Encoded Offers

Secure payment solutions
PCI QSA partner – Blackfoot UK
Level 1 PCI DSS compliant card payments


PCI DSS Compliance

Secure payment solutions from Encoded. Independently assessed as a Level 1 PCI DSS compliant service provider.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to enhance the security of payment account data. Created by Visa®, Mastercard®, JCB®, Discover® and American Express®, it is made up of 12 high-level requirements designed to secure the systems that store, process or transmit cardholder data. It is meant to protect consumers and merchants against security breaches.

Card Data Security – The Buck Stops with the Merchant

Card-accepting contact centres understand the importance of protecting customer data from fraud and cybercrime. However, it may be news to many that in the event of a breach it is the merchant, through its agreement with its acquiring bank, that ends up paying the fines and costs, whichever supplier's system was actually compromised.

What are the major issues with PCI DSS and contact centres?

It is not easy to become a PCI DSS compliant contact centre because:


Handling Details

Giving agents live access to card details carries a high risk of those details being exposed. There are countless examples of agents writing card numbers down or sending them by email, so the risk of a breach is high from both human error and dishonesty.


Storing Details

Storing payment card details on-site requires a significant investment in infrastructure and security systems, as well as in policies and procedures. Holding card details for recurring payments concentrates risk in one place. Call recordings are also a major problem: they are likely to capture and store card numbers and security codes, particularly in regulated industries where calls must be recorded.


Training Agents

Agents have to be trained to understand what PCI DSS compliance means and what their responsibilities are, which introduces additional cost.

How can Encoded Help?

Encoded has invested in achieving the top level of PCI DSS compliance for a service provider. It holds a Level 1 Attestation of Compliance (AOC), the level that applies to service providers that store, process and/or transmit more than 300,000 Visa transactions per year and that requires an annual on-site assessment by a QSA.

The high cost of a full PCI DSS Level 1 assessment by an external Qualified Security Assessor (QSA) is leading some vendors to claim compliance when they have not been through the whole process. This puts contact centre organisations at risk: ask any supplier for its current AOC rather than taking the claim on trust.

To find out more about our PCI DSS compliant contact centre solutions, take a look at Five Things Every Card-Accepting Contact Centre Should Know about PCI Compliance or call us on 01293 229 700.

Look up Encoded on the Visa Europe Merchant Agent Weblisting PDF.

Encoded is certified.

Frequently Asked Questions

What is the meaning of PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It was created by Visa®, Mastercard®, JCB®, Discover® and American Express® and is made up of 12 requirements designed to secure business systems that store, process or transmit cardholder data. It was developed to protect consumers and merchants against security breaches. Today PCI DSS is issued and updated by the PCI Security Standards Council (PCI SSC).

What is the PCI Data Security Standard (PCI DSS) and the PCI Security Standards Council (PCI SSC)?

The official PCI Security Standards Council Site details information about PCI Compliance, Assessors and Solutions, Training and Qualification. The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

Why do I need PCI DSS compliance?
For customers to transact with an organisation either via a contact centre or online they need to be confident that their payment cards will not be compromised, their personal details are secure, and their identities cannot be stolen. PCI DSS compliance means that merchants and service providers meet their obligations to ensure customer payments are secure.
Is PCI DSS compliance necessary in the UK?
PCI DSS applies worldwide. It is not a piece of UK legislation but a contractual obligation: any organisation that accepts cards bearing the logo of Visa, Mastercard, American Express, Discover or JCB takes it on through its merchant agreement with its acquiring bank, regardless of size, value or number of transactions. In other words, if card data touches your people, processes or systems at any point, you must comply.
I don’t take payments over the phone, does PCI DSS still apply to me?
PCI DSS applies to card payments over all channels, including in store, online and by mail order, not just over the phone.
I only accept credit cards over the phone, does PCI DSS still apply to me?

Every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI DSS requirements cover a great many areas and touch almost every aspect of an organisation’s operations.

Not recording telephone calls does not make you compliant on its own; it removes one place where card data would otherwise be stored and leaves every other requirement still to be met. Manual ‘pause and resume’ of call recording is not an adequate control either: it depends on the agent remembering to pause every time, the agent still hears and can write down the card details, and the recording platform and the agent’s desktop remain in scope. Download Encoded’s booklet – The Truth about PCI DSS in Contact Centres for more information.

Can I record calls and still be PCI compliant?
You can, but the recordings and the platform that stores them become part of your cardholder data environment. PCI DSS prohibits the recording or storing of any CAV2, CVC2, CVV2 or CID code after authorisation, even if the recording is encrypted. The standard states, “It is a violation of PCI DSS to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted.” A recording that captures the customer reading out their security code therefore cannot be retained. Any card number captured in a recording is stored cardholder data and must be protected under Requirement 3: rendered unreadable wherever it is stored, access restricted to those with a business need, and retention kept to a minimum.
What happens if I am not PCI DSS compliant?

Failure to meet PCI DSS and protect customer data adequately can result in financial penalties and charges passed on by your acquirer, fraud losses, damage to your reputation and loss of customer trust, diminished sales, possible legal costs, settlements and judgements, and stolen customer funds or identities. In the worst case an acquirer can withdraw your ability to accept card payments altogether.

What are the UK PCI DSS requirements?
There are no UK-specific PCI DSS requirements: the standard is the same worldwide. To be compliant, an organisation must demonstrate that it meets every requirement of the standard that applies to its cardholder data environment, and validate this each year in the way its merchant or service provider level requires (a Self-Assessment Questionnaire or a Report on Compliance, plus quarterly ASV scans where applicable).

Becoming compliant means taking measures regularly. No one size fits all – every organisation is set up differently and therefore needs to be assessed on an individual basis and depending on the kinds of security risks that the business faces.

How can I take payments at my contact centre and be PCI DSS compliant?
Keep card data away from your agents and your own systems. The fewer people, processes and systems that touch cardholder data, the smaller the cardholder data environment you have to secure and assess. In practice that means handing card capture to a Level 1 compliant payment provider (for example via IVR or a hosted payment page, so the agent never hears or sees the number), using tokenisation and stored-card payments so repeat customers never read their details out again, and keeping card data out of call recordings. Your organisation still has to demonstrate compliance for whatever remains in scope, but the work involved is dramatically reduced.
What are the different PCI compliance ‘levels’ and how are they determined?
There are four PCI compliance levels for merchants, set by the card brands and based on the number of transactions an organisation handles each year. Visa’s thresholds are:

  • Level 1: Merchants that process over 6 million Visa transactions annually. Visa can also place a merchant at Level 1 following a breach.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually.
  • Level 4: Merchants that process fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels, annually.

Other brands use similar but not identical thresholds, and it is your acquirer that decides which level you are treated as, so check with them.
I am a Level 1 Merchant, what do I have to do to achieve PCI DSS compliance?
Level 1 merchants must have an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or by a trained Internal Security Assessor (ISA), complete quarterly external network scans by an Approved Scanning Vendor (ASV), and submit an Attestation of Compliance (AOC) to their acquirer.
What is the PCI DSS compliance checklists?

To become compliant there is a PCI checklist of 12 requirements, broken down into some 250 detailed sub-requirements (the exact number varies between versions of the standard), which must be implemented, and the cost of this to a business can vary significantly. To many, the costs involved can be prohibitive, but there is money to be saved by undertaking a programme of reducing the scope of the cardholder data environment (or de-scoping). The 12 high-level requirements, in the wording of PCI DSS v3.x (v4.0 restates the titles but keeps the same twelve-requirement structure), fall into the six categories below:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.

The type of audit you must undergo, and your exact PCI DSS requirements will vary depending on your merchant or service provider level.

To truly understand the best practice for every one of those sub-requirements takes a real specialist; however, addressing the key vulnerabilities, namely staff handling card data and the choice of third-party payment supplier, will result in large reductions in both PCI DSS scope and cost.

What is a PCI DSS policy template?

The PCI SSC publishes the current standard and its supporting documents in the Document Library on its website, including reference guides, the SAQ and AOC forms, supplementary guidance and FAQs. It does not issue a single official policy template; Requirement 12 sets out what your information security policy must cover, and many QSA firms provide templates built around it.

How can I demonstrate PCI DSS certification?

Merchants and service providers can demonstrate their compliance with the PCI DSS by completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard. The types of audit are:

  • An RoC (Report on Compliance) completed by a PCI QSA (Qualified Security Assessor) organisation such as IT Governance or by an ISA (Internal Security Assessor).
  • A Self-Assessment Questionnaire (SAQ) signed by an officer of the organisation. There are nine types of SAQ designed to meet different merchant and service provider requirements.
  • An external vulnerability scan conducted quarterly by an ASV (Approved Scanning Vendor), which supports the RoC or SAQ rather than replacing it.

The type of audit you must undergo, and your exact PCI DSS compliance requirements will vary depending on your merchant or service provider level, based on the number of card transactions processed per year.

What is scoping and how often must it be carried out?
To implement the PCI standard you must start with scoping your organisation. This process involves identifying all system components that are located within or connected to the cardholder data environment (comprised of people, processes, and technology that handle cardholder data or sensitive authentication data).

Scoping must be carried out at least annually, before the annual assessment, and again whenever the environment changes significantly (a new payment channel, a new call recording platform, a new supplier). Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.

What is de-scoping?
De-scoping is the process of reducing the number of requirements (tick-boxes) that apply to you by shrinking the cardholder data environment, typically by passing the handling of card data to a third party. As the merchant account agreement is between the merchant and the acquirer, responsibility for PCI compliance cannot be entirely removed; however, the amount of time and work required to demonstrate compliance can be dramatically reduced.
Can I just buy a PCI DSS compliant solution?
There is no such thing as a PCI DSS compliant product. Only companies and other legal entities can be PCI DSS compliant, not products or software, because the standard assesses how an organisation’s people, processes and technology handle card data, not a box in isolation. Products are often incorrectly marketed as PCI DSS compliant; the PCI SSC does list validated payment applications and P2PE solutions, but using a listed product does not make the merchant compliant. A solution can, however, dramatically reduce what is in scope for you, and its provider can itself be validated as a compliant service provider.
How should I select suppliers that are PCI compliant for my contact centre?
Only select suppliers that appear on the Visa Europe Merchant Agent list (see above). Not all payment solution providers are created equal. Contact centres typically use multiple technologies, so it is becoming increasingly important to understand just who does what and who needs to be PCI DSS compliant: telephony, call recording, CRM and payment suppliers may all touch card data. The list details Level 1 and Level 2 service providers (refer to What is the difference between a Level 1 and Level 2 Service Provider?).
Do organisations using third-party service providers have to be PCI DSS compliant?

The amount of time and work required to demonstrate compliance can be dramatically reduced by working with a third-party payment solution provider. However, responsibility for PCI compliance cannot be entirely removed. PCI DSS covers the entire trading environment, which means that all third-party partners and vendors that handle card data on the merchant’s behalf, or supply services through which card data passes, must also comply before full PCI DSS compliance is achieved.

When a merchant uses a validated third party to capture the payment information from their own website, the actual process of data capture bypasses their systems. In this way, they need not hold client data in-house and thus alleviate some of the risk and obligations associated with PCI compliance.

PCI DSS v3.0 introduced requirements (12.8.5 and 12.9) for merchants to maintain, and for service providers to acknowledge in writing, a clear split of which PCI DSS requirements each party is responsible for. Providers typically document this as a “Responsibility Matrix” that states, for each requirement, whether the client, the supplier or both are responsible.

How can I be assessed for PCI DSS Compliance?

Every organisation is set up differently and therefore needs to be assessed on an individual basis. What you’ll need to do to become compliant is dependent on the kinds of security risks that your business faces.

Many small- and medium-sized businesses can prove their compliance with PCI DSS by filling out a Self-Assessment Questionnaire (SAQ). You can also choose to have your payment environment assessed by an accredited Qualified Security Assessor, but this usually applies to larger organisations due to the costs and volume of transactions involved.

What is a Self-Assessment Questionnaire?

Known by the acronym SAQ, a Self-Assessment Questionnaire is a form that eligible organisations complete to confirm their compliance with each requirement of the PCI DSS that applies to them.

A Self-assessment Questionnaire (SAQ) is signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider’s requirements.

What about recurring payments (continuous authority payments)?
Recurring payments can help to reduce the scope and cost of PCI DSS compliance, provided the card details are stored by the payment provider as a token rather than in the contact centre’s own systems. Once an initial transaction has been verified the card becomes trusted and repeat payments do not require the details to be taken again, so agents never hear or handle them. On average 40% of customers will opt to have their card details stored for future use. However, there may not always be funds available on the stored card, and cards expire or are reissued, so payments can be declined.
How does Tokenisation fit into PCI DSS compliance?
Tokenisation, recurring and stored-card payment solutions mean that organisations with contact centres can vastly reduce the scope of their PCI DSS assessments. A token is a surrogate value that stands in for the card number but has no mathematical relationship to it; the real PAN is held only in the payment provider’s vault. A token can only be redeemed through the specific payment gateway that issued it, and normally only by the merchant it was issued to, so if a token is stolen or written down it is useless to anyone outside that payment environment.

Some third-party payment solution providers (such as Encoded) have a tokenisation feature to enable card holders to validate and amend stored cards when something goes wrong; avoiding fines, fees and interest charges by self-managing the details held on file.
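To make the above concrete, here is an added illustration (not Encoded’s code, and not a description of how its platform is built) of what a provider-side token vault does for a contact centre. Everything in it is hypothetical: the `TokenVault` class, the merchant identifiers and the in-memory dictionaries standing in for the provider’s encrypted vault. It shows the three properties the FAQ relies on: the same card returns the same token for stored-card and recurring payments, a token bound to one merchant is worthless to anyone else, and the token is deliberately Luhn-invalid so it can never pass for, or be used as, a card number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it."""
    total = sum(int(c) if i % 2 == 0 else (2 * int(c)) % 10 + (2 * int(c)) // 10
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the payment provider's token vault.

    Only code inside the vault ever sees a PAN. The contact centre stores,
    displays and passes around tokens, so its own systems hold no card data.
    In production the vault would be encrypted/HSM-backed; dicts suffice here.
    """

    def __init__(self) -> None:
        self._fp_key = secrets.token_bytes(32)                # key for card fingerprints
        self._pan_by_token: dict[tuple[str, str], str] = {}  # (merchant, token) -> PAN
        self._token_by_fp: dict[str, str] = {}                # fingerprint -> token

    def _fingerprint(self, merchant_id: str, pan: str) -> str:
        # Keyed (HMAC) so the same card maps to the same token per merchant without
        # storing an unkeyed hash, which could be brute-forced over the PAN space.
        return hmac.new(self._fp_key, f"{merchant_id}:{pan}".encode(), hashlib.sha256).hexdigest()

    def tokenise(self, merchant_id: str, pan: str) -> str:
        """Swap a PAN for a merchant-bound, format-preserving token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(merchant_id, pan)
        if fp in self._token_by_fp:                           # stored card: reuse its token
            return self._token_by_fp[fp]
        while True:
            # Random body plus the real last four, so agents can still say "card ending 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Deliberately Luhn-invalid: the token can never pass for, or be used as, a PAN,
            # and PAN-detection tooling will not flag it as card data.
            if not luhn_valid(token) and (merchant_id, token) not in self._pan_by_token:
                break
        self._pan_by_token[(merchant_id, token)] = pan
        self._token_by_fp[fp] = token
        return token

    def charge(self, merchant_id: str, token: str, amount_pence: int) -> dict:
        """Gateway-side use of a token. The PAN is resolved inside the vault and only
        a masked form leaves it, so the caller never handles cardholder data."""
        pan = self._pan_by_token.get((merchant_id, token))
        if pan is None:
            # A token written down and presented by another merchant, or a forged
            # token, resolves to nothing: it is useless outside this payment environment.
            return {"approved": False, "reason": "unknown token for this merchant"}
        return {"approved": True, "amount_pence": amount_pence, "card_ending": pan[-4:]}


def demo() -> dict:
    """Walk through the FAQ's scenario: store a card, charge it again, then try a stolen token."""
    vault = TokenVault()
    pan = "4111111111111111"                                  # well-known Visa test number
    token = vault.tokenise("contact-centre-a", pan)
    return {
        "token": token,
        "same_card_same_token": vault.tokenise("contact-centre-a", pan) == token,
        "recurring_payment": vault.charge("contact-centre-a", token, 1999),
        "stolen_token_elsewhere": vault.charge("merchant-b", token, 1999),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The design choice worth noting is that the token is random rather than derived from the PAN: a hash of a 16-digit number, even a salted one, can be reversed by enumerating the Luhn-valid PANs in a known BIN range, which is why the vault keeps a keyed fingerprint only for de-duplication and never exposes it.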

How can my organisation/contact centre remain PCI DSS compliant?
The best way to minimise future costs as the standard evolves is to minimise exposure to the primary risk areas such as staff and infrastructure. Invest in training and education on the PCI DSS standard in order to have the talent in house and work with payment organisations that are themselves Level 1 PCI DSS compliant.
Definitions

What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements: Cardholder name, Expiration date, Service code. Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
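Because recordings, transcripts and logs so easily end up holding cardholder data, the following added example (not from this page or from Encoded) shows how a contact centre can check that stored text is free of it, tying together the cardholder data definition above and the call-recording FAQ earlier on this page. It finds card numbers by the Luhn check that every PAN passes, masks them to the first six and last four digits, and strips security codes spoken in answer to a prompt, since sensitive authentication data must be removed rather than masked. The transcript, the `find_pans` and `redact` function names and the prompt patterns are all constructed for this example.

```python
import re

# Candidate runs of digits, allowing the spaces or hyphens an agent might type
# or a speech-to-text engine might emit between groups.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
PAN_LENGTHS = range(19, 12, -1)   # PANs are 13-19 digits; try longest first

# Sensitive authentication data (SAD): a 3- or 4-digit code given within a few
# words of a prompt for it. Constructed prompt list; extend it for your own scripts.
SAD_PROMPT = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|security code|three digits(?: on the back)?)\b"
    r"(\D{0,40}?)\b(\d{3,4})\b"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every PAN passes it, most other digit strings fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, pan) for each Luhn-valid 13-19 digit sequence in text."""
    hits = []
    for run in DIGIT_RUN.finditer(text):
        # map each digit back to its offset in the original text
        offsets = [run.start() + i for i, ch in enumerate(run.group()) if ch.isdigit()]
        digits = "".join(ch for ch in run.group() if ch.isdigit())
        i = 0
        while i < len(digits):
            for n in PAN_LENGTHS:
                window = digits[i:i + n]
                if len(window) == n and luhn_valid(window):
                    hits.append((offsets[i], offsets[i + n - 1] + 1, window))
                    i += n - 1          # resume after this PAN
                    break
            i += 1
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS v3.x permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Remove SAD outright, then mask every PAN, so the text may be retained."""
    text = SAD_PROMPT.sub(lambda m: f"{m.group(1)}{m.group(2)}[SAD REMOVED]", text)
    # Replace right-to-left so earlier offsets stay valid.
    for start, end, pan in sorted(find_pans(text), reverse=True):
        text = text[:start] + mask_pan(pan) + text[end:]
    return text


# Constructed sample: a speech-to-text transcript of an agent-assisted payment.
# 4111 1111 1111 1111 is a well-known Visa test number; the order reference is
# also 16 digits but fails the Luhn check, so it is correctly left alone.
TRANSCRIPT = """\
Agent: Can I take the long card number please?
Customer: Yes, it's 4111 1111 1111 1111.
Agent: Thank you. And the three digits on the back?
Customer: 123.
Agent: Expiry date?
Customer: 09/27. My order reference is 1234567812345678.
Agent: Payment taken, your authorisation code is 583920.
"""

if __name__ == "__main__":
    print(redact(TRANSCRIPT))
```

Run against a day’s transcripts or application logs, anything `find_pans` reports is evidence that card data has leaked into a system you may not have treated as in scope. The Luhn check alone gives occasional false positives on long reference numbers, so review hits rather than acting on them blindly, and remember that a transcript which still contains a security code cannot be kept at all.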


What is the definition of ‘merchant’?

A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

What is a Service Provider?

A Service Provider is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.

This also includes companies that provide services that control or could impact the security of cardholder data.

Examples include managed service providers that provide payment solutions, managed firewalls and other services, as well as hosting providers. (Source: PCI Security Standards).

There are two types of service provider, Level 1 and Level 2. Level 1 service providers must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance. Level 2 service providers must evaluate themselves annually with the Self-Assessment Questionnaire, SAQ D.


What is the difference between a Level 1 and Level 2 Service Provider?

Like merchants, service providers have different levels based on the volume of transactions they handle annually.

Level 1 Service Provider
These are service providers that store, process, or transmit more than 300,000 card transactions annually.

  • PCI Requirements validated
  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance (AOC) Form

Level 2 Service Provider
These are service providers that store, process, or transmit fewer than 300,000 card transactions annually.

  • PCI Requirements validated
  • Annual Self-Assessment Questionnaire (SAQ) D
  • Quarterly network scan by an ASV
  • Penetration Test
  • Internal Scan
  • AOC Form

Download Encoded’s PCI DSS Certificate

Ensure that every service provider involved with cardholder data has a current Attestation of Compliance (AOC), the document often loosely called a PCI DSS certificate; the PCI SSC itself does not issue certificates. Check the date (an AOC covers one year), that the services you actually use are within its scope, and that the assessor is a QSA listed by the PCI SSC.

Want to find out more?

Contact us now to learn more about how Encoded can improve your business efficiency.


PCI DSS articles you may like

PCI DSS: Why it pays to comply

For customers to buy from an organisation either in person, online or via a contact centre they need to be confident that their payment cards will not be compromised, their personal details are secure and their identities cannot be stolen. PCI DSS was created to...

Card Fraud Reduction

Card Fraud Reduction in Contact Centres: Take Your Pick Rob Crutchington at Encoded recommends asking three simple questions when deciding which fraud control method to use. Many methods of taking card payments have emerged over the years as companies strive to be PCI...

GDPR – What happens next?

GDPR – What happens next? 3 Steps to contact centre compliance Rob Crutchington at Encoded looks at the impact of GDPR on contact centres and discusses three ways to help them remain compliant using technology. Contact centres are challenging places. There is...

5 Reasons why Cloud is best

Why Cloud is best What lies behind your payment solution? Contact centres are often seen as the front line service of a business. They are at the forefront of customer service and therefore the long-term profitability of any organisation. Contact centres need to...

GDPR Compliance

GDPR Compliance – Take a lead from PCI DSS in your contact centreRob Crutchington from Encoded explains how applying the same principles as PCI DSS can help to meet the challenges of the new data protection legislation. With the General Data Protection Regulation...

Know more about PCI DSS compliance

Want to know more about PCI DSS compliance and how to achieve it? Robert Crutchington at Encoded takes a closer look at the truth about PCI DSS in a new compilation of blogs on the subject We have just published our new booklet “The Truth about PCI DSS compliance in...

Ditch the CVV

Are the three-digits on the back of a payment card really relevant? Is it time to ditch the CVV code? There are a number of myths around the three-digit card verification value (CVV) code found on the back of a MasterCard or Visa card (four-digits on the front if...

Whose responsibility is it anyway?

PCI Compliance: Whose responsibility is it anyway? The Payment Card Industry Data Security Standard (PCI DSS) was originally the brainchild of the world’s five largest payment card providers VISA, MasterCard, American Express, Discover and JCB International. Today, it...

Wise up on PCI DSS and Save a Fortune

PCI Compliance: Wise up on PCI DSS and Save a FortuneEvery contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS (Payment Card Industry Data Security Standard) compliant. However the process of becoming and staying compliant...

White paper – Telephone Payments and PCI DSS

PCI Compliance: The Ultimate White Paper Making payments via a credit or debit card is now largely common place but the regulations around accepting card payments over the phone remains a mystery to most organisations. This is your chance to read the ultimate white...

Five things you should know about PCI DSS

PCI Compliance: Five things you should know about PCI DSS but are too afraid to ask The Payment Card Industry Data Security Standard (PCI DSS) remains surrounded by confusion and misinformation. For example many call centres do not appreciate that PCI DSS covers the...

Three Ways to De-scope and Save Money

PCI Compliance: Three Ways to De-scope and Save Money Every business or merchant that accepts payment via debit and credit cards has a contractual obligation with its bank/acquirer to be PCI DSS compliant. The Payment Card Industry Data Security Standard (PCI DSS) is...

Why your customers should know about PCI DSS

PCI Compliance: Why your customers should know about PCI DSS If you were to ask shoppers in the street to name an online payment protection process the chances are they would know about Verified by Visa, 3D Secure, Mastercard SecureCode or even Safekey from American...

View Encoded’s Inner Circle Guide

View Encoded’s Inner Circle Guide to Fraud Reduction & PCI Compliance.


“Encoded is a dream to work with. They are efficient, reliable and totally professional with highly flexible technology to match. Always open to new ideas, they truly listen to what we want and go the extra mile to achieve it. That’s what makes them different and sets them apart from the competition.”

- Head of Customer Contact, Park Group.

“The people at Encoded blended well with our own team and understood our culture perfectly. They appreciated our requirement for a user-friendly solution that reflected Virgin’s own unique sense of style.”

- Operations Analyst, Virgin Holidays.

“Encoded has enabled us to build a truly round-the-clock operation without the need to increase our customer service headcount. To deal with the calls currently handled by IVR we estimate we would need to increase the existing number of agents by around 20%.”

- Managing Director, Green Star Energy.

About Encoded

Encoded is a leading PCI DSS compliant provider of secure interactive voice response payment solutions. Encoded’s products are designed to fulfil three key objectives: reduce costs by automating business processes, increase sales by offering new fulfilment channels, and improve customer service by maximising resource efficiency.

Accreditations

ISO 27001

Contact Encoded

Head Office:
Encoded Ltd
Spectrum House
Beehive Ring Road
Gatwick
West Sussex
RH6 0LG.

Tel: 01293 229 700
Email: sales@encoded.co.uk
