Sarah-Jane Heber-Hall, Operations Director at ComputerTel says she felt compelled to send us a brief statement which she has compiled, based on the amount of companies claiming that their equipment, especially in the Voice recording arena, is ‘PCI DSS compliant’.
Heber-Hall says this is misleading organisations who are not fully conversant with PCI DSS and how to obtain compliance.
“PCI DSS is an industry requirement these days and will affect any organisation who takes credit card payments in the course of their business.
Relating to voice recording applications, PCI DSS do not offer accreditation or endorse any equipment. They simply stipulate the guidelines and companies must work with their PCI assessors and credit card companies to create a PCI DSS compliant environment.
PCI DSS affects each department within an organisation and it is all about the processes and procedures that a company endorses, which help them achieve compliance.
There are a number of equipment suppliers claiming that they can provide PCI compliant equipment, this is misleading contact centres to believe that if they simply buy “compliant equipment, it will be enough. It can only be deemed as a complaint contact centre by a qualified security assessor (QSA) and based on the processes and procedures in place at that particular site.
PCI DSS is more about making the way you conduct your business of processing card payments over the telephone, safe and secure and about minimizing ANY risk from fraudulent activity.
So what can you do to Minimise Risk and help achieve compliance?
Internal processes and procedures are the initial focus for the organisation, so they may evaluate how they currently operate and how they can minimize the flow of information to un-necessary departments or personnel. Once the processes are in place, then specific technology to help maintain the process and manage risk with a view to reducing the need to store data to a minimum and only store this information securely and safely, preferably in an encrypted form.
Technology that enables this process to occur is therefore key. However it would be specific to the individual contact centre and in line with their mode of operation and risk management. Generic technologies like secure data storage systems, encryption software and risk mitigating technologies like Verified by Visa and Mastercard Secure Code makes life easier for the contact centre to meet their PCI standards.
Specifically relating to the removal or storage of the CVV and voice recordings, then the best technologies to meet this requirement is by integrating the CRM/Credit Card Payment system with the recording solution’s Application Programming Device (API).”