PCI DSS and payments in your contact centre

PCI or Payment Card Industry is an acronym associated with the highest levels of security for managing financial transactions in a contact centre.

What does PCI mean for your business and how can you accomplish compliance?  More importantly do you need to as there are providers who can help!

This article is targeted at contact centre managers with no technical background but who need to understand the requirements.

  • PCI helps not hinders
  • Financials
  • Technically tricky
  • Wrap up

[read more=”Read more” less=”Read less”]

PCI DSS helps not hinders

Why do you need PCI DSS?

Firstly the term PCI is often used synonymously with  PCI DSS. Payment Card Industry Data Security Standard (PCI DSS).

If you facilitate customers paying bills or buying products using their credit card then PCI DSS compliance applies to your business.

For IT managers and those who seek to ensure the highest levels of security for the provision of your service PCI DSS provides great guidelines to follow.

So what’s involved in this standard?  What needs to be secured?

 

 

Security

Security is more about managing risk that it is about building a perfectly secure system.  Every system can be broken.  How much damage occurs when that happens is the risk?

The challenge of data security extends through every business not just contact centres.

However if your business deals with managing financial transactions, i.e. taking and making financial contacts then suddenly security is very much to the forefront of discussions.

 

The primary concern stems from credit cards.  When criminals steal your details the credit card company covers the amount stolen.

In the US, federal law limits the liability of card holders to $50 in the event of theft of the actual credit card, regardless of the amount charged on the card, if reported within 60 days of receiving the statement.  Wikipedia

So credit card companies in 2006 wanted to do everything in their power to limit their risk.  For them to limit their risk they state that you as the merchant must follow their security rules in order to use their service.  The most widely known brands are Visa, MasterCard, American Express, Discover and JCB which came together to form the PCI council.

This council passed the Payment Card Industry Data Security Standard (PCI DSS) as a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

 

Scope

Scope is a key word in risk.  Some things in life are just out of your control.

Events and situations which can’t be controlled or have no bearing on risk are “out of scope”.

If it’s out of scope there’s nothing you can do about it, so there is no point worrying about it or spending time on it at the moment.

 

Requirements

Just handing out the PCI standard doesn’t happen.  A business must invest in ongoing work and security reviews.

The original single PCI standard was far above what some operators could afford to implement.  As a result of encouraging better adoption the PCI Council divided the standard into 4 merchant levels again based on risk.

  • The top tier, Level 1 considers where a business processes more than 6 million transactions per year.
  • Level 2 is for 1 to 6 million transactions.
  • 20,000 to 1 million for level three and level 4 everything below.

Businesses suffering a breach consequently risk forcing a higher validation level on themselves.

Compliance allows you process credit cards when you sell your products or services.

 

 

 

Variations on a theme

There are other security standards besides PCI as a result even if you don’t have payment cards to process putting good security in place is sensible.

ISO 27001 is a data security standard with ISO 27002 being a risk standard.  Frameworks such as ITIL and COBIT also review monitoring and management of computer systems.

GDPR or the General Data Protection Regulation of Europe specifies the retention of personal information only for approved purposes.

What all of these standards, laws and regulations have in common is that they require you to consider the security of your data and your systems to minimise risk.

 

Financials

The two primary scenarios

Scenario 1 a customer wants to buy something in a once off fashion, a one-off payment.

The customer redirects to a secure website or handed a secure terminal.  They enter their details and job done.

The person enters their details, they’re processed and then removed from the system.

 

The complication arises in scenario 2, recurring payments.  You log into your favourite website and the company wants to make it easy to buy many products over time.

They keep your credit card details on file so that when you decide to “check out” you don’t have to repeatedly type in your details.

This practice encourages shoppers to buy more and facilitates the payment of regular  by credit card.

In scenario 2 there is definitely more data storage and as a result compliance is a lot harder.

 

Making it someone else’s problem

ApplePay, GooglePay, PayPal are all in the market of storing your details and enabling you to have electronic purchases with the minimum of hassle.

