Pause for thought - reducing your PCI scope
As a business, if you take card payments over the phone you are obligated to adhere to over 350 separate controls. Are you prepared for the forensic auditors to come knocking? GCI’s PCI Director, Martin Morris, addresses common misconceptions, complexities and the solutions you can trust.
26 April 2019
Given the exponential rise in the awareness of PCI DSS, at GCI we spend quite a lot of time speaking to concerned businesses about the challenge of compliance. To clarify, The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory set of controls that apply to all organisations that store, process or transmit cardholder data where customers are making payments, whether online, offline, via the telephone or any other method. Retail is an industry in which this would be highly applicable, but it’s important for a wide variety of other sectors too; for instance, if you’re a local council that offers its citizens the ability to pay online or by the telephone.
However, just understanding the regulations and interpreting them in relation to your specific industry, business and technology environment is a major challenge. The most common misconception is that a business is PCI compliant once it has implemented some form of “pause and resume” feature on its call recording platform: if the merchant is not recording card details, it must be in the clear. Even if that were the case, “pause and resume” is an imperfect solution open to user error, relying on agents remembering to input a code or click a button before and after the transaction. What could possibly go wrong in a Contact Centre with 500 seats?
Some companies have partnered with their telephone system, Contact Centre software or CRM provider to partly automate the “pause and resume” process, automatically halting recording at the payment gateway page and resuming once the transaction is complete. This is a great step forward and is being widely adopted as good practice; however, if you’re Financial Conduct Authority (FCA) regulated then, by doing this, you’re falling foul of those regulations, which stipulate that you must record the whole of the call and demonstrate that you’re treating the customer fairly. You’re damned if you do, damned if you don’t in this tremendous tug of war between two sets of regulations. And even these more automated methods of “pause and resume” are problematic: card details can be recorded for quite some time before a merchant becomes aware, leaving them with the task of identifying which call recording files now contain sensitive card data. The perceived wisdom, of course, is that “pause and resume” will ensure that no one can retrospectively go through your call recording files to pull out your customers’ card details and use them fraudulently, because you’ve taken steps to ensure that they’re not recorded. And this is a great step along a much, much longer road to compliance... provided that no one forgets to put in the code or click the button, and that the technology is 100% reliable.
When it comes to PCI DSS, too many have what a former colleague of mine calls “happy ears”. They hear something which sounds like it solves the problem and rather than have to get their minds – or their budgets – around the seemingly endless list of other steps they need to take, they go along with it. Our experience is that this approach is not malicious. Essentially it boils down to a lack of knowledge, which can be a dangerous thing; especially if the forensic auditors come knocking. By then, of course, it’s too late. If you are allowing sensitive cardholder data into your environment, you are potentially obligated to complete over 350 separate controls - a figure that will only rise. So if you’ve implemented “pause and resume”, use a compliant payment service provider, operate a paperless office and regularly change system passwords… you only have another 340 or so controls to go.
Of course, this issue, problem, responsibility (or whatever else you want to refer to PCI DSS as) all but goes away if you remove sensitive cardholder data from your business entirely and reduce your scope as much as possible. This means not allowing Contact Centre agents to hear or see card details, and ensuring they are not captured in any call recordings or stored in any system logs or databases. This will, in turn, reduce the overheads and costs of compliance by 98%, freeing up people and budget in the process. With GCI’s PCI Live Agent solution, you can do all of this whilst ensuring that communication between the agent and customer is never interrupted, and even letting agents guide the customer through the payment process. No “pause and resume” required! GCI will reduce your scope and remove the hassle, confusion, misinterpretation and a good chunk of the cost, allowing you to focus on your strategic IT goals. Basically, “remove the data, remove the risk”.
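The two practical tasks the preceding paragraphs leave a merchant with are finding out which call transcripts or system logs already contain card numbers after a “pause and resume” failure, and checking that a de-scoped environment really keeps them out of logs and databases. The following is an added example, not GCI’s code or part of the PCI Live Agent product: a small Python scanner that looks for 13 to 19 digit runs (optionally separated by spaces or dashes), keeps only those that pass the Luhn check used by card numbers, reports which records contain them, and masks all but the last four digits. The record names and their contents are constructed sample data; the two card numbers are the standard Visa and Mastercard test numbers, not real cards.

```python
import re

# Runs of 13-19 digits, with optional single spaces or dashes between digits,
# not touching other digits on either side. Constructed pattern; tune for your data.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(raw: str) -> str:
    """Strip the separators the regex allows so only digits remain."""
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number-like digit strings found in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid candidate with stars plus its last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # order references, phone numbers etc. are left alone
    return _CANDIDATE.sub(_mask, text)


def scan_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each record name to the card numbers it contains; clean records are omitted."""
    hits = {}
    for name, content in records.items():
        pans = find_pans(content)
        if pans:
            hits[name] = pans
    return hits


# Constructed sample records: two call transcripts, one application log line,
# and one clean transcript. Card numbers are industry test numbers.
SAMPLE_RECORDS = {
    "call-0001.txt": "agent: can I take the long number? customer: 4111 1111 1111 1111 expiry 12/24",
    "call-0002.txt": "customer: my order reference is 1234567890123 and my phone is 01234 567890",
    "app.log": "2019-04-26T10:02:11Z INFO payment posted pan=5555555555554444 amount=49.99",
    "call-0003.txt": "agent: the payment was completed on the secure line, thank you",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {len(pans)} card number(s) found")
        print("  masked:", mask_pans(SAMPLE_RECORDS[name]))
```

The Luhn check is what keeps the order reference and phone number in the second transcript from being flagged; a digit-count-only scan would report them. In a real review the same functions would be run over exported transcripts, database dumps and log archives, and any record that comes back in the hit list is in scope until it is purged or masked.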
Want to know more? Simply email us at firstname.lastname@example.org to book a complimentary PCI consultation.
Author: Martin Morris, PCI Director at GCI
PCI Webinar you may be interested in
PCI DSS refresh: The challenge of compliance in an era of constant change
Digitalisation is constantly moving the goalposts for compliance teams as organisations struggle to cope with changing customer demands, revolutions in payment channels and other core security business issues. GCI’s compliance experts will talk you through the PCI DSS landscape and look at some of the solutions available to overcome the hurdles associated with achieving cost-effective compliance.
Date: Tuesday 25th June 2019
PCI Live Agent Product Sheet
PCI Live Agent from GCI is an agent-assisted telephone payments solution which allows card payments to be taken from customers over the phone without the agent seeing or hearing sensitive cardholder data.