Archive for the ‘Risk & Compliance Management’ Category

PCI DSS: Protecting Credit Card Security in the Call Center Or “Honey, Did We Buy a MacBook?”

November 17th, 2009 Eyal Kirshner

A few months back, as I went through my credit card statement, I found to my surprise a $1,500 charge for a MacBook I couldn’t recall purchasing. My wife looked puzzled as well. We both stared suspiciously at our two-year-old daughter. She stared back, but didn’t crack. I called the credit card company. The customer service rep I spoke to immediately credited my account and said the company would take care of everything (again, to my surprise). The company traced back all of my recent purchases and found an online store that I never purchased from before. The rep who followed up said it seemed that my credit card number and personal information were stolen after I’d made a purchase there. The MacBook was purchased from another site just a few days later.

With the emergence of e-commerce over the last couple of decades, you can purchase just about anything online using a credit card. When something is so easy and so widely used, it unfortunately attracts the wrong crowd. Credit card-based e-commerce is a good example. Here are just a few frightening facts and figures:

  • Credit and debit card fraud reached $7.82 billion worldwide in 2006 and is expected to climb to $15.3 billion by the end of 2009. (Frost & Sullivan)
  • Loss or theft of personal and financial information is the number-one concern among consumers worldwide (64%), surpassing terrorism, job loss, disease epidemics and natural disasters. (Visa survey)

PCI DSS and call centers to the rescue

Knowing this, banks have taken action. Visa, MasterCard, American Express, Discover and JCB each began programs to protect card security, sowing the seeds of what would become the Payment Card Industry Data Security Standard (PCI DSS). Each company’s intentions were similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. In September 2006, the PCI Security Standards Council was formed as an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. As of September 2009, more than 600 organizations participate worldwide. 

At its core, PCI DSS consists of the “Digital Dozen”: six goals and twelve requirements that revolve around maintaining a secure environment for cardholder data, restricting access to the data stored there, and ongoing monitoring to ensure this environment has not been breached. If you examine the Digital Dozen, you can see the important role that call centers play in PCI DSS. From protecting cardholder data, to restricting access and constantly monitoring who is accessing it, the contact center can be considered one of the main gatekeepers for credit card security.

Having been the victim of credit card fraud, I take some comfort in the idea that companies—particularly their call centers—are working to protect me. And personally, I’d be more inclined to do business with a company that is taking PCI DSS seriously, as part of its responsibility, not only to credit issuers but to customers.

What measures is your call center taking to comply with PCI DSS?


Call Recording in the Small Contact Center: Vanilla Isn’t Good Enough Anymore

November 11th, 2009 David Geffen

Simple call recording in today’s small to medium contact center (SMCC) is regarded as a standard vanilla-flavored ice cream. It’s a no-brainer commodity solution supplied today by a number of vendors which, all in all, don’t differ that much from one another (the working ones, that is…). The tricky part is that tasty chocolate topping: namely, the more advanced call recording solutions that can really advance the SMCC.

CRM magazines are full of articles discussing how call recording today is not intended merely for compliance purposes, but for tangible business benefits such as operational efficiency and customer satisfaction. Although usually directed at the enterprise call center, this same trend can be seen in the SMCC, which can also benefit greatly from the sophisticated business applications available at the enterprise level.

Obviously, we can’t expect SMCCs to spend as much on their call recording applications as the big players spend. Nor can these smaller contact centers accommodate the footprint or deployment complexity. Still, the most common question I hear from NICE SMCC customers is, “How can we do more with less?” Is it fair to expect that SMCC entry-level call recording solutions will provide most if not all the business capabilities of the high-end enterprise solutions at much lower price points? Personally, I believe there is a middle ground. As SMCCs push for the chocolate topping on their vanilla call recording applications (examples can include sophisticated retention rules, meta business data attachment to interactions, Quality Management and ‘Delete on Demand’ capabilities), SMCC solutions are bound to become more and more similar to enterprise solutions in their capabilities, without sacrificing their simplicity and ease of deployment.

Would be glad to get your thoughts…
