
Vulnerability Despite PCI Third-Party Outsourcing-Understanding the Truth

By Special Guest
Greg Gentile, President, Govolution
March 21, 2016

Outsourcing PCI Compliance?

Enterprises whose contact centers handle credit card transactions typically use PCI-certified third-party payment processors to offload the regulatory hurdles and compliance mandates dictated by the PCI Security Standards Council, the organization formed by the major card brands to monitor and ensure data security for card-based financial transactions.

Contact centers often believe that, because they use a third party to process credit card payments, they are insulated from and exempt from PCI mandates, which can include costly annual audits and significant ongoing IT resource commitments. But there’s a hole in that thinking. According to the PCI Council, any business that touches any part of a communication involving a credit card transaction is considered “within scope” of the rigorous PCI mandates — or faces harsh financial consequences.

How One Remains on the Hook

There are several scenarios in which outsourcing can lead to unexpected PCI compliance challenges. Perhaps the most common: Interactive Voice Response (IVR) solutions that use SIP trunks to connect with payment processors can be vulnerable to data breaches and can expose the merchant to PCI compliance issues despite the use of third-party payment services. The technology — which is the backbone of the IP network — leaves enough of a data footprint to unwittingly place the merchant in scope, and, in effect, puts a number of entities at risk: the contact center, the payment processor, and the consumer.

Another example: a customer calls your company’s contact center to place an order or pay a bill. When it comes time to pay, the agent passes the call to a PCI-certified third-party payment processor, which runs the transaction in a presumably separate and secure environment. The thinking goes that, by relinquishing responsibility for that transaction to this third party, your contact center need no longer worry about PCI compliance.

The problem with this theory is that the caller, your customer, may have remained in a conference call with your agent during the whole transaction — on your phone system, which is connected to your network. Or it may be that your voice recording system captures all of that customer’s sensitive credit card data. Since it’s your network and the call remains connected to it, you’re still technically on the hook for PCI compliance standards, for any data breach that may occur, and for any fraud perpetrated on that customer.

Perhaps you’ve believed all this time that your company has been in PCI compliance because you’ve contracted with a PCI-compliant third-party partner who conducts all of your transactions separately. Not true. The customer call originated from your network, or may not have completely disconnected from your contact center, so the PCI Council continues to consider your company “in scope”, and liable for any malfeasance committed against that customer. In short, despite your PCI-compliant third-party partner, you remain exposed.

Truly Cutting Free

Fortunately, there is an easy remedy for these common situations: the call can be passed through a specially designed session border controller and completely disintermediated from the agent and your network before any sensitive card or customer information is shared, recorded, or used to complete the transaction. Under this model, the transaction occurs entirely outside your environment, and PCI compliance is achieved at low cost.

Better still, after the call has been completely disintermediated from the system, this same technology can allow the agent to easily reconnect with the call without missing a service beat, keeping the customer’s experience intact. The customer returns to the same queue position and to the same agent who has been servicing him all along, completing the sale in one seamless encounter. In such a wholly separated scenario, the PCI-certified third party would indeed be wholly responsible for security, leaving your enterprise truly disassociated and compliant.

The Whole Truth

What’s the lesson to be learned? Enterprise contact center managers, and the technology providers that service them, must investigate all avenues for cardholder protection — such as deploying cost-effective session border controller technologies like the example provided above — instead of simply relying on the concept of “outsourcing” to mitigate their exposure. Third-party providers have varying levels of PCI compliance, and the complexity of contact center operations may leave you at risk.

PCI requirements are changing rapidly, and contact centers are struggling to keep pace with new threats and evolving industry standards. Staying current on new best practices, such as session border controllers, can keep your risks mitigated, protect your customer data, and reduce your compliance costs.

About the Author

Greg Gentile is president of Govolution, a payment service provider that offers its Velocity Payments solution to enterprises, government agencies, and institutions. He can be reached at  

Edited by Peter Bernstein
