Some pitfalls of PCI DSS & GDPR to avoid for contact centers and remote workers

If you’re holding payment card data within your organization’s contact center environment (for instance in call recordings, or on your network as transactions are made), you’re always at risk of a data breach, even if you’re PCI DSS and GDPR compliant.

Many organizations have shifted calls and transactions to remote workers and outsourcers due to the COVID-19 pandemic, so it’s even more important to remember that PCI DSS and GDPR aren’t magic bullets. They cannot guarantee that your organization will not suffer a data breach, or that personal information such as payment card data will not be compromised, especially if you’ve shifted some or all contact center operations to a less supervised environment.

Fraudsters are becoming much more sophisticated in the ways they access sensitive payment card information, and such attacks are on the rise, as we have written about before on this blog. Many well-known organizations have fallen victim and have had customers’ card details accessed by criminals. Most experts agree that these days it’s not a question of if you will get breached, but when.

Some of the most common ways in which card data can be accessed are:

  • Insider fraud – a contact center agent is able to hear or see customers’ card details and then misuses them themselves, or sells them on to other criminals.
  • Errors – staff members share card data by mistake, or bugs in systems allow such details to be accessed from outside the organization.
  • Hacks – malicious hackers breach an organization’s security systems and access data that includes card data, such as call recordings.

There’s even a warning we’ve read about recently entitled ‘The secret fight for your personal information’ about the US courts being used to try to gain access to personal information (which for the purposes of GDPR includes payment card data).

If you’re storing card data within your organization then you could therefore be vulnerable to data being accessed in one of these ways, even if you’re PCI and GDPR compliant. The only way to guarantee card data can’t be accessed is by stopping it entering this environment in the first place. We always recommend this strategy, as do most payment security experts, as there are a number of reasons why we believe it’s the only sensible approach.

  1. Securing payment card data yourselves is a never-ending task

Managing payment card data security compliance yourself is a huge task and also represents a moving target. As fast as you find technological ways to close loopholes and protect yourself from data being accessed in one area – for instance by eliminating card data in call recordings – fraudsters and hackers will find new vulnerabilities to exploit in other areas. If you let card data enter your network or your agents have access to customers’ card numbers, then you’re going to be involved in a constant battle to keep it secure. There will never come a time when you can relax or feel safe from the risk of this data being compromised.

  2. Securing payment card data yourselves is complicated

If you’re securing data yourselves then your whole contact center environment is going to be embedded into your compliance processes. When the regulations or requirements change it can be hugely expensive to implement the changes, as so many things may need to be unpicked in your contact center and rebuilt to the new specifications. PCI and GDPR compliance can end up sucking up a massive amount of IT and project management resource that could be made available for other more valuable projects, if you didn’t need to worry about keeping card data secure.

  3. Securing payment card data yourselves limits your flexibility

Many contact centers want or need to be able to make use of home workers or outsourcers. It’s a common way to manage costs, access the right skills and handle variable call volumes, and for many organizations it has been a necessary move to cope with the COVID-19 pandemic. However, if you’re holding card data within your organization’s systems, this leads to significant security and training challenges when it comes to managing remote workers and outsourcers. Eliminating card data from your contact center environment makes it much easier to take on remote workers when you need them, without having to worry about the implications for card data security.

  4. Securing payment card data yourselves is expensive

Keeping data secure yourself is extremely expensive, as is demonstrating that it is secure in order to achieve PCI DSS compliance. You’ll have to invest substantial sums in software and other technological solutions and, as already discussed, the continually changing nature of the threat means you’ll need to keep updating those solutions, investing both time and money to ensure that your systems and processes are up to date and that your staff are trained. There’s also the cost of insuring against cybercrime, which is getting ever higher.

  5. Being breached can be an expensive disaster for an organization

The cost of securing your data may be high, but the potential cost of a breach is higher still.

The direct costs associated with the breach include the costs of:

  • Investigating how it happened
  • Closing whatever security hole caused it
  • Compensating the victims and paying fines
  • Increased insurance premiums.

However, you’re also hit with indirect costs such as damage to your brand and lost customer trust, which can be incalculable.

So, what’s the solution?

At Syntec, we firmly believe that the best way to deal with sensitive payment card data in your organization is not to have to deal with it at all.

This view is supported by many payment security experts and also by the global PCI Security Standards Council, whose 2018 guidelines on protecting telephone-based payment card data state:

“For organizations committed to taking payments over the telephone, consideration should be given to techniques that minimize exposure of PAN (long card number) and SAD [3 or 4 digit security number] to the telephone environment and balance that with user/customer experience requirements, with the object of significantly reducing the CDE [cardholder data environment] or eliminating the CDE altogether.”

Our CardEasy solution enables you to take card payments in your contact centers and through remote workers without the customer’s card details ever entering your own environment or systems. Whether you take payments by phone or via digital channels such as e-mail, SMS, webchat or social media, you can’t be at risk of a breach of the card payment data because you’ll no longer be privy to that data – and you will also be seen to have adopted ‘appropriate technical measures’ to be compliant, as required by the PCI DSS standard. Most importantly, you won’t be faced with the never-ending task of trying to keep that very sensitive customer data secure.