Outsourcing PCI Compliance?
Enterprises whose contact centers take credit card payments typically use PCI-compliant third-party payment processors to offload the burden of the PCI Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council, the body formed by the major card brands to set security standards for card-based transactions.
Contact centers often believe that, because a third party processes their card payments, they are insulated from PCI mandates, which can include costly annual audits and significant ongoing IT resource commitments. There is a hole in that thinking. Under PCI DSS, every system component that stores, processes or transmits cardholder data, and anything connected to or able to affect the security of those components, is "in scope". Using a third party shifts some of the work; it does not remove the merchant's responsibility, and the card brands and acquiring banks can levy fines and higher transaction fees on a merchant found non-compliant after a breach.
How One Remains on the Hook
Several scenarios leave an outsourcing merchant with unexpected PCI obligations. Perhaps the most common involves Interactive Voice Response (IVR) systems that hand the caller to the payment processor over SIP trunks. The processor runs the transaction, but the card digits the caller speaks or keys still traverse the merchant's trunk, PBX or session border controller on their way out: spoken digits in the RTP media stream, keyed digits as DTMF (on SIP trunks usually RFC 4733 telephone-events in the media stream, or SIP INFO messages), and both potentially in packet captures, signaling logs and recordings. That data footprint places the merchant's voice network in scope and puts the contact center, the payment processor and the consumer at risk.
Another example: a customer calls your company's contact center to place an order or pay a bill. When it is time to pay, the agent passes the call to a PCI-compliant third-party payment processor, which runs the transaction in what is presumed to be a separate, secure environment. The thinking goes that, by handing the transaction to the third party, your contact center need no longer worry about PCI compliance.
The problem is that the caller may remain conferenced with your agent for the entire transaction, on your phone system, which is connected to your network. Or your call recording system may capture every digit of the customer's card data, whether spoken or keyed as DTMF tones. Because the call never leaves your network, you remain on the hook for PCI compliance, for any breach of that data and for any fraud later perpetrated on that customer.
You may have assumed all along that your company was PCI compliant because a PCI-compliant partner conducts all of your transactions separately. Not so. The call originated on your network and may never have fully disconnected from your contact center, so your company stays "in scope" and liable for any misuse of that customer's data. In short, despite your PCI-compliant partner, you remain exposed.
Truly Cutting Free
Fortunately, there is a practical remedy for these common situations: pass the call through a session border controller (SBC) designed for this purpose, so that the call is transferred out of the merchant's environment, away from the agent, the recorder and the merchant's network, before any card or customer data is spoken or keyed. Under this model the transaction takes place entirely outside your environment, removing the voice platform from scope at relatively low cost. The SBC that performs the handoff, and the path the call takes up to that point, still have to be documented and confirmed with your assessor; the technique reduces scope, it does not make assessment unnecessary.
Better still, once the call has been separated from your systems, the same technology lets the agent reconnect to it without a service gap, keeping the customer's experience intact: the customer returns to the same queue position and the same agent who has been handling the call, and the sale completes in one seamless encounter. In such a wholly separated arrangement the PCI-compliant third party is indeed responsible for securing the card data, leaving your enterprise disassociated from it and your own compliance effort confined to what remains in scope.
The Whole Truth
What’s the lesson to be learned? Enterprise contact center managers and technology providers that service them, must investigate all avenues for cardholder protection — such as deploying cost-effective session border controller technologies like the example provided above — instead of simply relying on the concept of “outsourcing” to mitigate your exposure. Third-party providers have varying levels of PCI compliance and the complexity of contact center operations may leave you at risk.
PCI requirements are changing rapidly and contact centers are struggling to keep pace with new threats and evolving industry standards. Staying current on new best practices, such as the session border controllers, can keep your risks mitigated, protect your customer data and reduce your compliance costs.
About the Author
Greg Gentile is president of Govolution, a payment service provider that offers its Velocity Payments solution to enterprises, government agencies, and institutions. He can be reached at [email protected]
Edited by
Peter Bernstein