PCI DSS Compliance
Secure payment solutions from Encoded. Independently certified as a level 1 PCI DSS compliant provider.
- Secure payment solutions
- PCI QSA partner – Blackfoot UK
- Level 1 PCI DSS compliant card payments
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to enhance the security of payment account data.
Card Data Security – The Buck Stops with the Merchant
Card-accepting contact centres understand the importance of protecting customer data from fraud and cybercrime. However, it might be news to many that in the event of a security breach they will be the ones fined.
Why Encoded?
Encoded is a Level 1 PCI DSS accredited supplier – which means that contact centres and their customers can rely on Encoded’s technology with absolute confidence.
What are the major issues with PCI DSS and contact centres?
It is not easy to become a PCI DSS compliant contact centre because:
Handling Details
Allowing agents live access to card payment details creates a high risk of those details being exposed. There are countless examples of agents writing down card information or sending it in emails, so the risk of a breach is high through both human error and dishonesty.
Storing Details
Training Agents
How can Encoded Help?
The high cost of going through full PCI DSS Level 1 accreditation with an external Qualified Security Assessor (QSA) is leading to some vendors claiming to be compliant when in fact they have not been through the whole process. This is putting contact centre organisations at risk.
To find out more about our PCI DSS compliant contact centre solutions, take a look at Five Things Every Card-Accepting Contact Centre Should Know about PCI Compliance or call us on 01293 229 700.
Frequently Asked Questions
What is the meaning of PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It was created by Visa®, MasterCard®, JCB®, Discover® and American Express® and is made up of 12 requirements designed to secure business systems that store, process or transmit cardholder data. It was developed to protect consumers and merchants against security breaches. Today PCI DSS is issued and updated by the PCI Security Standards Council (PCI SSC).
What is the PCI Data Security Standard (PCI DSS) and the PCI Security Standards Council (PCI SSC)?
The official PCI Security Standards Council Site details information about PCI Compliance, Assessors and Solutions, Training and Qualification. The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
Why do I need PCI DSS compliance?
Is PCI DSS compliance necessary in the UK?
PCI DSS is mandatory worldwide. It applies to any organisation, without regard to size, value, or number of transactions, if that organisation collects, transmits, maintains, or transfers card data. Anyone who transacts with one of the major credit card companies such as Visa, Mastercard, American Express or Discover, must comply with the data security standard. In other words, if credit card information touches your secure network at any point, you must comply with these PCI standards.
I don’t take payments over the phone, does PCI DSS still apply to me?
The PCI DSS regulation applies to card payments over all channels, including in store and online.
I only accept credit cards over the phone, does PCI DSS still apply to me?
Even if your contact centre does not record telephone calls, that alone does not make you compliant – you will only have met a single requirement out of hundreds. Manual ‘pause and resume’ on calls is also not compliant. Download Encoded’s booklet – The Truth about PCI DSS in Contact Centres – for more information.
Can I record calls and still be PCI compliant?
What happens if I am not PCI DSS compliant?
What are the UK PCI DSS requirements?
Becoming compliant means taking measures regularly. No one size fits all – every organisation is set up differently and therefore needs to be assessed on an individual basis and depending on the kinds of security risks that the business faces.
How can I take payments at my contact centre and be PCI DSS compliant?
What are the different PCI compliance ‘levels’ and how are they determined?
There are four PCI compliance levels, which are determined by the number of transactions an organisation handles each year.
- Level 1: Merchants that process over 6 million card transactions annually.
- Level 2: Merchants that process 1 to 6 million transactions annually.
- Level 3: Merchants that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
I am a Level 1 Merchant, what do I have to do to achieve PCI DSS compliance?
What are the PCI DSS compliance checklists?
To become compliant there is a PCI checklist of 12 requirements, consisting of 258 controls, which must be implemented and the cost of this to a business can vary significantly. To many, the costs involved can be prohibitive but there is money to be saved by undertaking a programme of reducing the scope of the cardholder data environment (or de-scoping). The 12 high level requirements fall into the six categories below:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
The type of audit you must undergo, and your exact PCI DSS requirements will vary depending on your merchant or service provider level.
To truly understand the best practices for each of the 258 boxes that should be ticked takes a real specialist; however, addressing the key vulnerabilities, namely staff and the choice of third-party payments supplier, will result in large reductions in PCI DSS scope.
What is a PCI DSS policy template?
The PCI SSC publishes the latest details and documents on PCI DSS compliance on its website, including reference guides, policy templates and forms, and FAQs.
How can I demonstrate PCI DSS certification?
Merchants and service providers can demonstrate their compliance with the PCI DSS by completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard. The types of audit are:
- A RoC (Report on Compliance) completed by a PCI QSA (Qualified Security Assessor) organisation such as IT Governance or by an ISA (Internal Security Assessor).
- A Self-Assessment Questionnaire (SAQ) signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider requirements.
- An external vulnerability scan conducted by an ASV (Approved Scanning Vendor).
The type of audit you must undergo, and your exact PCI DSS compliance requirements will vary depending on your merchant or service provider level, based on the number of card transactions processed per year.
What is scoping and how often must it be carried out?
Scoping is an annual process and must occur prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.
What is de-scoping?
Can I just buy a PCI DSS compliant solution?
How should I select suppliers that are PCI compliant for my contact centre?
Do organisations using third-party service providers have to be PCI DSS compliant?
The amount of time and work required to demonstrate compliance can be dramatically reduced when working with a third-party payment solution provider. However, the responsibility for PCI compliance cannot be entirely removed. PCI DSS covers the entire trading environment, which means all third-party partners and vendors that handle card data on the merchant's behalf, or supply services through which card data is transmitted, must also comply before full PCI DSS compliance is achieved.
When a merchant uses a validated third party to capture the payment information from their own website, the actual process of data capture bypasses their systems. In this way, they need not hold client data in-house and thus alleviate some of the risk and obligations associated with PCI compliance.
One of the latest versions of PCI DSS introduced a new requirement for service providers to supply a “Responsibility Matrix” which defines who is responsible for each of the 300+ PCI controls; namely the client, the supplier or both.
How can I be assessed for PCI DSS Compliance?
Every organisation is set up differently and therefore needs to be assessed on an individual basis. What you’ll need to do to become compliant is dependent on the kinds of security risks that your business faces.
Many small- and medium-sized businesses can prove their compliance with PCI DSS by filling out a Self-Assessment Questionnaire (SAQ). You can also choose to have your payment environment assessed by an accredited Qualified Security Assessor, but this usually applies to larger organisations due to the costs and volume of transactions involved.
What is a Self-Assessment Questionnaire?
Known by the acronym SAQ, a Self-Assessment Questionnaire is a form that organisations must complete to confirm compliance with each applicable requirement of the PCI DSS.
A Self-Assessment Questionnaire (SAQ) is signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider requirements.
What about recurring payments (continuous authority payments)?
How does Tokenisation fit into PCI DSS compliance?
Some third-party payment solution providers (such as Encoded) have a tokenisation feature that enables cardholders to validate and amend stored cards when something goes wrong, avoiding fines, fees and interest charges by self-managing the details held on file.
How can my organisation/contact centre remain PCI DSS compliant?
Definitions
What is defined as ‘cardholder data’?
The PCI Security Standards Council (PCI SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) on its own, or the full PAN together with any of the following elements: cardholder name, expiration date, service code. Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
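Requirement 3 above (protect stored cardholder data) and the definition just given are enough to write a basic check for card data leaking into places it should not be, such as the agent notes and emails mentioned earlier. The following Python is an added example, not Encoded's code: it scans constructed sample lines for PANs (Luhn-validated so order references are not flagged) and labelled security codes, and redacts both, keeping only the last four PAN digits.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Sensitive Authentication Data written next to a label, as it appears in agent notes.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|security code)(\s*[:=]?\s*)(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check: every real PAN passes, so it filters out other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> tuple[list[str], str]:
    """Return the findings ("PAN", "SAD") in a line and a redacted copy of it."""
    findings: list[str] = []

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # a digit run that is not a card number, e.g. an order reference
        findings.append("PAN")
        return "*" * (len(digits) - 4) + digits[-4:]   # keep only the last four digits

    def _sad(m: re.Match) -> str:
        findings.append("SAD")
        return m.group(1) + m.group(2) + "***"   # keep the label, drop the code entirely

    redacted = SAD_RE.sub(_sad, PAN_RE.sub(_pan, line))
    return findings, redacted


if __name__ == "__main__":
    # Constructed sample lines; the card number is a well-known test number, not a real account.
    SAMPLE = [
        "agent note: customer card 4111 1111 1111 1111 exp 12/26 cvv 123",
        "order ref 1234567890123456 dispatched",
        "call duration 00:04:17 queue 3",
    ]
    for line in SAMPLE:
        found, clean = scan_line(line)
        print(found or "clean", "|", clean)
```

A security code must never be retained after authorisation, which is why the example drops it entirely rather than masking it like the PAN.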
What is the definition of ‘merchant’?
What is a Service Provider?
A Service Provider is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.
This also includes companies that provide services that control or could impact the security of cardholder data.
Examples include managed service providers that provide payment solutions, managed firewalls and other services, as well as hosting providers. (Source: PCI Security Standards).
There are two levels of service provider, Level 1 and Level 2. Level 1 service providers must pass a PCI DSS audit carried out by a Qualified Security Assessor (QSA). Level 2 service providers must evaluate themselves annually with the Self-Assessment Questionnaire, SAQ-D.
What is the difference between a Level 1 and Level 2 Service Provider?
Like merchants, service providers have different levels based on the volume of transactions they handle annually.
Level 1 Service Provider
These are service providers that store, process, or transmit more than 300,000 credit card transactions annually.
- PCI Requirements validated
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Penetration Test
- Internal Scan
- Attestation of Compliance (AOC) Form
Level 2 Service Provider
These are service providers that store, process, or transmit fewer than 300,000 credit card transactions annually.
- PCI Requirements validated
- Annual Self-Assessment Questionnaire (SAQ) D
- Quarterly network scan by an ASV
- Penetration Test
- Internal Scan
- AOC Form
Payment solutions for contact centres
Our suite of payment solutions for contact centres include Gateway Services, IVR, Agent Assisted Payments with Fraud Prevention Platform, eCommerce Payments and SMS PayByLink.
IVR Payments
Interactive Voice Response Payments (IVR Payments) is a method that allows callers to enter their card data via touch tones. This self-service process enables debit and credit card payments to be handled 24/7.
PayByLink
Agent Assisted Payments
eCommerce Payments
Gateway Services
Download our guides
Secure Contact Centre Payments brochure
What our customers say about us
“We needed to offer our members both fast and secure Payment Card Industry Data Security Standard (PCI DSS) compliant payment methods and advanced e-commerce capabilities using automated technology. Encoded had done their homework and cared about our members and our business, even suggesting additional creative ways to use Encoded technology. From the outset, it was clear they were exploring new ideas to help us work even smarter.”
Karen Coates, Chief Operations Officer, The Wine Society
“We handle hundreds of thousands of calls every year that demand a broad knowledge of financial and legal matters as well as general property maintenance issues. Encoded presented a sound proposal that promised to deliver round-the-clock efficiencies in a cost effective package. The final overall approach and sophisticated IVR technology proved to be the perfect answer to our business problems.”
Tracey McCabe, Head of Customer Service, First Port Property Management
“We decided to refresh the online experience in response to customer demand and changes in the industry. It was a moment of clarity – Encoded was already handling our secure payments with data being fed into our billing system. We needed to create a front-end link so that customers could access this information themselves, rather than relying on speaking to an agent every time they wanted to make a payment or a change to their account details.”
Business Optimisation Manager, Severn Trent Water
“One of the key reasons for choosing Encoded was to improve the team’s experience of managing large scale migrations from legacy payment systems. With Encoded’s in-depth knowledge of data security, PCI DSS compliance and the latest payment regulations, JT had confidence that the integration would be carried out within the project timescales and to budget.”
Tim Peach, Finance Operations Manager, Jersey Telecom
“From the outset, it was evident that Encoded grasped our requirements for an easy to deploy, fully transparent solution that could integrate seamlessly with our own IT systems. What is more, Encoded offered us a solid and highly scalable platform that promised to drive efficiencies whilst delivering the personal touch to those callers who needed it most.”
Collections and Recovery Department, One Savings Bank
“Along with the simplicity and highly configurable nature of Encoded’s solution, we were impressed by everyone’s professional, can-do attitude backed up by excellent support. Encoded offered a truly scalable solution that could grow with our business. In particular we trusted Encoded to support new ventures such as flexecash® which has already been adopted by a number of high street retailers.”
June Potts, Head of Customer Contact, Park Group
“Tens of thousands of calls relating to payment and meter reads are handled by sophisticated technology provided by Encoded. Encoded’s solutions have supported our business from day one, having been selected from a shortlist of four vendors for its ease of use, speedy implementation and cost-efficiency.”
Shell Energy
“Today, around 10% of all our sales are made using credit or debit card transactions. Our job is to make it easy for customers to pay for services swiftly and securely. Encoded listened carefully to our requirements, made sensible recommendations along the way and even adapted the technology to suit us. The whole experience ran smoothly and we were impressed by their level of knowledge and understanding of our business.”
Peter Doyle, Risk Manager, Health-on-line
Speak to the team
Contact us to discover how our secure payment solutions can free up your contact centre agents' time, allowing them to focus on customer service, more complex enquiries and revenue-generating activities.