For many businesses, good call center agents are the best way to increase collected revenue and close more accounts. The front-line agent’s job is to provide a great customer experience and, in many cases, take payments. Any contact or call center that takes card payments by phone is therefore in scope for PCI DSS and must comply with its requirements.
Phone Payment Risks for Call Centers
Most call centers record calls to ensure customer service quality. If agents take payment card details verbally, those recordings are themselves stored cardholder data. PCI DSS does not allow sensitive authentication data such as the card security code to be retained after authorization, even as audio, and any recorded PAN must be protected like any other stored cardholder data.
Even with ‘pause and resume’ technology that stops the recording while the card number is spoken, the number still travels through the phone system and VoIP infrastructure, so that infrastructure stays in scope and the data can still be compromised there.
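As an added example (not part of the original page or of PDCflow’s software), the following Python scanner shows the kind of check a practitioner can run over existing call transcripts or logs to find out whether card numbers have already been stored. It looks for 13 to 19 digit runs, including numbers transcribed digit by digit with spaces or dashes, and keeps only those that pass the Luhn check that every card number must satisfy. Matches are reported masked (first six and last four digits, the maximum PCI DSS permits on display) so the report itself does not become another copy of the cardholder data. The transcript lines are constructed sample input; 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
"""Scan call transcripts or logs for stored primary account numbers (PANs).

Added example, not from the original page or PDCflow. Assumes transcripts are
plain text in which agents or customers may read numbers out digit by digit.
"""
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or
# dashes (how a number read aloud tends to be transcribed). The lookarounds
# stop the match starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (raw_match, normalized_digits) for every Luhn-valid candidate."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_transcript(lines) -> list:
    """Return (line_number, masked_pan) findings; the full PAN is never returned."""
    findings = []
    for no, line in enumerate(lines, 1):
        for _raw, digits in find_pans(line):
            findings.append((no, mask_pan(digits)))
    return findings


# Constructed sample transcript (not real data). Line 2 holds a Luhn-valid test
# number; line 4's order number and line 5's ticket number are digit runs of
# the same length that fail the Luhn check and must not be reported.
SAMPLE_TRANSCRIPT = [
    "[00:12] agent: can I have the card number please",
    "[00:15] customer: sure, 4111 1111 1111 1111",
    "[00:20] agent: thanks, and the expiry",
    "[00:25] customer: 12 26, and my order number is 1234 5678 9012 3456",
    "[00:31] agent: ticket 4111111111111112 for reference",
]

if __name__ == "__main__":
    for line_no, masked in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: possible PAN {masked}")
```

The Luhn check removes most random digit strings (the constructed order and ticket numbers above fail it), but Luhn-valid numbers that are not cards do exist, so treat hits as triage leads rather than proof. For audio recordings, run this over the speech-to-text output rather than the raw audio, and remember that the transcript then becomes cardholder data in its own right that must be protected or destroyed.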
PCI Compliant Call Center: Agent Risks
The agents themselves pose another risk for call centers either through accidental mishandling of sensitive data or malicious intent to commit fraud. Management needs to train staff on the security risks and PCI compliance requirements associated with credit card transactions.
Maintaining compliance throughout your call center is a team effort. It takes cooperation and understanding at every level of the business. Establishing guidelines, maintaining current documents and fostering an open, positive environment are all essential to keeping agents invested in compliance and security.
Call Center PCI Compliance Policies And Procedures
The foundation of managing a business is a robust set of policies and procedures. Your call center PCI compliance checklist should be presented during your call center training and clearly explain the guidelines agents must follow (and why).
The policies and procedures should include:
- Awareness training that any unauthorized copying, sharing or storing of payment card data is prohibited.
- Awareness training that the physical security of their workstations and equipment is a high priority.
- The use of multi-factor authentication when connecting to any systems that process credit card data.
Provide an accessible written document not only for training purposes but to allow employees to refer back any time they have questions.
Quarterly Security Training
Your staff is likely a mix of new, moderately experienced, and seasoned call center agents. With such varied levels of training, it’s a good idea to present all agents with reminders every few months.
This keeps the information top-of-mind and reinforces its importance. Employees can become complacent in their daily routine and slip up. Refresher training reduces the likelihood of your call center PCI compliance rules being forgotten.
Additional PCI Council guidance for managing call center agents so that card data is safeguarded includes:
- Restricting the use of pen and paper so cardholder data cannot be written down. Employees with high targets or busy call schedules can feel pressured to take shortcuts, and even top agents might break the rules if they don’t understand the security risks of handling payment card data.
- Banning cell phones from the call center floor so that voice recordings or photos of cardholder data cannot be taken.
- Restricting agents from bringing in personal items that could be used to exfiltrate cardholder account data, such as USB sticks.
- Ideally, using technology so that agents never have to hear or key account numbers into a virtual terminal. For example, PDCflow's Flow Technology lets the agent send the cardholder an email or SMS with a secure payment form, so the customer enters their own card details while still on the phone with the agent.
Management and trainers should explain why agents need to take care with the sensitive card data they handle. This ensures employees understand why procedures exist and why these rules should be consistently followed.
Reward and Support Reporting of Security Threats
If employees aren’t trained, or feel uncomfortable approaching management, they may delay reporting a problem, and delayed reporting can turn an incident into a data breach.
How management handles compliance and security reporting policies can also impact morale – and future agent performance. Front-line staff are in a good position to notice when some policies are out of date or an outside threat may be attempting to gain access to internal systems.
Create an environment of inclusion and respect between call center agents and leadership. This way, staff will feel comfortable approaching you with concerns that may end up benefiting the company.
Also remember that mistakes happen. If an employee clicks a link in a scam email or falls victim to phishing, don’t punish them. Staff that feel scared to report problems may delay doing so. This is when companies are at higher risk of outside parties penetrating internal systems to gain access to consumer data.
PCI Compliance Goals
The PCI DSS requirements are grouped under six goals:
- Build and maintain a secure network and systems so that payment transactions are processed in a protected environment.
- Protect stored cardholder data, and encrypt cardholder data whenever it is transmitted over open, public networks.
- Maintain a vulnerability management program.
- Implement strong access control measures that restrict and control access to cardholder data and the systems that handle it.
- Regularly monitor and test networks to confirm that security controls are in place and working effectively.
- Maintain a policy that addresses information security for all personnel.
PCI Compliance for Call Center Remote Agents
The Home Office
An inadequate home office setup can violate PCI DSS requirements. Allowing call center staff to take payments or handle sensitive information from home is possible, but you must ensure that access to work systems and networks is secure and doesn’t violate security regulations.
Also, be sure the employee’s intended work-from-home environment doesn’t violate PCI or other payment security and compliance rules. A few of the most frequent mistakes made when setting up a home office:
- Shared office spaces - those outside your organization should not have access to consumer data. With so many companies turning to remote work, sharing an office space with a spouse or housemate may be common. Employees need to know only staff should have access to private work information.
- Inadequate security - Just as sharing a workspace is not always appropriate, having inadequate security in the remote workplace can cause issues. Computer screens should be locked when not in use. In addition, they shouldn’t face areas of the home where others may walk past and view private information.
- Disposal of private information - PCI standards require appropriate, secure disposal of paperwork that contains credit card information or other private data. In a traditional office, secure shred bins are routinely accessible. In remote work, this isn’t the case. This is where providing awareness training will be critical so agents understand the importance of the physical security of PCI data.
Be clear that employees should not write down or otherwise retain sensitive data. However slim the chance, card numbers discarded in regular trash can be found and used.
Simplify Agent Responsibility Through Software
Simplifying processes for employees and consumers increases completed payments and raises average payment amounts. The most reliable way to keep agents compliant while improving the customer experience is to build compliance into the payment workflow itself.
PDCflow’s Flow Technology for PCI compliant agent-assisted payments allows agents to send secure payment forms directly to consumers through email, text or chat. These requests are simple enough to be filled out and completed while still on the phone or on a chat with a call center representative. This minor operations change eliminates the need for staff to ever handle credit card data:
- Reducing training time
- Simplifying procedures
- Minimizing security risks
Flow Technology can be used to reduce risk and speed up payment compliance for in-office and remote call center employees.
With PDCflow’s Flow Technology and payment processing software:
- Agents never have access to cardholder information, reducing PCI scope and overall risk.
- Agents cannot misuse card data for fraud, because they never see it.
- A documented audit trail confirms identity and can include the capture of a signature for payment consent if needed.
- The payment is not delayed. Agents can take the payment immediately while still on the phone with customers providing a great customer experience.
- Agents can stay in control of completing the order or payment.
- Agents can include sending a billing statement or invoice with the payment form to answer questions.
For more information on PDCflow’s Flow Technology and payment suite options, request a call with a PDCflow Payment Expert today.
Last updated March 2023