The journey of a PCI-DSS compliance project – Part One - Cognia - ContactCenterWorld.com Blog
I wanted to take some time to look at the journey of a PCI compliance project for a merchant, from the drivers behind it to the completion of the validation process. My hope is that sharing what I feel are best-practice approaches will turn what can be a daunting project into a clear journey with sign-posts and stop-offs along the way.
It’s a multi-part series, which will be published regularly, so please be sure to come back and follow our updates (@CogniaDotCom).
I’ve gained a lot of experience in and around contact centers implementing Cognia Live, Cognia’s contact centre DTMF payment service, and so it’s within this environment I will focus on.
The drivers behind a PCI-DSS Compliance Project
Gaining PCI-DSS compliance can be an in-depth and specialised project, which requires considerable planning, orchestration and consensus from all levels of a merchant’s or contact center’s management and operational staff. I say “can be” because some solutions require a much deeper level of commitment (upfront and ongoing) from the organisation than others; for more information on that, read our blog posts on the different solutions available in the marketplace.
Understanding and defining the ‘why’ is always a critical place to start for any project, so it’s here that we begin.
Just remind me, why are we doing this?
When you begin any project it’s important to agree upon and understand why the project was started in the first place.
These project drivers, in my experience, fall within one of four categories:
- External pressure (acquiring banks or card brands requiring compliance)
- Ongoing responsibilities (new physical locations or infrastructure)
- To improve customer experience
- To offer an expanded suite of features to your sales opportunities (outsourced contact center)
External pressure is a common driver for PCI compliance projects, and it can come in two forms: assurance and enforcement. From the merchant’s point of view, both activities will be performed by your acquiring bank. Enforcement takes place after a breach has been identified, whereas assurance is part of the day-to-day relationship management between a merchant and their acquiring bank.
Your acquiring bank can apply pressure to address your PCI-DSS responsibilities if they believe you are non-compliant. This pressure can come in the form of higher transaction fees or even the withdrawal of a merchant’s account. A common procedure is for the card brands to propose an escalating schedule of fines to the acquirer, sized depending upon the level of risk.
All organisations that process customer card data should adhere to the current PCI-DSS standards and record that adherence every year, but organisations have varying validation requirements depending upon the number of transactions they have processed over the previous twelve months. Certainly a Visa level one merchant (processing more than six million transactions in the last twelve months) will be required to prove their compliance through an on-site, QSA-led assessment.
Enforcement of the PCI-DSS standards begins with the card brands. They monitor fraud volume and will identify common points of purchase (CPPs) as part of a breach.
Should a merchant be identified as a CPP, the card brands will approach the acquiring bank for that merchant and can take any number of the following steps with that bank:
- Apply one-off fines.
- Impose increased fees.
- End the commercial relationship entirely, including a ban by the card brand from working with any acquiring bank.
- Set a 90-day deadline to achieve compliance from the issuing of the decision, which costs more and stalls the business, since focus must shift to achieving that compliance.
At this point, it is within the right of the acquiring bank to pass these on to the merchant. Increased fees can have a very real impact on a merchant’s business model and their bottom line, but the one-off fines and threat to end relationships can be terminal for a business.
One critical piece of understanding that is commonly lacking is that, upon the identification of a breach, the PFI (PCI Forensic Investigator) report must be submitted to all of the card brands, no matter which one identified the breach, and each brand has the right to take the same actions as the others, whether or not the breach involved that brand’s cards.
The point of these escalating steps is to ensure that merchants understand the risks of non-compliance and work to minimise it through application of the PCI-DSS standards.
Internal drivers, such as opening new physical locations for your business or changing infrastructure, will require re-assessment of your PCI-DSS compliance. All locations that operate under the same tax ID or DBA (“Doing Business As”) and are not adequately segmented are considered in-scope and must be included in your annual compliance assessment.
Obviously, all new or replacement IT equipment has to be audited, but beware of stealth increases in your scope. For instance, when changing the VLAN segmentation of your network infrastructure, you may bring more of your equipment into scope for the purposes of your compliance audit, and the same can apply to any hosting partners.
Believe it or not, aligning yourself with PCI-DSS standards can improve your customer experience. If your customers feel confident when transacting with your organisation they will be more likely to recommend and repeat.
We all live with a continual stream of news around customer data breaches, making the act of calling in to a contact center and being asked to read out your credit card number to a stranger an unnerving one. Any way you as a merchant can appear to distance yourself from a customer’s data will improve their perception of how you as a brand respect their information privacy.
Contact centers manage this through the use of automated payment IVRs and other innovative solutions such as having customers use their telephone keypad to enter card data. It puts the customer at ease and removes a large burden from the agent and contact center overall.
Improving your product suite
This one really applies to outsourced contact centers who wish to offer their existing and potential customers the option of accepting payments in a compliant way. Many brands enjoy the flexibility of using outsourced contact centers for their telephone operations, but many are unprepared for the overhead of accepting payments. Therefore, being able to offer PCI-DSS compliant services really sets you apart in the market and empowers your sales teams to go after whole new areas of business.
In my experience, it’s always an effective tactic in a project of this scope to add the goal of applying best practice to your organisation alongside the other main project drivers. As PCI-DSS standards are followed by many organisations all around the world, they are a very powerful tool, and as such can be used to bring order and predictability to your systems and processes. Approaching the project from this perspective helps teams see the benefit rather than the burden of compliance, and helps you focus on opportunities rather than costs.
As you can see, the reasons for starting this journey are varied, from regulatory pressure to sales opportunity. Whatever the driver is in your situation, completing your PCI-DSS assessment should be viewed as a key step in building a solid and reliable foundation for the future growth of your business.
Publish Date: February 9, 2015 5:00 AM