In today’s digital economy, where millions of transactions occur at any given moment, it is critical that businesses and vendors maintain the most stringent security measures to protect their customers’ payment card information. That is why the major credit card institutions (American Express, Discover, MasterCard, Visa, JCB International) created the PCI Security Standards Council in 2006, outlining a number of rules and regulations businesses and vendors should follow in order to prevent potential breaches. But for businesses and call centers collecting sensitive payment information over the phone, what measures should be taken to protect their customers and maintain PCI compliance?
Mask sensitive payment information: To ensure sensitive cardholder data is not captured and stored, businesses should automatically terminate call recordings when payment information is shared over the phone, mask payment information with silence or white noise, or encrypt call recordings to prevent the potential misuse of cardholder data.
Take payment information via IVR: To remove the need for agents to hear, collect, or record sensitive information altogether, businesses can automatically route callers to an Interactive Voice Response (IVR) menu for payment card input, reducing the potential misuse of payment card information or security breaches.
Limit access to payment information: If payment information is stored, it should only be accessible to certain individuals. Businesses should limit access either physically through RFID card systems within their building, or through role-based log-ins, ensuring staff members are only able to access what they need to perform their job.
Change passwords regularly: Businesses should frequently change access passwords (every 60-90 days), and ensure passwords are strong (e.g. a mix of numbers and upper- and lower-case letters) to help prevent a potential breach.
Additional measures to take: While businesses want their employees to feel trusted, additional measures should be taken if employees are regularly handling payment information. Call center managers can replace paper with whiteboards and limit the use of cell phones while in the center to prevent a potential breach.
Ensure your platforms are PCI certified: Whatever platforms a business is using to collect and store payment information (e.g. CRM, call center software), it should ensure the solutions are PCI certified by the PCI Security Standards Council. 3CLogic’s call center software is PCI compliant, having met rigid security requirements and undergone internal and external vulnerability and penetration testing.