In an increasingly competitive marketplace, contact centre outsourcers are always looking to differentiate; PCI DSS potentially offers a mechanism to achieve this.
Introduction
Over the past few years I’ve worked with a number of organisations that provide contact centre outsourcing solutions to their clients, and there is often a discussion about how to deliver a PCI compliant solution to those clients.
In today’s competitive market, as a contact centre outsourcer your ability to protect your customers’ brand is a key differentiator. If your business takes payments over the phone on behalf of customers, you are no doubt concerned about the risk of payment fraud, as well as having the headache of PCI DSS compliance to contend with. You also have to balance the protection of your clients’ brand with controlling cost to ensure you remain competitive.
While many firms have taken steps to protect sensitive data in the bricks and mortar and online environments, the telephone remains a vulnerable contact point for potential security breaches, which could damage your clients’ brand along with your own.
However, I believe you should see this as an opportunity. The very fact that it’s a complex area is in itself an opportunity for any organisation that can demonstrate its ability to deliver a solution.
One possible approach
The aim should be to remove the contact centre from scope and secure what remains, reducing the cost of gaining or maintaining compliance, protecting your clients’ brand and giving you competitive advantage.
It should be fairly simple to remove as much as possible of the contact centre from the scope of PCI DSS – typically I find it is possible to reduce the impact by around 75%, and in some cases to remove the contact centre from scope entirely.
This is done by separating the voice and credit card transaction paths while maintaining constant verbal communication between agent and customer.
It is entirely possible to create an environment which shields all cardholder data from agents, call recording and screen recording platforms. Agents would not see or hear sensitive card data, call recordings would not capture either the PAN or the CVC, and screen recordings would only capture asterisks and the last four digits of the PAN. This approach removes the physical contact centre, PCs, servers and the network from the scope of PCI DSS.
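A control like this is only worth the claim if you can check it holds. The following Python scan is an added example (not code from the original post or from Celuis): it sweeps constructed transcript and screen-log lines for Luhn-valid digit runs that look like an unmasked PAN, and reports any hit with only the last four digits exposed, so the report itself does not re-introduce cardholder data into scope. The record sources and sample text are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check used by payment card numbers; filters out order refs etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Return the PAN with everything but the last four digits replaced by *."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text):
    """All Luhn-valid 13-19 digit runs in a piece of text (digits only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records):
    """(source, masked PAN) for every record that leaked a full PAN."""
    return [(rec["source"], mask_pan(pan))
            for rec in records
            for pan in find_unmasked_pans(rec["text"])]


# Constructed sample records; the two PANs are well-known test numbers.
SAMPLE_RECORDS = [
    {"source": "call-transcript", "text": "caller read out 4111 1111 1111 1111"},
    {"source": "screen-recording-ocr", "text": "PAN field shows ************1111"},
    {"source": "crm-notes", "text": "order reference 1234567890123456 confirmed"},
    {"source": "agent-notes", "text": "customer gave 5555-5555-5555-4444 by email"},
]

if __name__ == "__main__":
    for source, masked in scan_records(SAMPLE_RECORDS):
        print(f"unmasked PAN in {source}: {masked}")
```

The masked screen-recording line and the non-Luhn order reference produce no findings; only the transcript and the agent notes are flagged.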
With some forethought and careful planning, a solution can be deployed in such a way that it can be charged out on a per-client basis, giving both competitive advantage and an incremental revenue stream.
One such example and solution can be found here.
In summary
- Remove as much of the infrastructure from scope as possible
- Work out what remains within the scope of PCI DSS and then put in place technologies and controls to mitigate the risk
- Finally, implement technologies that will ensure your systems remain secure and that you can prove “everything has been done”. Simply put, protect yourself from being fined in the unlikely event of a security breach.
This will
- Reduce the cost of gaining or maintaining compliance
- Create competitive advantage
- Introduce an additional revenue stream through the per-client deployment model
I hope you found this information useful; if you have any questions, drop me a line at matt.keen@celuis.com
About the author
Matt Keen is a published information security expert specialising in compliance and specifically PCI DSS. As a Director of Celuis Network Systems, one of the world’s leading specialists in the field, he spends his days working with companies on their security and compliance requirements and his evenings trying to become a better cyclist! For more information please visit www.celuis.com or Matt Keen’s Brandyourself.com profile. Please contact Matt at matt.keen@celuis.com if you have any questions.
Tue, Aug 28, 2012, by mattkeen
Security