Companies such as Global Payments can provide you a secure online payment portal for your business to process your customer’s payments.

Realex Payments started in Ireland in 2000 and in 2015 were bought by Global Payments in a €115m deal.

Their service means you don’t have to sort out PCI compliance as they take that headache on and provide you easy to use interfaces.

 

 

Building your own Fort Knox

Fort Knox  is an army post adjacent to the US Bullion Depository, home of the American gold reserve and is widely reputed to be one of the most secure places on Earth.

 

When meeting PCI compliance standards it can feel like you’re trying to attain the same level of building security.

Recurring payments as a business process leave you with two approaches.

Option 1.  You can store the credit card details yourself and interact with a payment provider in one-off payment style.  This requires you to fully meet the standard.

Option 2.  More recently payment solution providers like Global Payments offer wallets.  You don’t keep the details yourself. Global Payments keep the details securely for you.  As you need you ask Global to process the payment for you.  This can massively reduce the security overheads on your business.

 

Technically tricky

Data Systems

The data systems part is relatively simple.  Predominantly because “tried and tested” is the motto.

Most data storage involves redirection to secure webpage.  So the data system, like bxp software, integrate Global Payments into the operational processes.

An agent or the customer enter and process details on this secure page.  What returns is an authorisation code.

 

So the process is:

  • Send a unique reference code which identifies the transaction and the amount to charge to a secure processing solution
  • Processing solution takes the details and performs the payment
  • The processing system generates an authorisation code
  • The whole process bounces back to your data system now with an authorisation code so you know it worked.

You are not keeping any credit card details on your system, just the auth code and the unique reference.

 

The biggest challenge is the phone

Consideration

Your computer system does not store payment card details anywhere.

However there is still the interaction between your agent and the customer.

Most contact centres record phone calls for quality and training purposes as a result the call recording itself is a risk.

Mishandled or abused call recordings and customer interactions lead to breaches.

 

A clean-room

In science a clean-room has little to no dust in the air that could affect the science.  In contact centres a clean-room is a data secure room.

You can ban pens and paper in the contact centre and also hope that agents don’t have photographic memories but really these are still weaknesses.

Creating and maintaining “clean rooms” is exceptionally challenging and operationally expensive.

Getting people to part with USB keys, mobile phones and treating the centre like an extension of a government facility can affect staff morale.

The ideal scenario is that your agent stops chatting to the customer altogether and the customer only chats to secure systems.  Ideal but how do you do that?

 

Smart phone technology

Smart phone systems offer easy to use technical solutions.  Solutions like ones from Ultracomms uses DTMF “dual tone multi frequency” masking. 

  • The customer types the card numbers into their phone keypad.
  • When you press a number on the keypad it makes a unique sound which is how the number is sent.
  • Smart phone systems play the same tone to the agent even though the numbers change to further secure the process.
  • The system takes the numbers dialed in and sends them straight to the payment provider

 

This approach cuts out the agent consequently they don’t have access to the data.

As the data never reaches the agent, so the entire contact centre’s operations become out of scope and are not subject to the same security rigor.

So you don’t need to have super secure contact centre and yet still meet the demands of PCI compliance.

 

Wrap up

Getting help

Getting support in an area like this requires a broad range of skills and experience.

There are some really good technical teams working in Ireland in 2018 who can save you a lot of headaches.

Andrew Yoakley Nick Wheeler David Cooke
Andrew Yoakley of Global Payments (formerly Realex Payments) and his team cover all your payment processing needs. Nick Wheeler and the bxp team implement solutions for contact centres that in combination with Global Payments and Ultracomms deliver PCI compliant solutions. David Cooke of Ultracomms knows all about PCI phone solutions.

It doesn’t hurt to chat.  Especially to people who’ve “been there done that”.

 

If there’s anything in this article you’d like to chat to me about you can contact me here or on social media.

[/read]

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.