PCI Compliance in an Outsourced Customer Care Program: What Do You Need to Know?

by Kim Campbell in Contact Center Outsourcing, Customer Service Outsourcing, Kim Campbell

There’s no doubt that today’s businesses – from SMB to global mega-brands – take data security and data protection very, very seriously. With the ever-increasing rigor around PCI DSS compliance, not to mention the proliferation of legislated protections like GDPR, the landscape is changing quickly and for the better. As a result, for most companies, any relationship with an outsourced customer care partner is going to have to come with stringent PCI DSS standards well-established, as well as robust data security systems solidly in place.

If you are going to RFP for contact center services, insight into consumer credit card data protection – typically either certification or compliance with an established standard – is likely going to be part of the conversation. Let’s dig into the state of PCI as it relates to customer care today.

PCI Compliance Background

The Payment Card Industry Data Security Standard (PCI DSS) was designed to protect against data breaches involving credit card data. These security standards apply to every organization – no matter the size – that accepts credit card payments. And the higher the volume of credit card transactions your company processes, the higher your risk of cyberattack and the more concerned credit card companies will be with your level of compliance.

That said, PCI compliance is not a federal requirement – though many states are beginning to create acts that protect consumers against data breaches. In any case, compliance provides a safety assurance both for your customers and for your business itself – as the PCI Security Standards Council itself says, “following PCI security standards is just good business.”

But what happens when you outsource elements of your customer care program that require your outsourcer to collect credit card information? The fact is, your compliance is measured based on your entire credit card data environment, and that may include partners, vendors, and third-party companies you use to process credit card information.

How Contact Centers Interact with Cardholder Data

The most common way an outsourcer interacts with cardholder data is through live agents. Whether the customer is renewing a subscription or purchasing a new service or product, when an agent asks for their credit card information – account number (PAN), security code (CVV, CV2, CVC, CID, etc.), expiration date, and cardholder name – they actively listen, type the information into their software interface, and repeat it back for confirmation. Even when the phone call is taken out of the equation, live agents via SMS and Live Chat also regularly handle credit card transactions.

Most contact center outsourcers do not store client and customer data in their own technical infrastructure – data storage (including the cardholder data in your customer database) falls squarely on your shoulders. But those customer calls are often recorded (and those recordings stored) by the outsourcer for training and quality purposes.

Clearly, there are multiple points of access for data breaches across this entire process. Your outsourced partner should be going to great lengths to protect against this by providing a PCI compliant solution to mitigate your risk.

PCI Compliance in the Contact Center

When your business processes high volumes of credit card transactions, particularly through your customer service team, you should only be engaging with an outsourcer who can meet your data protection requirements. But how they do that can differ from vendor to vendor.

Some outsourcers will choose to become PCI-certified, but it’s important to know that this is not the only option – and, in fact, it may be a very expensive option. PCI compliance can be achieved in other (more affordable) ways.

Essentially, your contact center partner needs a solution that meets the six key elements for compliance:

•   Secure Network
•   Encryption
•   Security Software
•   Restricted Access
•   Network Monitoring
•   Documented Security Policy

At Blue Ocean, we’ve joined forces with a PCI-compliant solutions partner to ensure we’re hitting all these factors and protecting both you and your customers. Let’s explore what that looks like.

DTMF for the Win

Blue Ocean partners with a certified PCI-compliant solutions provider that uses Dual Tone Multi Frequency (DTMF) technology to ensure all our agent-handled interactions are secure.

What does that mean in English? It means that when an agent needs a customer’s payment card data, they ask the customer to type the credit card information on their phone keypad – the distinct DTMF tone each number key produces is masked so it is undecipherable to the agent. Once it’s entered, the agent is presented with a token code via their software interface, which they enter into the credit card field of the CRM. The credit card number and the token code are both sent to the payment gateway for dual authentication of the payment.

Essentially, the agent never hears, sees, or types the cardholder data. Neither is it stored in your or your outsourcer’s software system or in call recordings. Finally – and here’s the beauty of this solution – the agent is still on the phone with the customer while they’re entering the information, supporting the customer should they get confused, enter wrong information, or have further questions. In summary, our solution protects both the cardholder data and the customer experience.
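To make the data flow concrete, here is an added illustration (not Blue Ocean’s or its provider’s code) of how a DTMF capture and tokenization service keeps the PAN out of the agent’s screen, the CRM, and the call recording, and how a mistyped number is caught so the customer can re-enter it while the agent stays on the line. The class name, the token format, and the in-memory vault are all hypothetical stand-ins for the provider’s real service.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches most typos when the customer keys in the PAN."""
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class DtmfVault:
    """Constructed stand-in for the DTMF masking / tokenization provider."""
    def __init__(self):
        self._pans = {}          # token -> PAN; exists only inside the provider
        self.agent_screen = []   # everything the agent's interface ever shows
        self.recording = []      # everything that lands in the call recording

    def capture(self, keypresses: str):
        """Consume DTMF digits until '#', masking every tone on the agent side."""
        buf = ""
        for key in keypresses:
            if key == "#":
                break
            self.agent_screen.append("*")           # agent sees a masked digit
            self.recording.append("<masked-tone>")  # recording gets a flat tone
            buf += key
        if not buf.isdigit() or not 13 <= len(buf) <= 19 or not luhn_valid(buf):
            self.agent_screen.append("INVALID - ask customer to re-enter")
            return None
        token = "tok_" + secrets.token_hex(8)   # only the token reaches the CRM
        self._pans[token] = buf
        self.agent_screen.append(token)
        return token

    def gateway_charge(self, token: str, amount_cents: int) -> dict:
        """Gateway side: the CRM's token must match a PAN the vault captured."""
        pan = self._pans.pop(token, None)   # single use: a replayed token fails
        if pan is None:
            return {"ok": False, "reason": "unknown or reused token"}
        return {"ok": True, "pan_last4": pan[-4:], "amount": amount_cents}
```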

PCI compliance partners are also able to intercept data in IVR, SMS, and live chat environments.

When partnering with a third-party solution, your outsourcer should also obtain an Attestation of Compliance (AOC) signed off by a Qualified Security Assessor (QSA). This way, you can be confident they take security seriously and have a highly secure environment.

Curious about our PCI-compliant customer care solutions? Book an appointment today to learn more.
