PCI Compliance: Wise up on PCI DSS and Save a Fortune
Every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS (Payment Card Industry Data Security Standard) compliant. However, the process of becoming and staying compliant can be hugely expensive, and the interpretation of the 258 controls often leads to confusion and conflicting advice from PCI Qualified Security Assessors (QSAs).
The answer is to wise up on what compliance really means and where the responsibilities lie. PCI DSS covers a great many areas and touches almost every aspect of an organisation’s operations. Compliance in the contact centre should address risk and be achievable for a sensible and realistic cost. Truly understanding the best practice for each of the 258 boxes that should be ticked takes a real specialist; however, addressing the key vulnerabilities, namely staff and the choice of third-party payments supplier, will produce large reductions in both PCI DSS scope and the price of securing your customers’ valuable information.
There is no such thing as a PCI DSS compliant solution
Get smarter – choose the right payment solution
Continuous authority payments (also known as recurring payments) can help to reduce the scope and cost of PCI DSS compliance audits. Once an initial transaction is verified, the card used becomes trusted and repeat uses do not require the details to be taken again. On average, 40% of customers will opt to have their card details stored for future use. However, funds may not always be available on the stored card, so payments can be declined. Some suppliers, such as Encoded, offer a tokenisation feature that lets cardholders validate and amend stored cards when something goes wrong, avoiding fines, fees and interest charges by self-managing the details held on file.
Tokenisation, recurring and stored-card payment solutions mean that organisations with contact centres can vastly reduce the scope of their PCI DSS audits. Tokens can only be used through the specific payment gateway that issued them, so if a token is stolen or written down it is completely useless to anyone outside the payment environment.
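The following Python sketch is an added illustration of the scope-reduction argument above; it is not Encoded's product or any supplier's code. It assumes a `TokenVault` class standing in for the payment provider's vault, gateway identifiers such as `gateway-a`, and the widely published Visa test number `4111111111111111` as a constructed sample card. The point it demonstrates is that the token handed back to the contact centre is random rather than derived from the card number, that the agent-facing record holds only the token and last four digits, and that a token presented to a different gateway is refused before any card data is touched.

```python
"""Toy tokenisation vault: shows why a stolen or written-down token is useless
outside the payment environment. Added example; the vault and gateway names
are assumptions, not any supplier's product."""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation so obviously mistyped PANs are never stored.
    Returns False for anything that is not purely 12+ digits."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Lives inside the payment provider's PCI DSS scope. Only this object ever
    holds a full PAN; the contact centre only ever sees tokens."""
    gateway_id: str
    _store: dict = field(default_factory=dict)

    def tokenise(self, pan: str) -> dict:
        """Store the PAN and return the record an agent application may keep."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # The token is random, not derived from the PAN: no computation on the
        # token recovers the card; only this vault can map it back.
        token = f"{self.gateway_id}:{secrets.token_urlsafe(24)}"
        self._store[token] = pan
        # The agent-facing record carries only what is needed to confirm the
        # card with the caller, so the agent desktop stays out of PCI scope.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_pence: int) -> str:
        """Take a repeat payment against a stored card using only its token."""
        # A token issued by another gateway is rejected before the vault is
        # consulted at all; this is the "only through specific gateways" rule.
        issuer = token.split(":", 1)[0]
        if issuer != self.gateway_id:
            return "declined: token not valid for this gateway"
        pan = self._store.get(token)
        if pan is None:
            return "declined: unknown token"
        # Real code would submit pan + amount to the acquirer here.
        return f"approved: {amount_pence} pence on card ending {pan[-4:]}"


if __name__ == "__main__":
    vault = TokenVault("gateway-a")
    record = vault.tokenise("4111111111111111")   # constructed test PAN
    print(record)                                  # token + last4 only
    print(vault.charge(record["token"], 1250))
    print(TokenVault("gateway-b").charge(record["token"], 1250))
```

Run as a script it prints the agent-facing record, an approved recurring charge on the issuing gateway, and a decline when the same token is presented to a second gateway. In a real deployment the vault sits with the payment provider; the contact centre's systems see only the `token` and `last4` fields, which is exactly what keeps them outside the audit scope.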