Call centers confront the PCI compliance challenge

The second version of the PCI DSS standard (Payment Card Industry Data Security Standard), designed to protect payment card information, is now expected for all compliance tests. After several cases of disclosure of confidential personal data that have recently tarnished the reputation of a whole industry, in India but also in France with the theft of Nicolas Sarkozy's bank information in 2009, this obligation creates a new challenge for call centers. Awareness seems to be growing; sadly, most management teams are quite helpless in the face of the many changes needed to become compliant. As we show, the whole company and its entire staff are concerned by the adoption of the PCI standard. The following summary highlights five key points for upgrading to the PCI standard. They can be summed up in five actions: get informed, communicate, understand, adapt, even for home-shored agents.

1. Get informed: make good use of the resources on the official standards website

The standard itself, accompanied by a host of advice in the form of FAQs and supplementary guides, is available on the PCI SSC website: www.pcisecuritystandards.org. This website is useful for discovering, in a practical way, the most recent expectations and concerns raised by the standard. There one can also find an answer that is crucial for call centers: digital recordings of calls containing credit card details fall within the scope of the PCI DSS standard, because calls recorded by call centers for quality purposes can be used to commit fraud. In March 2011, PCI SSC published a supplementary guide containing specific recommendations for protecting credit card details stored in recorded calls, available on the website.

2. Communicate with specialized providers

The PCI SSC website contains a list of applications approved under the PA-DSS standard; these applications have been tested and approved as viable payment technologies that follow the payment processing guidelines set out by the PCI DSS standard.
Recording solutions have been tested in particular on the following points: a high level of encryption applied to files, and the ability to stop and restart recording automatically depending on workstation activity, so that sensitive authentication details such as the CVV2 (Card Verification Value) are not captured.

3. Understand that all personal data are concerned

It is of the utmost importance to keep in mind that the confidential parts of personal data are defined in multiple laws; credit card numbers are only one part of the data that needs to be secured. It is thus necessary to have the other data, such as maiden name, social security number, driver's license, medical files…, secured during transmission.
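The automatic stop-and-restart of recording described under point 2, as an added sketch (not taken from the original article or from any vendor's product): it computes which parts of a call a recorder keeps when it pauses while a payment form is on the agent's screen. The event names, the heartbeat timeout and the fail-closed rule when the workstation goes silent are assumptions made for illustration.

```python
# Constructed sample: (seconds into call, event) from a hypothetical desktop agent.
SAMPLE_EVENTS = [
    (8, "heartbeat"), (16, "heartbeat"),
    (20, "payment_form_open"), (28, "heartbeat"),
    (30, "payment_form_open"),          # second payment window opened
    (36, "payment_form_closed"), (44, "heartbeat"),
    (45, "payment_form_closed"),        # last payment window closed
    (52, "heartbeat"), (60, "heartbeat"),
    (90, "heartbeat"), (98, "heartbeat"),  # workstation silent from 60 to 90
]

def retained_segments(call_start, call_end, events, heartbeat_timeout=10):
    """Return the (start, end) audio intervals the recorder may keep."""
    segments = []
    open_forms = 0          # payment forms currently on screen
    seg_start = call_start  # start of current kept segment, None while paused
    last_seen = call_start  # time of the last message from the workstation

    def pause(at):
        nonlocal seg_start
        if seg_start is not None and at > seg_start:
            segments.append((seg_start, at))
        seg_start = None

    for t, name in sorted(events):
        if not call_start <= t <= call_end:
            continue
        # Fail closed: if the workstation was silent too long, the screen
        # state is unknown, so recording stopped when the timeout expired.
        if t - last_seen > heartbeat_timeout:
            pause(last_seen + heartbeat_timeout)
        last_seen = t
        if name == "payment_form_open":
            open_forms += 1
            pause(t)
        elif name == "payment_form_closed":
            open_forms = max(0, open_forms - 1)  # ignore stray close events
        if open_forms == 0 and seg_start is None:
            seg_start = t   # resume only when no payment form is visible
    if call_end - last_seen > heartbeat_timeout:
        pause(last_seen + heartbeat_timeout)
    pause(call_end)
    return segments

if __name__ == "__main__":
    print(retained_segments(0, 100, SAMPLE_EVENTS))
```
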
4. Adapt physical and hardware settings

The usual layout of a call center is potentially problematic. A vast space without walls allows agents to hear or see personal data collected by their coworkers. Creating a neutral zone where authorized agents can process credit card details is a possible solution to ensure data security.

5. …Even for homeshoring

The issue of data confidentiality and security is particularly pressing for home-shored calls, as agents are not directly supervised by their managers. However, solutions exist that allow contact centers to fulfill the requirements of the PCI standard. Two-factor identification (using, for example, physical chips) is necessary to ensure that the connected person is the authorized employee. Some companies have even implemented voice recognition solutions to confirm agent identity. Isolating remote agents on a specific segment of the network, using a firewall, is another option to contain potential security issues and unwanted access to data.

Complying with the PCI standard, even if it is not mandatory, truly is a major ambition for call centers, as they need to reassure customers as much as they can. The five points outlined here, even if they do not cover the entire topic, help show that the whole call center is concerned by the necessary adjustments.