6 Keys to PCI Compliance in the Contact Center

The contact center is a rich source of valuable data and insight, documenting the voice of the customer through transaction histories, comments, compliments, and complaints. Unfortunately, that same data is an attractive prize for criminals, who have used brute force, social engineering, and internet-facing attacks to exploit vulnerabilities and steal sensitive financial information.

Financial data security standards handed down by the card brands, and enforced through acquirers and processors, have turned a keen eye on the contact center. All interaction channels (call, chat, email, video, etc.) that dutifully store the verbatim details of payment card transactions represent a potentially rich vein of account information for thieves, and the payment card industry has responded in clear terms: retaining sensitive authentication data after authorization, even in encrypted form, is expressly forbidden by the Payment Card Industry Data Security Standard (PCI DSS).

What is PCI Compliance?

When the credit card industry moved into the digital space, it quickly realized the need to protect itself from digital fraud. Merchants and those responsible for handling card data needed to protect it in the same way they would protect physical currency.

Card handlers knew they had to protect the data, but they didn't necessarily know how. The major card brands had a vested interest in helping companies protect it, and so each developed its own internal information security program. Those disparate programs were later united under one umbrella standard, and the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, was born.

Simply put, PCI DSS is a set of security requirements designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Any organization, regardless of size, that stores, processes or transmits cardholder data, whether it takes payment in person, online, over the phone, or via mail order, is responsible for maintaining PCI DSS compliance.

Sounds simple enough, right?  But PCI compliance can pose a major challenge to organizations if they're not equipped with the proper knowledge and tools.

The Importance of PCI Compliance

Although the PCI Security Standards Council itself does not enforce compliance with its rules, the card brands and the acquiring banks that contract with merchants expect and require that PCI standards be followed, and can impose fines or withdraw card acceptance. The card networks are not pulling punches. One even actively solicits businesses to inform on their non-compliant vendors and trading partners. In short, if your company is not in compliance with PCI-issued rules, you risk being cut off from the world's most popular consumer and small business payment brands. That is an intolerable risk in any industry, in any economy.

Call center PCI Compliance

Protecting customer data requires more than simply omitting sensitive data from a permanent record. A qualified contact center compliance partner will provide the tools and insight to guide a complete evaluation of the infrastructure involved in the transaction process. Security audits of both the network and the individual payment processing applications are just as important as the security of the interaction recording system itself.

Let's take a look at the 6 control objectives of the PCI DSS and the requirements that sit under each:

  1. Build and Maintain a Secure Network and Systems

    A. Install and maintain a firewall configuration to protect cardholder data

    B. Do not use vendor-supplied defaults for system passwords and other security parameters

  2. Protect Cardholder Data

    Cardholder data should NOT be stored unless it is necessary to meet the needs of the business, and where it is stored the primary account number (PAN) must be rendered unreadable, for example by strong encryption, truncation or tokenization. Note that Sensitive Authentication Data (the full magnetic stripe or chip data, the card verification code such as CVV2/CVC2/CID, and PINs or PIN blocks) may NOT be stored after authorization, even if encrypted.

    A. Protect stored cardholder data

    B. Encrypt transmission of cardholder data across open, public networks, using strong cryptography (e.g. TLS 1.2 or later)

  3. Maintain a Vulnerability Management Program

    A. Use and regularly update anti-virus software or programs

    B. Develop and maintain secure systems and applications

  4. Implement Strong Access Control Measures

    A. Restrict access to cardholder data by business need-to-know

    B. Identify and authenticate access to system components (e.g. with multi-factor authentication)

    C. Restrict physical access to cardholder data

  5. Regularly Monitor and Test Networks

    A. Track and monitor all access to network resources and cardholder data

    B. Regularly test security systems and processes

  6. Maintain an Information Security Policy

    A. Maintain a policy that addresses information security for all personnel, including contractors
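The "Protect Cardholder Data" requirement above is the one a recording or transcription system most easily breaks: a chat log or voice transcript that captured a card number and a CVV now holds cardholder data and sensitive authentication data. The following Python is an added example, not code from this article or from any vendor product, of the check a practitioner would run over a stored interaction before it is retained: PAN candidates are confirmed with the Luhn check so that order or phone numbers are left alone, confirmed PANs are masked to the first six and last four digits that PCI DSS permits to be displayed, and any sensitive authentication data (a card verification code, or full track data) is removed and causes the record to be flagged as not storable. The keyword patterns used to spot a spoken or typed CVV and the sample transcript are constructed assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data as it tends to appear in a transcript.
# The keyword list is an assumption of this example, not something the
# standard defines: a CVV/CVC-style keyword followed within a few words by
# 3-4 digits that are not the start of a longer (card) number.
CVV_PATTERN = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,30}?(?<!\d)(\d{3,4})(?![ -]?\d)",
    re.IGNORECASE,
)
# Full magnetic-stripe track 1 / track 2 data, which must never be retained.
TRACK_PATTERN = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d{4}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class ScanResult:
    text: str                                    # transcript after masking/removal
    pans_masked: int = 0
    sad_found: list = field(default_factory=list)  # kinds only, never the values

    @property
    def storable(self) -> bool:
        # A record that captured SAD is quarantined rather than stored, even
        # after redaction: the capture itself is the control failure to fix.
        return not self.sad_found


def scan_interaction(text: str) -> ScanResult:
    result = ScanResult(text=text)

    # 1. Remove sensitive authentication data first, while any PAN inside
    #    track data is still intact and the track pattern can match it.
    for kind, pattern in (("track_data", TRACK_PATTERN), ("cvv", CVV_PATTERN)):
        def _redact(m: re.Match, kind=kind) -> str:
            result.sad_found.append(kind)
            if m.lastindex:  # CVV: drop only the digits, keep the dialogue
                return m.group(0)[: m.start(1) - m.start(0)] + "[SAD REMOVED]"
            return "[SAD REMOVED]"
        result.text = pattern.sub(_redact, result.text)

    # 2. Mask Luhn-valid PANs; non-card digit strings are left untouched.
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        result.pans_masked += 1
        return mask_pan(digits)

    result.text = PAN_CANDIDATE.sub(_mask, result.text)
    return result


# Constructed sample transcript; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I take the card number, please?\n"
    "Customer: Sure, it's 4111 1111 1111 1111, expiring 12/26.\n"
    "Agent: And the CVV on the back?\n"
    "Customer: It's 123.\n"
    "Agent: Thank you. Your order reference is 1234567890123."
)

if __name__ == "__main__":
    r = scan_interaction(SAMPLE_TRANSCRIPT)
    print(r.text)
    print(f"PANs masked: {r.pans_masked}, SAD kinds found: {r.sad_found}, storable: {r.storable}")
```

Run as a script it prints the transcript with the card number shown as 411111******1111, the CVV replaced by a marker and the 13-digit order reference untouched, and reports the record as not storable because a CVV was captured. In a real deployment the interesting output is the flag, not the redaction: every flagged record is evidence that the pause-and-resume or call-flow control upstream failed, and that is what gets investigated.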

NICE Compliance Center Makes PCI Compliance Easy

The Compliance Center is a unique end-to-end compliance solution that assures interactions are recorded, stored, and accessible in adherence with specific regulatory requirements and according to the best practices and policies defined by each organization. The solution leverages automation and analytics for PCI DSS compliance:

  • Agents can receive real-time notifications from the recording-on-demand system, or rely on automated triggers and manual commands to pause and resume recording, so that sensitive data such as the card number and verification code is never captured
  • The IT team can monitor the system's handling of sensitive data, cardholder data, and encryption
  • Compliance officers benefit from mission-critical mechanisms for policy definition, management and approval

Thanks to its "Assurance Dashboards" application, the PCI DSS Compliance Center solution offers actionable insights that enable detection of any interaction in violation of the standard.

The "Policy Manager", the second pillar of the Compliance Center, is a mission-critical application that lets users define policies for extraction in case of audits, as well as other common policies such as playback lock, litigation hold, or deletion. Policies can be applied to large sets of interactions or to very specific ones to accommodate any use case. With dedicated workflows for approval processes and predefined wizards for policy definition and interaction retrieval, all compliance policies can be managed from a centralized hub.