PCI DSS Compliance

To protect customers, organisations taking credit card information over the telephone are required to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). This ensures compliance with the requisite security standards deemed necessary by the major credit card brands.

Recent studies show that 54% of contact centres consider compliance to be either unattainable or years away. According to the Connected World: “Contact centres that operate on behalf of customer organisations could suffer severely should they be exposed as non-compliant.” Non-compliance can lead to substantial fines and the lost of trust with the customers.

Obtaining Compliance

Legacy recording systems can be a barrier to compliance as they may store card security codes after authorisation. Even if this data is encrypted, it is not acceptable.

Manually pausing and resuming call recording is also not an acceptable method of protecting card-holder data. Agents may forget to pause the recording of sensitive card-holder data, or they might forget to resume recording, resulting in the failure to capture details of customer transactions.

ADDCOM Wave provides a state-of-the-art recording system which automates PCI DSS compliance. It helps to build higher levels of trust with existing and new customers through the assurance that their credit card information is safe.

PCI-DSS Solutions

ADDCOM Wave PCI DSS solutions provide a seamless, integrated and compliant process ensuring that card data is never recorded or stored by agents.

PCI de-scoping is available as an alternative. In this instance, calls are transferred to an automated credit card payment system, using Interactive Voice Response (IVR), or customers use their telephone keypads to enter the card data whilst on the telephone phone to an agent.

If you outsource payment channels to a compliant service provider this does not automatically equate to PCI DSS compliance. ADDCOM Wave will review your current processes to determine the most cost-effective option and the best routes to take from a compliance perspective.

A range of approaches are offered by ADDCOM Wave for obtaining PCI DSS compliance as listed below:

Designated Handsets

For organisations that take a small number of payments in may be appropriate to have a number of non-recorded handsets next to payment terminals. When agents take payments they transfer the calls through to the non-recorded extension. This extension can be answered either by a dedicated payment team or by the agents themselves.

Payment IVR (Assisted)

Instead of taking sensitive information over the phone, agents can conference in an automated IVR system where caller enter the payment details using their telephone keypads with the assistance of agents if required. The tones being entered by callers are clamped (removed from the audio) to ensure they are not recorded or overheard by agents.

Automatic Silencing

An application is run on the agents’ PC desktops that monitors for a payment portal being loaded. When a payment portal is detected, the current call recording for the agent will be silenced and when the payment portal is closed, the call recording will be un-silenced. Alternatively, ADDCOM Wave has a PCI DSS silencing API that can be called from applications to silence or un-silence calls at the appropriate time.

Payment IVR (Unassisted)

Instead of agents taking sensitive information over the telephone, they can transfer calls to an automated IVR system where callers enter their payment details without being recorded.