Call Centre PCI Compliance: Explained | How To Get Compliant

As a contact centre manager, you’re probably well aware of the importance of being PCI compliant.

PCI compliance is no longer a nice to have – it’s a basic requirement of taking credit card payments in the contact centre.

Here’s what you need to know about PCI compliance as a call centre manager.

Note: the following information is not legal advice and is general in nature.

Does PCI compliance apply to my call centre?


The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that accept, process, store, or transmit credit card data.

This includes organisations that use third-party payment processors to take credit card payments.

Therefore, if you receive payments via credit card in your contact centre, PCI compliance applies to you.

What are the consequences of not being PCI compliant?

Organisations can potentially be fined hundreds of millions of dollars in case of a credit card data breach. When card data is stolen, all affected credit cards must be cancelled, the cardholder notified, and a new card issued. It costs $3 on average to reissue a credit card, which is a cost you may be liable for in case a data breach occurs.

You can also be fined for failure to maintain PCI compliance, even if no breach occurs. Depending on the size of your organisation and the number of transactions processed, these fines can range from the tens of thousands up to millions of dollars.

Another important consequence of not being PCI compliant is how this will affect your organisation’s reputation. Customers expect you to maintain their privacy, especially as it pertains to personally identifiable information and financial data. If a breach occurs, this could have massive ramifications for your organisation’s reputation and long-term performance.

Will my payment gateway help me become PCI compliant?


In general, payment gateways do not offer solutions to facilitate PCI compliant contact centre payments, as their focus is principally on the payment itself. Being compliant requires you to consider your whole business process, not just the method of executing the payment.

You can still use your current payment gateway (or one of the many others available) and be PCI compliant. However, additional steps are required to ensure compliance, as we explain below.

What do the different levels of PCI compliance mean?

There are currently four different levels of PCI compliance, relating to the volume of transactions processed.

  1. Level 1: greater than 6 million card transactions per year.
  2. Level 2: 1-6 million card transactions per year.
  3. Level 3: 20,000 to 1 million card transactions per year.
  4. Level 4: less than 20,000 transactions per year.

These levels of compliance determine your obligations under PCI DSS. The higher your level, the more you have to do to prove that your organisation is PCI-compliant.

The size of the transactions processed, in terms of a dollar amount, does not affect the level of PCI compliance. The levels simply relate to the number of transactions your organisation processes each year.

For business process outsourcers, your level is determined by the total number of transactions you process for all customers. To find the total sum of transactions, all merchant “Doing Business As” (DBA) names associated with your organisation are considered.

Also, Visa can choose to escalate specific organisations to a higher compliance level at their discretion. For example, this can occur if the organisation has previously suffered a breach.

How to make your contact centre PCI compliant


If you take on the task yourself, ensuring PCI compliance can be extremely complex, and often requires massive ongoing investment, even if you’re only classified as a Level 4 organisation under PCI DSS.

If you are directly exposed to credit card data, you need to demonstrate evidence of the measures you use to protect this data, such as your firewalls, your regular agent security training protocols, and your vulnerability management program. You may also need to complete an “Attestation of Compliance” to confirm the security of customer card data to banks or payment processors.

For contact centres, it’s best to remove your operations from the scope of PCI compliance as much as possible, to minimise the cost and complexity of taking compliant card payments.

By doing this, you can eliminate the need to use measures such as regular agent security training, while still maintaining PCI compliance. Your Attestation of Compliance will only require you to detail how you manage around 20 different PCI DSS requirements each year. If you were to take on the task of ensuring PCI compliance yourself, you would likely have to explain how you manage more than 300 different requirements in your Attestation of Compliance.

Removing your contact centre operations from the scope of PCI compliance


Here at contactSPACE, we help contact centres take PCI-compliant payments using pcipayspace. Here’s how it works:

  1. On the call, the agent initiates the transaction, inputting the amount to be paid, and providing verbal instructions to the customer on how to complete the payment.
  2. The call recording is paused.
  3. The customer types in their credit card details using their keypad. DTMF tones are shielded from the agent.
  4. The payment is completed. If the charge fails, the agent can reset the process.

Essentially, pcipayspace helps you simplify your card payment processes. It plugs into your payment gateway, such as Stripe, ensuring that your organisation is never exposed to credit card details, and allowing you to have the simplest and most secure process available. We manage the technology involved with taking phone payments, removing your organisation from the scope of PCI compliance.

Another benefit of this approach is a much shorter average handle time. Reading card details out loud often takes far longer than entering them on the keypad, and the chance of an error caused by the agent mishearing a digit is much higher. If the agent hears a digit incorrectly, you may not be able to easily reset and reattempt the transaction.

Learn more about pcipayspace.

What if I need to store credit card details?


Many organisations need the ability to store credit card details for repeat charges; for example, a charity whose supporters make regular donations.

To do this in a PCI-compliant manner, you can use something called tokenisation.

Tokenisation replaces the stored card number with a token: a substitute string that carries no usable card data. A token may retain some non-sensitive part of the card details, such as the last four digits of the card number, but is otherwise unrecognisable.

If the tokens are accessed by hackers, they are worthless on their own, because only the payment processor can map a token back to the card it represents. However, you can still initiate a transaction and charge the credit card when you need to.
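The keypad capture flow described above and the tokenisation step, as one added example that is not pcipayspace's or any gateway's code: the card number arrives as keypad (DTMF) presses while the recording is paused, the agent sees only a masked view, and what is stored is a random token that only the simulated vault can map back. The in-memory vault, the `#`/`*` key conventions and the test card number are assumptions for the example.

```python
import secrets

# Constructed in-memory stand-in for the payment gateway's token vault.
# Assumption: a real gateway returns an opaque token; this is not any vendor's API.
_VAULT = {}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches a single mis-keyed digit before anything is charged."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenise(pan: str) -> str:
    """Swap the PAN for a random token; the token reveals nothing about the card."""
    token = "tok_" + secrets.token_hex(12)
    _VAULT[token] = pan                     # only the vault holds the mapping
    return token

def take_phone_payment(dtmf_keys: str) -> dict:
    """Collect the card number from keypad presses instead of from the agent.

    Assumed convention: '#' submits, '*' clears a mistyped entry. Returns the
    masked view and token the agent is allowed to see, never the digits."""
    recording = False                       # step 2: pause recording before digits arrive
    digits = []
    for key in dtmf_keys:
        if key == "#":
            break
        if key == "*":
            digits.clear()
        elif key.isdigit():
            digits.append(key)
    recording = True                        # resume once keypad entry has ended
    pan = "".join(digits)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed validation; agent may reset and retry")
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"agent_view": masked, "token": tokenise(pan), "recording": recording}

def charge_token(token: str, amount_cents: int) -> dict:
    """Repeat charge by token alone; an unknown token raises KeyError (worthless)."""
    pan = _VAULT[token]
    return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}
```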

With pcipayspace, you can store PCI-compliant tokens to allow for easy repeat transactions.

Common PCI compliant payment concerns


Some customers or donors may have concerns about submitting card details using their keypad.

Traditionally, when making phone payments, people have communicated their card details verbally. This has been common practice for decades now, and the change may be difficult for some customers, even though inputting your card details through the keypad is safer for both parties.

Here are some common objections, and some tips to help your agents handle them.

1. “Using the keypad is less secure”

Here are some security benefits of using the keypad that you can use to put customers’ minds at ease.

  • Using the keypad, the agent never “sees” the customer’s card details, which makes the process much more secure. You could have the agent explain exactly what they see in front of them on their screen, to put customers’ minds at ease.
  • Using pcipayspace, card details are transmitted securely, straight to the payment processor. They are not exposed to the organisation the customer is paying, making the transaction more secure.

2. “Using the keypad is difficult”


For some customers, using the keypad to transmit card details may seem confusing or difficult.

Fortunately, with pcipayspace, you can have the agent guide the customer through the entire transaction. If the customer has never made a phone payment like this before, you can walk them through the process.

Handling this particular objection is largely down to how prepared your agents are. If you’re finding that many of your customers have never made a credit card payment using their keypad before, then you can prepare agents for this using your CallGuide.

For example, you might create a step-by-step process that agents can use to guide a first-time customer through the payment. You will want to include answers to common customer questions, such as:

  • I’m on a mobile phone – how do I bring up the keypad?
  • I put the wrong number in – what do I do?
  • How do I submit my details when I’m done?