Are Call Centers the Weak Link in PCI Compliance?

By Gary Palgon and Cameron Ross

Call centers that accept credit card numbers not only have an ethical obligation to protect sensitive customer information, but also a requirement to comply with the Payment Card Industry’s Data Security Standard (PCI DSS), as well as data privacy laws. In addition, outsourced call centers bear equal responsibility for protecting consumer privacy and credit card numbers, while keeping customer information belonging to different clients separate. Today, most service level agreements (SLA) require third-party call centers to provide this protection and be able to prove PCI DSS compliance.

Call centers typically use several applications and databases to store consumer information. It’s common to find a dozen or more applications – including ones for fraud monitoring, returns, outbound marketing, CRM, and data backups – holding sensitive information. The more places sensitive data resides in an organization, the more difficult it is to protect it and comply with PCI DSS.

For companies that maintain call centers to accept phone orders and companies that outsource to a call center service, protecting cardholder information from the moment the credit card number is taken until it is destroyed is imperative for PCI DSS compliance. Yet call centers are often the weak link in the chain of PCI compliance for a host of reasons.

Innate Call Center Vulnerabilities Increase Data Security Risk: Few would disagree that call center employee turnover is high, which keeps the risk level high. Despite background checks on applicants, some employees simply are not trustworthy. Dishonest or disgruntled employees represent a high risk and have been known to steal credit card numbers to either use themselves or to sell. What’s more, some call centers are located in low economic areas where a criminal element exists. There are documented instances of customer service reps being bribed and coerced to provide credit card numbers. Allowing call center employees to handle credit card numbers during a transaction increases the risk of misuse exponentially.

With all that is at stake – laws, fines, and a damaged reputation – it’s vitally important for call centers to implement ironclad defenses against electronic breaches and internal data theft. Fortunately, a new data security technology called audio tokenization has emerged to provide this level of protection in call centers.

Audio Tokenization: The Solution to Call Center Data Breaches: The key to protecting cardholder data in a call center is twofold:

1) Prevent call center employees from hearing or seeing credit card numbers

2) Protect credit card numbers residing in back-office applications and databases

A customer service rep who never sees the credit card number on screen during an order can’t steal it. Supervisors who can’t hear the number during a recorded call quality assurance (QA) review can’t take it.

Audio tokenization, a hardware-software solution that combines DTMF-blocking technology with data tokenization, ensures that all recorded telephone conversations are compliant with PCI DSS regulations and that credit card numbers are fully protected from electronic breaches of back-office systems, applications, and databases.

Here’s How Tokenization Works: Audio tokenization works with call-recording systems to help bring call centers into PCI DSS compliance. It combines DTMF tone-blocking software and hardware with tokenization to protect credit card numbers from the time they are given during a telephone order to wherever they reside throughout the extended enterprise, for as long as they are in the company’s possession.

Audio tokenization detects and blocks DTMF tones, the sounds produced when keying in a number on a telephone keypad. This prevents the customer service representative from having any exposure to credit card numbers during an ongoing conversation over the phone. It also prevents storage of the numbers being communicated by the customer.

As soon as the customer enters their credit card information, the tokenization technology takes over. A token – a meaningless surrogate value – is issued for that number during the transaction and placed into the company’s order entry and processing applications. The actual credit card number is encrypted and stored in a central, secure repository, where it is accessible only to authorized employees with the proper encryption key.

In addition to preventing order takers from seeing the credit card number on screen, audio tokenization also prevents supervisors from hearing the card number during QA reviews. Because credit card numbers are not exposed in any application, they are protected from casual exposure to all other employees.

Tokenization Benefits Call Centers beyond Protection: Because format-preserving tokens maintain the length and size of the data they replace, applications, systems, and databases do not have to be modified to work with them. And because the tokens maintain a one-to-one reference – or referential integrity – to the data they represent, sales, marketing, and financial analytics can be performed just as if the actual credit card number were present.

Tokenization also has another big advantage, which is a key reason why it’s catching on with so many companies. It takes entire business systems, applications, and databases out of scope for PCI DSS compliance and annual audits. De-scoping can dramatically reduce the time, effort, and cost of PCI DSS compliance.

To illustrate the value of de-scoping, a $500 million US direct marketer implemented tokenization in 2009 to protect cardholder information gathered by phone, mail order, and online orders and to comply with PCI DSS. By substituting tokens for credit card numbers in applications, the e-tailer was able to take eighty systems – nearly 90 percent of all its systems – out of scope for PCI DSS audits, leaving only ten systems to be audited. The company estimates that this reduction in scope has the potential to save $250,000 annually in staff, administrative, and audit overhead. The company is now in the process of reinvesting their cost savings to tokenize customer loyalty data and other personally identifiable information.

Audio tokenization is highly effective for protecting cardholder information in call centers because it eliminates exposure to credit card numbers during the order taking process and in back-office processes and applications. The benefits of using audio tokenization to help secure customer data in call centers reaches beyond PCI DSS compliance and privacy laws to reduce overall corporate risk due to security breaches, as well as to minimize the cost of compliance. As an added advantage for larger call centers, operating in a PCI-compliant environment enabled by audio tokenization can secure lower charges with banks to improve profitability.

Gary Palgon is vice president of product management for data protection software vendor nuBridges, Inc. He leads the Payment Card Industry’s Tokenization Working Group, one of four working groups in the PCI SSC’s Scoping Special Interest Group (SIG). He can be reached at

Cameron Ross is cofounder and managing director of Veritape, where he oversees business strategy and operations for the leading provider of PCI DSS-compliant call-recording software for call centers. He can be reached at

[From Connection Magazine April 2011]

Leave a Reply