CustomerZone360 NEWS

Vulnerability Despite PCI Third-Party Outsourcing: Understanding the Truth

By Special Guest
Greg Gentile, President, Govolution
March 21, 2016

Outsourcing PCI Compliance?

Enterprises whose contact centers handle credit card transactions typically use PCI DSS-validated third-party payment processors to offload the compliance obligations set by the PCI Security Standards Council, the body formed by the major card brands to develop and maintain the data-security standards for card-based payments.

Contact centers often believe that, because they use a third party to process card payments, they are insulated from PCI mandates, which can include costly annual audits and significant ongoing IT resource commitments. But there is a hole in that thinking. Under the PCI Council's scoping rules, any system that stores, processes or transmits cardholder data, or that can affect the security of the systems that do, is in scope. A merchant whose network carries any part of the card transaction therefore remains subject to the full requirements, and to the financial consequences of failing them.

How One Remains on the Hook

There are several scenarios in which outsourcing leads to unexpected PCI compliance challenges. Perhaps the most common involves Interactive Voice Response (IVR) systems that reach the payment processor over SIP trunks. The SIP signalling and RTP media for such a call, including the digits the caller keys in (sent either as in-band tones or as RTP telephone events), traverse the merchant's IP network. That footprint alone places the merchant in scope despite the third-party payment service, and a breach of it puts the contact center, the payment processor and the consumer at risk.

In another scenario, a customer calls your contact center to place an order or pay a bill. When it comes time to pay, the agent passes the call to a PCI DSS-validated third-party payment processor that runs the transaction in a presumably separate, secure environment. The thinking goes that, having handed the transaction to this third party, your contact center no longer needs to worry about PCI compliance.

The problem with this theory is that the caller, your customer, may have stayed in a conference with your agent for the whole transaction, on your phone system, which is connected to your network. Or your call recording system may capture every digit of the customer's card data as it is keyed in or read out. Because the call never left your network, you remain on the hook for the PCI DSS requirements, for any breach that follows, and for any fraud perpetrated on that customer.

Perhaps you have believed all along that your company is PCI compliant because you contracted with a PCI-compliant third party that runs all of your transactions separately. Not so. The call originated on your network, or never fully disconnected from your contact center, so the PCI Council still considers your company in scope, and liable for any malfeasance committed against that customer. In short, despite your PCI-compliant third-party partner, you remain exposed.
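One practical way to find out whether the recording and logging described above has already pulled you into scope is to scan what your recorder, transcript store and telephony event logs actually hold. The following is an added example, not code from the article or from Govolution: it reassembles keyed DTMF digits per call leg, pulls digit runs out of transcript text, applies the Luhn check that every PAN passes, and reports masked hits. The log line format, the call names c1 and c2, and the sample lines are all constructed for illustration; real recorders and SBCs use their own formats, so the line pattern (LINE_RE) is the part you would adapt.

```python
"""Scan contact-center recording artefacts for card numbers (PANs).

Added example, not code from the original article or from Govolution. If a
call recorder, transcript store or SIP/RTP event log on the merchant network
holds a PAN, that system stores cardholder data and is in PCI DSS scope no
matter who processed the payment. The log format used here is invented for
illustration; real recorders and SBCs log DTMF and transcripts in their own
formats, so adapt LINE_RE to yours.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

PAN_MIN, PAN_MAX = 13, 19  # PCI DSS treats 13- to 19-digit Luhn-valid numbers as PANs

# Constructed sample log. Call c1 is a warm transfer: the agent stayed bridged
# while the caller keyed the card number, so both the agent-leg transcript and
# the caller-leg DTMF events kept a copy. Call c2 handed the caller off before
# any digits were keyed, so nothing sensitive was captured.
SAMPLE_LOG = """\
2016-03-21T14:02:11Z call=c1 leg=agent  text=go ahead and key in your card number now
2016-03-21T14:02:19Z call=c1 leg=caller dtmf=4111
2016-03-21T14:02:21Z call=c1 leg=caller dtmf=1111
2016-03-21T14:02:23Z call=c1 leg=caller dtmf=11111111#
2016-03-21T14:02:31Z call=c1 leg=caller dtmf=1219#
2016-03-21T14:02:35Z call=c1 leg=agent  text=I have 4111 1111 1111 1111 expiring 12/19, thank you
2016-03-21T14:02:40Z call=c1 leg=agent  text=order ORD-20160321-0001 on account 1234567890123
2016-03-21T14:10:02Z call=c2 leg=agent  text=I will hand you over to the secure payment line now
2016-03-21T14:10:05Z call=c2 leg=caller event=transfer
"""

LINE_RE = re.compile(r"^\S+\s+call=(\S+)\s+leg=(\S+)\s+(dtmf|text)=(.*)$")


class Finding(NamedTuple):
    call: str
    leg: str
    source: str      # "text" (transcript) or "dtmf" (keyed digits)
    pan_masked: str  # first six and last four only, as PCI DSS permits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check. About 1 in 10 random digit strings pass, so it
    filters most phone and order numbers but is not proof on its own."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(digits: str) -> List[str]:
    """Return Luhn-valid 13..19 digit substrings, longest match first and
    non-overlapping, so a PAN followed by an expiry date is still found."""
    found, i = [], 0
    while i < len(digits):
        for length in range(PAN_MAX, PAN_MIN - 1, -1):
            cand = digits[i:i + length]
            if len(cand) == length and luhn_ok(cand):
                found.append(cand)
                i += length
                break
        else:
            i += 1
    return found


def pans_in_text(text: str) -> List[str]:
    """Digit runs of 13..19 digits, allowing single spaces or dashes between digits."""
    pans: List[str] = []
    for m in re.finditer(r"\d(?:[ -]?\d){12,18}", text):
        pans.extend(find_pans(re.sub(r"[ -]", "", m.group(0))))
    return pans


def scan_log(log: str) -> List[Finding]:
    findings: List[Finding] = []
    dtmf_streams: Dict[Tuple[str, str], str] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other event types are not of interest here
        call, leg, kind, value = m.groups()
        if kind == "text":
            findings += [Finding(call, leg, "text", mask(p)) for p in pans_in_text(value)]
        else:
            dtmf_streams[(call, leg)] = dtmf_streams.get((call, leg), "") + value
    # DTMF arrives a few digits per event; reassemble the stream per leg and
    # split on '#' and '*', which callers use to terminate fields.
    for (call, leg), stream in dtmf_streams.items():
        for segment in re.split(r"\D+", stream):
            findings += [Finding(call, leg, "dtmf", mask(p)) for p in find_pans(segment)]
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.call} {f.leg:7} {f.source:5} {f.pan_masked}")
```

On the constructed sample, call c1 produces two findings, one from the agent-leg transcript and one from the caller-leg DTMF stream, which are exactly the two exposure points the scenario above describes; the 13-digit account number and the order number are rejected by the Luhn check, and call c2 produces nothing. A hit in a real recorder means that system is storing cardholder data and must be either brought into scope or taken out of the audio path.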

Truly Cutting Free

Fortunately, there is a straightforward remedy for these common situations: pass the call through a session border controller designed for this purpose, so that the caller is fully disintermediated from the agent and from your network before any card or customer information is spoken, keyed, recorded or used to complete the transaction. Under this model the payment takes place entirely outside your environment, and PCI compliance can be achieved at low cost.

Better still, once the call has been separated from your system, the same technology lets the agent reconnect with the caller without missing a beat, keeping the customer's experience intact. The customer returns to the same queue position and to the same agent who has been serving him all along, and the sale completes in one seamless encounter. In this wholly separated arrangement the PCI DSS-validated third party is indeed solely responsible for securing the payment, leaving your enterprise truly disassociated and compliant.
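The difference between the conferenced payment from the previous section and the border-controller hand-off described here comes down to which endpoints receive the caller's media while the card number is keyed. The model below is an added example, not code from the article or from any vendor's product: it represents each call leg as an endpoint, a "bridge" as the set of endpoints currently hearing the caller, and reports which merchant-network endpoints end up holding the PAN. The endpoint names, the bridge abstraction and the test card number are hypothetical simplifications of real SIP/RTP call legs.

```python
"""Model of the two call topologies discussed in the article.

Added example, not code from the article or from any vendor product. It shows
which endpoints receive the caller's media in a conferenced payment versus a
border-controller hand-off, and therefore which merchant-side systems end up
holding the card number. Endpoint names and the 'bridge' abstraction are
hypothetical simplifications of real SIP/RTP call legs.
"""
from dataclasses import dataclass, field
from typing import List, Set

PAN = "4111111111111111"  # well-known test card number, used as constructed input


@dataclass
class Endpoint:
    name: str
    merchant_network: bool  # True if it sits inside the contact center's network
    heard: List[str] = field(default_factory=list)


@dataclass
class Call:
    caller: Endpoint
    agent: Endpoint
    recorder: Endpoint    # records whatever the agent leg receives
    processor: Endpoint   # the PCI DSS-validated third party
    bridge: List[Endpoint] = field(default_factory=list)  # endpoints receiving the caller's media

    def caller_sends(self, payload: str) -> None:
        for ep in self.bridge:
            if ep is not self.caller:
                ep.heard.append(payload)


def new_call() -> Call:
    return Call(caller=Endpoint("caller", False), agent=Endpoint("agent", True),
                recorder=Endpoint("recorder", True), processor=Endpoint("processor", False))


def conference_payment(call: Call) -> None:
    """Scenario from the article: the agent conferences the processor in and stays on."""
    call.bridge = [call.caller, call.agent, call.recorder, call.processor]
    call.caller_sends(PAN)


def sbc_payment(call: Call) -> None:
    """Border-controller hand-off: the caller leg is re-homed to the processor alone,
    the agent and recorder are parked, and the caller is reconnected afterwards."""
    call.bridge = [call.caller, call.processor]
    call.caller_sends(PAN)
    call.bridge = [call.caller, call.agent, call.recorder]  # same agent, same call
    call.caller_sends("thanks, that went through")


def merchant_exposure(call: Call) -> Set[str]:
    """Names of merchant-network endpoints that now hold the PAN, i.e. what pulls
    the contact center into PCI DSS scope."""
    return {ep.name for ep in (call.agent, call.recorder, call.processor)
            if ep.merchant_network and PAN in ep.heard}


if __name__ == "__main__":
    for scenario in (conference_payment, sbc_payment):
        c = new_call()
        scenario(c)
        print(f"{scenario.__name__}: in-scope endpoints = {sorted(merchant_exposure(c)) or 'none'}")
```

In the conferenced case both the agent and the recorder hold the card number, so the contact center's telephony and recording systems are in scope; in the hand-off case only the processor ever receives it, the recorder captures nothing sensitive, and the same agent still hears the customer once the payment completes. Whatever product performs the hand-off, this is the property to verify: inspect the media path during the payment step and confirm that no merchant-side leg, including recording and speech-analytics taps, is bridged to the caller.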

The Whole Truth

What is the lesson? Contact center managers, and the technology providers that serve them, must investigate every avenue for cardholder protection, such as the cost-effective session border controller approach described above, instead of relying on the idea that "outsourcing" by itself mitigates exposure. Third-party providers vary in their level of PCI compliance, so ask each one for its current Attestation of Compliance and a written statement of which requirements it covers on your behalf (PCI DSS Requirement 12.8 obliges you to manage service providers this way), and remember that the complexity of contact center operations may still leave you at risk.

PCI requirements change rapidly, and contact centers struggle to keep pace with new threats and evolving industry standards. Staying current on practices such as session border controller-based call separation keeps your risks mitigated, protects your customer data and reduces your compliance costs.

About the Author

Greg Gentile is president of Govolution, a payment service provider that offers its Velocity Payments solution to enterprises, government agencies, and institutions. He can be reached at  

Edited by Peter Bernstein
