PCI Scope Reduction Can Save Tens of Thousands of Dollars Per Year


By Art Coombs

High-profile stories of compromised credit cards and data breaches and their sobering aftereffects have dominated the headlines in recent years. As such, increasing security and reducing fraud is on the minds of many business leaders. This is particularly true of call centers, where credit card transactions are at the heart of their operations. These companies are challenged to provide a secure environment to accept credit cards while keeping the associated costs down.

The leading credit card companies set up the Payment Card Industry Data Security Standard (PCI DSS) to help businesses that take card payments reduce fraud. Built on solid security principles that apply to all sorts of data, it covers areas such as retention policies, encryption, physical security, authentication, and access control. According to the Verizon 2017 Payment Security Report, almost half of companies that accept credit cards fail to protect their payment card data on an ongoing basis.

The explanations vary widely as to why this is the case, but one of the primary reasons is the expense associated with maintaining full PCI compliance. In many cases, it’s prohibitively expensive. Fines levied by banks and credit card institutions for not being PCI compliant in the event of a breach can range from five thousand dollars to five hundred thousand dollars, highlighting the need for compliance despite the cost.

Companies Face Mounting Costs

PCI-compliance costs add up quickly. Companies can expect to pay handsomely for items such as vulnerability scans, penetration testing, training, and policy development. Overall, there are twelve standards and more than four hundred controls outlined in the PCI DSS.

Often the largest direct expense (aside from remediation requirements resulting from a breach) is usually the PCI assessor and assessment fees, which, depending on the complexity of an organization, cost tens and even hundreds of thousands of dollars each year. These annual and biannual assessments are conducted by Qualified Security Assessor (QSA) companies, independent security organizations that have been qualified by the PCI Security Standards Council to validate a company’s adherence to PCI DSS.

The PCI Security Standards Council maintains an in-depth program for security companies seeking certification as Qualified Security Assessors and recertification each year. The requirements are stringent and comprehensive. Because of the time and energy individuals and companies invest in certification, they are justified in charging a premium for the assessments they conduct.

Reduce PCI Scope and Save Money

The litany of requirements is as costly as it is formidable, but call centers, as well as any company accepting credit cards, need to be aware that there are distinct ways to reduce the burden of applicable PCI controls. This means they can easily reduce the number of areas in the scope of PCI compliance that the company is responsible for. Reducing or eliminating areas of PCI scope can greatly reduce costs now and in the future and still provide a secure system.

Two approaches call centers can employ to reduce or even eliminate PCI scope is to use DTMF (dual-tone multi-frequency) suppression and SMS text messaging. These bypass the agents and contact center infrastructure, going instead directly to a tokenization service provided by the company’s payment processor and acquiring bank.

DTMF represents the tones the numbers on a phone make when pressed. DTMF suppression is a method that enables customers to enter their credit card information using the keypad on their phone. The agent stays on the line and never sees the numbers or hears the tones.

The second approach is to leverage SMS, or texting, so customers don’t have to give their credit card information verbally over the phone to the agent. SMS and an accompanying payment portal are a secure and smart solution for accepting payment for several reasons. Most consumers are already familiar with their mobile devices and SMS. This saves agents from having to explain a complicated web portal and payment screen. The consumer doesn’t need to download an app or go through a credit card terminal to make payments via SMS. SMS payments can be accepted around the world without any agents seeing or hearing the information.

The systems the company uses (CRMs, CMS, and payment systems) receive a confirmation or token validating that the transaction went through, but the credit card data never touches the company’s infrastructure. This greatly reduces risk: the company doesn’t have the credit card data, and it isn’t present, stored (recorded for quality assurance), or transmitted within the company’s systems. This reduces or eliminates PCI scope.

It’s important to note that regarding fraud prevention, even the most robust, 100 percent PCI-compliant environment could still be at risk when human agents, including employees, decide to commit fraud or theft. If they verbally receive numbers over the phone, they can memorize the critical information and then write it down once they leave the office or record the numbers and use them for their own nefarious purposes. In any card-not-present environment, there is risk. These approaches take that risk out of the picture.

Reduce Scope to Qualify for Self-Assessment

By using technologies that employ DTMF suppression and SMS, companies can reduce the scope of what’s required under an assessment so much that they’re no longer required to hire a consultant to conduct an assessment. Instead they can conduct a self-assessment, write a report, and submit it to the PCI council themselves, instantly saving tens of thousands of dollars or more while dramatically improving security.

Art Coombs is a published author on leadership and methodologies for BPOs, contact centers, and technical support. Art has more than twenty-five years of experience with several global firms and their call and BPO centers worldwide. He is president and CEO of KomBea, a fifteen-year-old software company that develops solutions for contact-center environments to help deal with the myriad of regulations and standards they face, including PCI compliance and HIPAA. For more information visit www.kombea.com.

%d bloggers like this: