If your call center is handling payment arrangements of any type on your behalf, that means they’re probably dealing with credit (or debit) card data. Since 2004, PCI-DSS rules have required companies handling credit card information to do so with an abundance of security and caution. Here’s what you need to know about PCI compliance and your call center — and what questions you should ask when vetting a new call center vendor.
When Is PCI-DSS Compliance Important?
PCI-DSS is the Payment Card Industry Data Security Standard. It was adopted in 2004 and created through a joint effort between American Express, Discover, MasterCard, and Visa. PCI-DSS is a response to the increasing number of data breaches that put consumer credit card accounts at risk; companies can help protect their customers’ data by following its security requirements.
Failing PCI compliance can result in numerous fines, loss of consumer confidence and even lawsuits. This is true even if the failure was within a call center and not your own offices, so it’s important to ensure your vendors are PCI compliant if:
- They will take credit/debit card payments or arrangements via phone, chat or text
- They will process payments on existing cards
- They will handle any call questions or communications that might include credit or debit card information
3 Questions to Ask Your Call Center About PCI Compliance
Obviously, you want to ask your vendor if they are PCI-DSS compliant and how they plan to remain so. But here are some specifics you may want to ask, depending on what services the vendor will provide.
- What type of redaction processes does the call center offer, particularly for calls that might include credit card numbers? PCI-DSS strictly regulates how credit card numbers can be stored. Companies cannot store these numbers in unredacted format in digital, audio or paper formats. Even if your system saves a credit card number for future use, it must do so via encryption so employees can never see more than the last four digits. To remain PCI-DSS compliant, call centers that record calls for quality assurance must have a method for keeping credit card numbers from being stored in those audio files.
- How is access to information controlled? PCI-DSS requires multiple levels of security, including need-to-know access and log-in tracking. Ask your call center vendor how it limits access to information and what types of access logs are kept.
- What type of network security is used? Since PCI-DSS is aimed at reducing the exposure of consumer payment information, it requires strict network security. Ask call center vendors what types of protocols they have in place and what their plan is in case of a breach.
Call centers that handle credit card data should have a detailed PCI compliance policy manual. One way to check that your call center is compliant is to request a copy of the manual and ask questions to determine whether its actual daily processes align with the written policies.