Keep Calm and Simplify: 4 Tips to Tackle Compliance in the Era of PCI DSS 4.0

Learn how to helm compliance & security without compromising payments CX with the introduction of PCI DSS v4.0 standard.

September 22, 2022

Compliance is a tricky territory for contact center businesses. Now, the introduction of PCI DSS v4.0 will bring a few changes that will impact these companies. Geoff Forsyth, chief information security officer, PCI Pal, discusses how to navigate compliance and security without compromising the payments CX as PCI DSS v4.0 is introduced.

Contact centers are often at the forefront of customer service, managing numerous inbound calls and sensitive card information. With the ecommerce boom prompted partly by the pandemic, call volumes exploded, leading to a projected valuation of $496 billion annually by 2027, according to ReportLinker. With the increased reliance on contact centers has come an increased threat of both human and cyber attacks on sensitive data. Consumers expect organizations to provide secure environments, and with the newly revised standard, PCI DSS 4.0, contact centers have guidance to execute.

Compliance has always been a tricky territory for businesses to navigate. The latest version, PCI DSS 4.0, has taken security and compliance standards to a new level compared to the original standards produced in 2004. The new revision encompasses six goals and twelve requirements related to payment card data protection, making it more than two-and-a-half times longer than the previous set of standards. One of the biggest changes is the new two-track method which introduced the “Customized Approach,” a flexible option for businesses, and requires additional documentation to demonstrate compliance. 

Companies know it is best practice to keep customer data secure. But they tend to act too quickly when adhering to new security measures, leading them to fall into “The Three Stages of Compliance Management Failure.” These include:

1. Failure of vision: These are “why” mistakes. This is a failure to understand the purpose — not aligned on goals and outcomes.

2. Failure of strategy: These are the “what” mistakes. This is a failure to design and execute a strategy in a manner that delivers the desired results — choosing the wrong “what” to make the strategy happen (i.e., wrong priorities and objectives).

3. Failure of architecture and design: These are “how” mistakes. Simply put, it is about taking the wrong approach, including inadequate strategy and management methods and frameworks.

With PCI DSS 4.0 increasing guidelines and recommendations, many contact centers are searching for a long-term strategy to future-proof their systems in hopes of avoiding the three stages of failure. Due to the volume of the new 4.0 standards, disseminating the information can be daunting. We have put together the following tips to help you navigate compliance and security without compromising your organization’s payments customer experience (CX).

4 Tips To Navigate Compliance While Elevating CX

1. Do your homework

Do not blindly jump into implementing the new DSS 4.0 requirements. Take a step back, understand how these new standards will impact your business, and then create your strategy. Establish a project with your team to properly review the new requirements, ensuring everyone is aligned before executing.

With the rapidly changing payments landscape, companies need to understand the environment and new data privacy laws that many national and regional governments are implementing. With legislation differing regionally, a standard such as PCI DSS gives companies a road map for success to ensure payment card processes are secure.

A step that is often overlooked, but should be most obvious, is reading the standard itself. Although the standard may not be a beach read, taking the time to sift through the material is critical to helping your business decipher what updates will be most important. For contact centers, these are some of the new controls that will directly impact them:

1. Certificates used to safeguard Primary Account Numbers (PAN) during transmission over open, public networks 

2. Reviewing and updating the security awareness program at least once a year

3. Maintaining the new minimum level of complexity for passwords when used as an authentication factor 

4. Using multifactor authentication for all access to the cardholder data environment (CDE)


2. Keep CX top of mind

The companies that do their homework and are compliant may be worried that their CX will be affected. Consumers expect security without hindering their experience. The new and more prescriptive security controls require greater efforts from companies that process, transmit, or store credit and debit card information or cardholder data (CHD). Although PCI DSS may involve extra steps to reach compliance, that does not mean your CX will be sacrificed. Establishing CX goals is critical in adjusting to the new set of guidelines. You must ensure your business has boundaries that keep customers comfortable while keeping their information safe.

The latest update to PCI DSS, 4.0, enacts new measures to enhance customer security, meaning companies will need to adjust their current strategies. A shift in strategy can sometimes lead to changes in your practices, but that does not mean you should abandon your initial company goals. For contact centers, the three main priorities include:

1. Protecting customer data by updating technology

2. Minimizing access to customer data

3. Implementing a continuous improvement program with a maturity model.

3. Descope for success 

A system is ‘in scope’ for PCI DSS when it is part of your cardholder data environment (CDE). The more in-scope systems you have, the more difficult it is to secure and manage your CDE. Reducing the scope, and ultimately descoping your CDE, is one of the best ways to lighten the workload associated with the planning, implementation, operation, maintenance, and improvement of PCI compliance. For call centers, descoping means more than just staying compliant; it can cut costs, increase security, and improve the agent and customer experience.

Minimizing the scope of your CDE can sometimes feel overwhelming, but the process is not that intimidating. For contact centers, descoping can be compartmentalized into three areas:

1. Find an alternative to storing card data. Avoid receiving and storing PANs and other sensitive data with automated solutions. It is best to use a specific cardholder data (CHD) tool to ensure the cardholder’s PII (Personally Identifiable Information), such as their name, expiration date, and CVV code, is protected. 

2. Segment your network. Limit the systems and environments that need PCI compliance by separating network environments that store, process or transmit payment card data from those that don’t.

3. Outsource aspects of card processing and security. Outsourcing can remove some of the burdens of PCI DSS compliance from your organization and free up resources. Contact centers, log monitoring, access control management, and ecommerce systems are everyday environments that can be outsourced and therefore descoped. 

4. Simplify

Contact centers went through significant changes with COVID-19. A job that previously had to be done in a secure environment went to a remote work model overnight, causing new hurdles for companies. This major shift in operational models prompted contact centers to take action and simplify their processes. 

An important aspect to remember is the agent experience. An agent has to balance the three main fundamentals within the contact center: the phone system, the Customer Relationship Management (CRM) application, and, of course, the customer. As the backbone of the contact center experience, agents need additional support, and the key is to outsource payment security functions. Simplifying the agent experience regarding payments allows agents more time to deliver an outstanding CX and to focus on the customer and their journey. 

Contact centers that revisit their strategies early will be set up for long-term success. They will need to do their research, prioritize CX, reduce their scope, and simplify to build trust and protect their reputations in ever-competitive environments. 

What steps have you taken to navigate compliance and security while ensuring seamless payment CX with the introduction of PCI DSS v4.0? Let us know on Facebook, Twitter, and LinkedIn.


Geoff Forsyth
Geoff Forsyth, CISO at PCI Pal, is responsible for the overall information security and regulatory compliance of the organization’s global services, including legal compliance, IT systems risk analysis, incident response planning, and business continuity management. As a Fellow of the British Computer Society, Geoff has spent over 25 years working with internet and telecommunications services.