To find out more about how PCI Pal can help you will this process, please reach out to our team, we’d be happy to help.
