PCI DSS was originally conceived by the world's major payment card brands (Visa, Mastercard, American Express) as a way to standardise security practices across all organisations that take, process and store sensitive payment card data. It has come a long way since its first appearance in late 2004 and the latest version – PCI DSS 3.0 – sets out 12 very clear requirements that all relevant organisations must adhere to in order to be deemed PCI compliant.
Perhaps unsurprisingly, PCI DSS is often met with mixed reactions. Many see it as an unnecessary bureaucratic exercise or an annual check box task. However, these organisations are missing the point entirely. PCI DSS is not about bureaucracy, it is about the safety of highly sensitive customer data. Irrespective of PCI DSS, if organisations aren't doing their utmost to keep this data safe, they need to take a good hard look at themselves.
Whilst heavy fines can be levied against organisations who suffer data breaches and are found to be non-compliant, the monetary loss usually pales into insignificance compared to the reputational damage sustained as the result of a high profile breach. As such, PCI DSS compliance should be considered a by-product, rather than a primary driver, of securing customer data within an organisation.
PCI DSS covers all forms of payment collection, processing and storage. For many businesses, the telephone remains one of the primary channels for taking customer payments, usually via dedicated customer contact centres. But they can be noisy and chaotic places, where data security often slips down the list of priorities. So how can PCI compliance be achieved (and importantly, maintained) in this kind of environment?
Choosing the path that's right for your business
The good news is that there are a number of different paths to compliance, offering something for nearly every scenario. Some organisations choose to receive, process and store sensitive card data in-house. This can be a good option for those that have already made significant internal security infrastructure investments. However, for those that haven't already got the necessary infrastructure in place, dealing with it in-house can be a costly exercise, carrying a great deal of ongoing (and unnecessary) risk to the organisation. An alternative way to achieve PCI compliance is to utilise specialist technology to ensure the sensitive data never enters the contact centre environment in the first place. If it's never there, it can't be breached or stolen, meaning any risk to the security of the data is immediately minimised.
In this scenario, when a customer comes to make a phone payment, rather than divulge the card details directly to a contact centre agent, they are routed through an external secure payment platform. The customer then enters their payment details via the telephone keypad to complete the transaction. The contact centre agent can see the transaction taking place and can still engage with the customer if required, but they have no visibility of the sensitive card data at any stage. This further reduces overall risk to data by removing the agents themselves from the security equation. Furthermore, when there's no payment data on site, the contact centre's obligations with regard to PCI-DSS are significantly reduced, leaving just one of the 12 requirements for PCI DSS in scope; Requirement 12 – ‘Maintain a policy that addresses information security'.
Achieving and maintaining PCI compliance can be painful at times, but organisations should focus less on the pain points, and more on the bigger picture, which is keeping customer data (and company reputation) safe. For an industry so reliant on phone payments, securing this channel should be a top priority for all collections agencies. Furthermore, there are a host of third party experts out there who can all but remove the stress of PCI compliance, and boost the quality of collections services offered to customers. So what are you waiting for?
Contributed by Matthew Bryars, CEO of Aeriandi