Addressing PCI compliance in the contact centre

Many industries today are required to record and store customer calls for compliance reasons. Any organisation that processes, stores or transmits credit card information is required to be in compliance with PCI DSS (the Payment Card Industry Data Security Standard).

Even though the Payment Card Industry defines multiple levels of merchants and service providers, depending mostly on annual transaction volumes, the compliance requirements remain the same for all of them. These requirements include: preventing storage of card data on call and screen recordings; protecting the physical contact centre environment; securing the agents’ desktops; and securing the VoIP network.

Failing to protect customer privacy can result in serious fines and reputational damage. For contact centres, this means certain portions of sensitive cardholder information cannot be stored at all, however securely. When taking payment over the phone, adhering to the PCI DSS security requirements is crucial to protecting against fraud and instilling customer confidence in the business.

In March of this year [2016], we were proud to join Semafone’s breakfast briefing addressing PCI compliance in the contact centre. Held aboard the beautiful Silver Sturgeon, docked on the Thames, the briefing kicked off with an introduction from our very own Founder and Chairman, Adam Toop.

Graham Turner, Sales Director of Semafone, then provided further insight into the background of the company and of Semafone as a product, including some interesting statistics on data breaches within businesses in the UK:

  • 40 per cent of British consumers have been affected by the loss of personal information
  • 20 per cent of UK businesses have suffered a data breach in the last two years
  • 33 per cent of UK businesses do not have a data breach response in place
  • 81 per cent of UK businesses are concerned about the cost of recovering from a breach
  • 60 per cent of European data breaches in 2014 were in the UK
  • 117 data breaches occurred in the UK in 2014 compared to just nine in France and eight in Germany

Direct attacks on devices in the payment acceptance process have become increasingly common and highly sophisticated. These statistics were taken from Business Reporter and show just how essential it is to reduce risk and avoid data breaches that can expose cardholder information.

Also in attendance at the briefing were members of AXA’s technology team, who discussed Adam Phones’ implementation of the Semafone payment technology solution. AXA needed to enhance its payment card security and de-scope its contact centres from PCI DSS regulations, all while ensuring the business continued to operate within PCI and FCA regulations.

We worked with Semafone to successfully migrate AXA’s 4,000 telephone numbers, along with its 2,000 agents, from one SIP endpoint to the Semafone hosted solution.

Additionally, we carried out the implementation out of hours to ensure that AXA’s business continued to operate within PCI regulations throughout. Using the solution, AXA was able to enhance security for all of its customers making card payments over the phone, while freeing up call centre agents to perform ‘wrap up’ tasks during the call and improve customer service.

AXA Group’s IT Director, Matt Potashnick, commented, “I’m happy that we have a compliant solution and that our customers can feel confident about the security of their payment information. We have worked with Adam Phones for a number of years – they understand our business, so the implementation was something I knew would be handled professionally.”

If you are interested in reading more about our implementation with AXA, you can read the full case study here.

Posted on: 22nd April 2016

Posted in: PCI DSS Compliance