Blog Posts

Contact Center Payment | The PCI DSS compliance pitfall to avoid in your contact centre

Olivier Cauderlier
January 10, 2022
3 minutes

We live in a world in which personal data is constantly under threat. From nation state attacks to ransomware, there has never been a time when people and organisations have been more aware of the way their data is used, processed or stolen. Contact centres that process card payments are at the frontline of this data threat and need to be more vigilant than ever to protect client data and brand reputation.

The conversation around cyber security needs to occur at the highest levels of the business, especially as business owners and senior stakeholders will most likely be held personally liable for data breaches. While there is a greater understanding of the compliance landscape across businesses, many contact centres are still in scope for PCI DSS compliance when you take a deeper look at their payment processing solutions.

The current contact centre compliance landscape

The primary motive behind most cybercrime is financial gain (90% of breaches), which means that contact centres who process card payments are at high risk. Verizon’s 2020 Payment Security report found only 27.9% of the organisations globally surveyed achieved 100% compliance with PCI DSS during their interim validation.

This leaves over 70% of the organisations vulnerable to not only attack but liability. Failure to maintain PCI compliance can not only affect your right to utilise payment channels, you may also be penalised with severe, six-figure, fines.

This has seen a drastic drop since 2016 when over 55% of organisations surveyed were compliant. It also shows the greater complexity that organisations must deal with when it comes to risk and compliance. This is reflected in the new PCI DSS 4.0 standards (through encryption on internal network and continuous compliance) — planned by the PCI DSS council to come into effect in early 2022. Security testing must now be a continuous process rather than a freeze frame of an organisation’s compliance standard taken during the annual audit. The new standard requires assessors to select and present samples over a period of time.

It’s clear that the burden of compliance is only increasing over time for organisations. The growing trend of contact centre agents working from home is one of many added layers of complexity to PCI DSS compliance.

Understanding the different levels of PCI SAQs

All merchant organisations must be certified as PCI DSS compliant annually. How your organisation accepts card payments will define which PCI DSS SAQ must be utilised to evaluate your compliance with the PCI DSS. There are eight types of PCI DSS SAQ levels. One or more may apply to you, depending on the nature of your payment channels. Contact centres are typically SAQ-A outsourcing most responsibilities to an accredited partner or SAQ-D, where, as a merchant, you carry the burden of compliance.

Why you should be relying on PCI DSS SAQ-A compliant payment solution?

The last thing you want to find out is that you’re at more risk than you think — and, unfortunately, compliance is not always simple. While many cloud technology providers claim they have PCI DSS compliant solutions, very few are able to truly descope contact centres. This leaves businesses with the bulk of responsibilities like still having to deal with up to 400 audit points across 12 requirements and 250 sub-requirements (as with SAQ-D). Just meeting four of these requirements can cost over $50k, and compliance certification needs to be completed every year. Ensuring you comply with 400 audit points is not just time intensive and laborious, it is also risky. You must figure out who is responsible for each compliance area — is it the merchant, is it yours, or is it shared? This is a huge exercise that requires specialist resources and subject matter experts, all of which add to your costs.

Therefore, using an SAQ-A compliant solution matters. An SAQ-A evaluation means that, as a merchant, you only need to answer 24 audit points across five requirements. The processing of card payments is outsourced, and card details never enter the contact centre so all compliance responsibility can be left to the security expert. The graphic on the right provides an example of the potential difference in PCI DSS compliance ownership for an organisation that relies on a standard SAQ-D solution versus one using a gold-standard SAQ-A one.