
Look out for the payment card trap

Compliance with payment regulations can be expensive. Don’t let security become a protection racket, warns Graham Thompson

THE DIRECTOR of any business that accepts credit or debit card payments, from the manager of the local corner shop to the head of a 5,000-seat contact centre, needs to be aware of the regulations associated with the Payment Card Industry Data Security Standard, known in the business as PCI DSS.

PCI DSS regulations make sense. They are designed to prevent credit card fraud and they place restrictions on how card data is handled. At the most basic level they require anyone handling card data to make sure their systems are secure and to carry out regular checks on this. Guidelines instruct organisations about how card numbers must pass through a computer system, the conditions under which they are stored and which inspections are required to ensure that security measures are up to scratch.

The reality, however, is that compliance with PCI DSS regulations too often presents senior executives with an overwhelming flood of expensive demands, particularly where telephone payments are concerned. When agents are taking customer card numbers verbally, a whole range of issues arises. The agent must be prevented from writing down anything they hear, and wherever telephony and data systems and networks process card data, they have to meet all 286 stringent PCI controls.

These activities, however, are sometimes just the tip of the iceberg. The vigilant finance director should be aware that PCI DSS compliance can be synonymous with “opportunity” in the eyes of some department heads. For the IT department, the prospect of continuous checks on the entire IT infrastructure is likely to signal the possibility of increasing headcount, always a welcome prospect for a manager in the current economic times. For the Customer Service Director, PCI DSS compliance may finally provide the reason to upgrade the call recording system which was previously unjustifiable in terms of cost.

Attempting to seal every possible point of entry in a technologically complex contact centre is already like trying to cut the heads off a hydra; for every one you remove, another two appear. If the ongoing business of security checks and remedies is also becoming one of the principal activities of your IT team, you have still more problems.

The only way to become PCI DSS compliant without embroiling yourself in the myriad demands and costs is to remove the credit or debit card data from your company’s contact centre altogether. It is now possible to allow customers to enter their card details into a telephone handset without cutting them off from the call itself. These details can then be sent directly to the bank for verification without ever passing through the corporate IT or telephony network.

This approach has a threefold advantage. Firstly, no card data is held on your systems, thereby removing these systems from the scope of PCI regulations and at the same time, the need for all the checks and controls. Secondly, the person taking the call does not hear any of the card details, even via the sound of keypad tones. This avoids any risk of fraud from your own staff and means that you don’t have to subject them to strict security measures such as “clean rooms,” in which mobile devices and even pens and paper are forbidden. Finally, the fact that the voice call continues during the payment process means that your customer is far more likely to complete the transaction because they have a human on the end of the line to help them with any difficulties.
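The masked-keypad flow described above, as an added illustration that is not the article's or Semafone's code: a relay sits between the customer's handset and everything the agent side (the agent, the recorder, the corporate network) receives, buffers keyed digits, hands the complete number only to a gateway stub, and lets the agent hear a flat tone in place of each digit. The event names, the Luhn completion check, the gateway stub and the test card number are all constructed assumptions.

```python
from dataclasses import dataclass, field

TEST_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a real card

def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to tell when a complete card number has been keyed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def gateway_tokenise(pan: str) -> str:
    """Stand-in for the bank/PSP call; this is the only place the PAN ever goes."""
    return "tok_" + pan[-4:]  # constructed token format (last four digits only)

@dataclass
class MaskingRelay:
    capture: bool = False                            # set when the agent starts payment
    pan_buffer: str = ""                             # digits held outside the agent side
    agent_leg: list = field(default_factory=list)    # what the agent and recorder receive
    gateway_log: list = field(default_factory=list)  # what is sent to the gateway stub

    def on_event(self, kind: str, payload: str) -> None:
        if kind == "control" and payload == "start_capture":
            self.capture, self.pan_buffer = True, ""
            return
        if kind == "dtmf" and self.capture:
            # The digit goes to the buffer; the agent side only hears a flat tone.
            self.pan_buffer += payload
            self.agent_leg.append(("tone", "*"))
            if 13 <= len(self.pan_buffer) <= 19 and luhn_ok(self.pan_buffer):
                token = gateway_tokenise(self.pan_buffer)
                self.gateway_log.append(self.pan_buffer)
                self.pan_buffer, self.capture = "", False
                self.agent_leg.append(("status", f"card accepted, token {token}"))
            return
        # Speech, and DTMF outside capture mode (e.g. IVR menus), pass through unchanged.
        self.agent_leg.append((kind, payload))

def agent_side_text(relay: MaskingRelay) -> str:
    """Everything the agent, recorder or network would have seen, flattened."""
    return " ".join(payload for _, payload in relay.agent_leg)

def run_demo() -> MaskingRelay:
    relay = MaskingRelay()
    events = [("speech", "I'd like to pay by card"), ("control", "start_capture")]
    events += [("dtmf", d) for d in TEST_PAN]      # customer keys the number
    events += [("speech", "thanks, that's done")]  # voice call continues throughout
    for kind, payload in events:
        relay.on_event(kind, payload)
    return relay
```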

Don’t fall into the PCI trap. Be aware that the most complex solution may not be the best for you, and look for a simple way to avoid the cost and effort. Even if it means disappointing a few members of your senior team.

Graham Thompson, Semafone
