PCI DSS: what’s the right compliance path for your business?

The Payment Card Industry Data Security Standard (PCI DSS) sets out clear guidelines for merchants regarding the protection of sensitive customer payment data. However, for those entering the world of PCI DSS for the first time, achieving and maintaining compliance can seem like a daunting prospect.

But what many don’t realise is that there are numerous different paths to compliance, catering for businesses of all shapes and sizes, as Tom Harwood, Co-Founder and CPO of Aeriandi, explains.

PCI DSS is an acronym all businesses that take customer card payments should be familiar with. Created in 2004 by the major global payment brands (VISA, American Express, MasterCard etc.) as a way of standardising how customer payment card data is protected, PCI DSS is a security benchmark against which all merchants should measure themselves.


However, achieving compliance isn’t always straightforward, and to newcomers it can seem like a long and difficult road. The standard has been through numerous iterations over the last ten years, and the latest major version, PCI DSS 3.0 (released in November 2013), consists of 12 core requirements that must be achieved and maintained by any business wishing to be considered fully compliant.

Businesses that take security seriously will not be starting from scratch

The 12 requirements of PCI DSS may sound like a lot, but any business that takes the security of customer payment data as seriously as it should be will likely already be ticking many of these 12 boxes.

Those such as Requirement 2: ‘Do not use vendor supplied default security passwords’, or Requirement 5: ‘Protect all systems against malware and regularly update anti-virus software or programs’, are less about complex data security and more about good business sense.

This highlights one of the key things to remember about PCI DSS compliance: it’s not about bureaucracy, it is about the safety of highly sensitive customer payment data. If every business was nailing it already, PCI DSS would quickly become redundant, but they aren’t.

Data breaches still regularly fill the newspaper headlines, providing a stark reminder that for many, data security is still not a top priority.

Any business that isn’t doing its utmost to keep customer payment data safe is on a slippery slope. Although fines for data breaches can motivate businesses to take data security more seriously, what really should be motivating them is the reputational damage that is almost guaranteed to ensue following a major data breach.

Often, this can have far greater ramifications than any kind of initial monetary loss through fines.

As such, irrespective of PCI DSS compliance, businesses should always be doing their utmost to ensure data security. If done correctly, chances are PCI DSS compliance will be achieved as a by-product of a comprehensive data security strategy. 

Securing the call centre should be a major focus

PCI DSS covers all forms of payment collection, processing and storage, and one of the biggest hurdles comes at the ‘collection’ part of this. This is because call centres used by many companies to handle the large volume of telephone payments they deal with are one of the hardest environments to secure.

Not only are they noisy and chaotic, but staff turnover can be high and security practices regularly fall by the wayside in favour of fast call handling times. As such, any business looking to achieve PCI compliance should place major emphasis on securing this environment first and foremost.

But what’s the best approach?

One of the best and fastest ways to deal with the call centre security conundrum is to remove it from PCI DSS scope by preventing sensitive data from ever entering it in the first place. If it’s never there, it can’t be breached or stolen, so the risk to the security of the data is immediately minimised.

There are various ways to do this, ranging from rudimentary pause/record solutions, through to more comprehensive secure payment platforms. Pause/record is a simple solution that allows contact centre agents to manually pause a call recording at the moment a customer payment is being made, and resume it again once complete.

However, whilst ‘ticking the compliance box’, this kind of solution is manually intensive, open to human error and does not guard against the insider threat. Contact centre agents often forget to either pause before the payment or resume again afterwards, resulting in an incomplete (and therefore non-compliant) call recording.

Furthermore, there is nothing to stop them writing the information down manually when it is given, even if the recording has been paused. A more effective alternative is to use a secure telephone payment platform that prevents sensitive data from ever entering the business.

At the point of payment, customer calls are rerouted via the secure platform to a PCI DSS compliant third party service. The customer then keys in payment details via their telephone keypad. The agent remains connected to the customer throughout the process but plays no part in the payment itself, removing the risk of human error and helping to protect against insider fraud.


This type of solution lifts the burden of storing and protecting confidential customer data from the business by outsourcing the payment processing to a secure and compliant third party. Doing so removes all PCI obligations related to phone payments from the original business, barring Requirement 12 – ‘Maintain a policy that addresses information security’.
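The two failure modes described above (an agent who pauses the recording but never resumes it, and an agent who forgets to pause so the card number lands in the recording) are things a compliance team can check for rather than take on trust. The following is an added example, not code from the original article or from Aeriandi: it audits a constructed call-recording event log plus the captured transcripts, flagging recordings that are incomplete and recordings that contain a Luhn-valid primary account number (PAN). The key=value log format, field names, call ids and the `[DTMF masked]` marker are all assumptions made for the example; the card number is the well-known Visa test PAN, not a real card.

```python
import re

# Constructed sample event log from a hypothetical call-recording platform.
# The key=value format, field names and call ids are assumptions for this
# example, not any real vendor's log format.
SAMPLE_EVENTS = """\
call=C1001 ts=10:00:00 event=start
call=C1001 ts=10:02:10 event=pause
call=C1001 ts=10:03:05 event=resume
call=C1001 ts=10:05:00 event=end
call=C1002 ts=10:10:00 event=start
call=C1002 ts=10:12:30 event=pause
call=C1002 ts=10:16:00 event=end
call=C1003 ts=10:20:00 event=start
call=C1003 ts=10:25:00 event=end
call=C1004 ts=10:30:00 event=start
call=C1004 ts=10:31:00 event=handoff target=secure-ivr
call=C1004 ts=10:33:00 event=return
call=C1004 ts=10:35:00 event=end
"""

# Constructed transcripts of what the recorder actually captured per call.
# The card number used is the well-known Visa test PAN, not a real card.
SAMPLE_TRANSCRIPTS = {
    # pause/record used correctly: payment not captured; order ref is not a PAN
    "C1001": "Agent: that's gone through, your order reference is 1234567890123456.",
    # agent paused but never resumed: the rest of the call is missing
    "C1002": "Agent: I'll just pause the recording while you read the card out.",
    # agent forgot to pause: the card number landed in the recording
    "C1003": "Customer: the long number is 4111 1111 1111 1111, expiry next year.",
    # secure platform: agent stays on the line, digits keyed to the IVR, never recorded
    "C1004": "Agent: transferring you to the secure line now. [DTMF masked] Agent: all done, thanks.",
}

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in text, as digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def parse_events(text: str) -> dict:
    """Group event names per call id, in log order."""
    calls = {}
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        calls.setdefault(fields["call"], []).append(fields["event"])
    return calls


def audit_recordings(events_text: str, transcripts: dict) -> dict:
    """Map each call id to a list of compliance issues (empty list means clean).

    Two failure modes are checked: a pause that is never resumed (incomplete
    recording) and card data that reached the recording anyway. Only the last
    four digits of a detected PAN are reported, so the audit output itself
    never contains a full card number.
    """
    results = {}
    for call, events in parse_events(events_text).items():
        issues = []
        paused = False
        for ev in events:
            if ev == "pause":
                paused = True
            elif ev == "resume":
                paused = False
        if paused:
            issues.append("pause-without-resume")
        for pan in find_pans(transcripts.get(call, "")):
            issues.append("pan-in-recording ending " + pan[-4:])
        results[call] = issues
    return results


if __name__ == "__main__":
    for call, issues in audit_recordings(SAMPLE_EVENTS, SAMPLE_TRANSCRIPTS).items():
        print(call, "clean" if not issues else "; ".join(issues))
```

Run against the sample data, C1001 and C1004 come back clean, C1002 is flagged as incomplete and C1003 as containing a card number. The Luhn check matters: the 16-digit order reference in C1001 is not flagged, which keeps the audit from drowning analysts in false positives, while the audit never writes a full PAN to its own output. The same two checks illustrate why the secure-platform route is simpler to evidence: for C1004 there is no pause to forget and no digits to scrub, because the card data never reached the recorder.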

Although achieving PCI compliance may not seem simple at the outset, it is crucial to remember what it is all about: keeping valuable customer data safe. There are many operational aspects of a business that should be examined when considering compliance, but the call centre is generally a very good place to start.

If dealt with effectively, securing this one area alone will bring the company as a whole a large step closer to compliance, and to securing the long-term reputation of your business.

Matthew Bryars, CEO, Aeriandi


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
