Achieving PCI Compliance Without Compromising Operational Efficiencies by Geoff Forsyth, CISO at PCI Pal

For any company that handles card-not-present (CNP) payments – no matter what the size or type of organisation – achieving and maintaining PCI compliance needs to be considered at all times. Failure to comply with the requirements of PCI DSS not only leaves security vulnerabilities in place but can also incur financial penalties.

No one wants a reputation-damaging data breach on their hands – particularly if sensitive payment data has not been handled in the most secure way – so it’s important to take steps to ensure year-round compliance is achieved.

This is all well and good; however, achieving this without impacting operational efficiencies or the customer’s overall experience is paramount, and it can prove a tricky balancing act for some!

Firstly, what does PCI Compliance look like?

The Payment Card Industry Data Security Standard (PCI DSS) was originally set up by Visa, MasterCard, American Express, Discover and JCB to help organisations that take card payments reduce the risk of fraud.

PCI DSS is now regulated by the Payment Card Industry Security Standards Council (PCI SSC) and is made up of a set of 12 mandatory requirements – these are all designed to protect data that is processed, transmitted and stored during manual or electronic payment transactions.

Any organisation operating a contact centre that takes card payments from customers over the phone, SMS, IVR or via digital channels is responsible for keeping that data as secure as possible. Adhering to PCI DSS guidelines should therefore be a priority if organisations are to thrive amid the countless external threats to customers’ personal data.

Is seamless PCI compliance possible?

While organisations need to focus on security and compliance, it must not be at the expense of providing a quality experience and a seamless customer journey. After all, studies have shown that customer experience is becoming one of the main drivers behind brand loyalty and repeat purchases. Customers who feel they have experienced a positive service are more likely to return, refer or even pay a premium in the future.

In today’s world, where competitors are just a click away, providing a seamless service via all customer engagement channels is a must, and adherence to regulations such as PCI DSS should not detract from this.

A good starting point is to map out the existing customer and agent journey. How quickly are customers resolving their queries? How long does a typical transaction take? How satisfied are customers with the outcome of their interactions with your organisation? What would your customers change about your service? How high is your abandonment rate?

Making contact centre agents’ processes simpler improves the customer journey tenfold – the quicker and easier agents can access information, the less time customers are kept waiting.

A recent Verizon whitepaper examined the challenges contact centres face in achieving sustainable PCI DSS compliance. It reported that 60 percent of organisations are still using inefficient ‘pause-and-resume’ technologies to avoid storing sensitive data in phone call recordings.

Instead, consider switching to Dual Tone Multi Frequency (DTMF) masking technology. It prevents agents from being exposed to sensitive payment card data, because customers input their payment details using their telephone’s keypad and the keypad tones are masked before they reach the agent or the call recording. This prevents card data from being shared verbally and also means calls don’t need to be routed to a separate payment card system.

Agents can instead continue speaking with the customer while the payment is made, improving overall efficiency and drastically reducing the scope of PCI compliance, since the card data never enters the agent’s desktop, the call recording or the contact centre’s telephony environment.
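To make the scope-reduction point concrete, the following is an added example written for this article; it is not PCI Pal’s product code and does not model any real telephony stack. It treats a call as a list of speech and keypad events (a constructed sample using the well-known 4111… test card number), splits the keypad digits off onto a separate "payment leg" while the agent and recorder leg only ever receives a flat tone, and then runs a simple Luhn-checked card-number search over the transcript of each leg to show that the unmasked recording is in scope and the masked one is not. The event tuple format, the `#` field terminator and the `[tone]` placeholder are assumptions made for the example.

```python
"""Toy model of DTMF masking on a payment call (added example, not PCI Pal's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample call. Each event is a tuple:
#   ("speech", speaker, text)  -- spoken audio on the line
#   ("dtmf", key)              -- a key press on the customer's keypad ('#' ends a field)
# The card number is the well-known test PAN, not a real card.
SAMPLE_CALL = [
    ("speech", "agent", "Please key in your card number, then press hash."),
    *[("dtmf", k) for k in "4111111111111111#"],
    ("speech", "customer", "Done."),
    ("speech", "agent", "Now the expiry date, month and year, then hash."),
    *[("dtmf", k) for k in "1229#"],
    ("speech", "agent", "Thanks, the payment is going through now."),
]

MASK_TONE = "[tone]"  # what the agent and the call recorder hear instead of the key press


@dataclass
class MaskedCall:
    agent_leg: list                                   # forwarded to agent and call recorder
    payment_leg: list = field(default_factory=list)   # completed fields, payment provider only


def mask_dtmf(events):
    """Split a call into an agent leg where every key press is replaced by a flat tone
    and a payment leg holding the keyed digits, one string per '#'-terminated field."""
    out = MaskedCall(agent_leg=[])
    buf = ""
    for ev in events:
        if ev[0] != "dtmf":
            out.agent_leg.append(ev)                 # speech passes through untouched
            continue
        out.agent_leg.append(("tone", MASK_TONE))    # never forward the real key
        if ev[1] == "#":
            if buf:
                out.payment_leg.append(buf)
            buf = ""
        else:
            buf += ev[1]
    if buf:                                          # unterminated field: still kept off the agent leg
        out.payment_leg.append(buf)
    return out


def transcript(events):
    """Render a leg as the text a speech-to-text engine plus DTMF decoding would produce
    from its recording: raw key presses left on a recording are trivially decodable."""
    tokens = []
    for ev in events:
        if ev[0] == "speech":
            tokens.append(f"{ev[1]}: {ev[2]}")
        else:                                        # "dtmf" key or masked tone
            tokens.append(ev[1])
    return " ".join(tokens)


# 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_pans(text):
    """Defensive check to run over call-recording transcripts: a Luhn-valid run of
    13-19 digits means cardholder data reached the recording, putting it in PCI scope."""
    hits = []
    for m in PAN_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group())
        if luhn_ok(raw):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    masked = mask_dtmf(SAMPLE_CALL)
    print("unmasked recording leaks:", find_pans(transcript(SAMPLE_CALL)))
    print("masked recording leaks:  ", find_pans(transcript(masked.agent_leg)))
    print("sent to payment provider:", masked.payment_leg)
```

Running the script shows the unmasked recording yields the full card number, the masked agent leg yields nothing, and only the payment leg holds the two keyed fields. The `find_pans` check is also a useful standing control on its own: running it over transcripts of stored recordings catches a pause-and-resume failure that would otherwise silently pull the recording archive back into scope.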

Operational efficiencies via the cloud

Opting for cloud-based solutions can also provide an answer. The problem with on-premises solutions is that time gets taken up with IT issues – planning, budgeting, training, maintenance, integration and fixing existing in-house systems – rather than actually focusing on the customer experience.

For those currently using in-house solutions to handle payment processing, there is a constant burden to stay ahead of newly emerging threats. Such systems also require constant testing and updating to maintain ongoing PCI compliance and to pass any interim or annual assessments.

Using a trusted cloud-based third-party supplier can therefore remove this operational burden. With access to a unified system – which collates all customer interaction history in one place for easy analysis – it frees up the time that would previously have been spent running an in-house solution, creating efficiencies all round. So, while it may appear daunting at first glance, achieving PCI DSS compliance really needn’t be feared.

Make sure you don’t miss Intelligent Automation Nordics, taking place on 18-19 March in Copenhagen. The event will be packed with all things AI, digital transformation, robotics, and much more. 

If data is more your thing, be sure to check out the Data Innovation Summit 2020. Hosted in Stockholm on 19-20 March, it’s set to be the biggest and the most influential data and advanced analytics event in the Nordics!