Cam Ross, Director of Payment Strategy at the PCI compliance and contact centre software firm Eckoh, is pleased that the PCI Council has published an updated document, its PCI SSC guidance to securing telephone payments.
The publication by the PCI SSC of the updated version of the PCI DSS information supplement Protecting Telephone-Based Payment Card Data is very welcome – the last version was published seven years ago!
The guidance is the result of a collaboration between 50 companies, all specialists in this field. Eckoh has been very pleased to work alongside real industry experts like Worldpay and Verizon, as well as the other acquirers, industry bodies, call centre operators, consultants, telecommunications companies, legal and financial companies involved. Having been a founding member of the SIG, Eckoh was pleased to contribute our expertise to the new guidance.
The new document explores the potential risks and security challenges associated with telephone-based card payment environments and provides much needed clarity for the contact centre industry, globally. What’s noticeable is that this version deals explicitly with current technologies and now includes DTMF payments which were not mentioned at all in the previous version. That’s important, because DTMF technology is the way in which most contact centres want to take payment today; it offers such good security and de-scoping benefits.
This update completely supports Eckoh’s view that contact centres should seek to reduce the scope of the PCI DSS audit for their contact centres wherever possible. What’s particularly helpful are the sections that show how companies, of many different models and sizes, can address PCI DSS in their environments. The clear and sensible diagrams will allow companies and QSAs to more easily define scope within even highly complex contact centres.
There are many often-misunderstood areas of technology and operation around today’s contact centres, such as VoIP, call recording, transfers, home or remote-workers, and outsourcing. So it’s welcoming to see the guidance cover these specifically. Also addressed are ‘digital payments’ – where a payment may start with a phone call and end with an online or mobile payment. This scenario occurs more frequently now with the growing number of engagement channels and a user’s tendency to channel shift.
Digital payments over the phone is an area in which Eckoh have led the world. We were the first to launch secure payment using Apple Pay, Google Pay and PayPal over the telephone, and the first to provide secure Web Chat payment. It clearly shows that our innovation and R&D strategy was, and remains, ahead of the curve.
In the past few years, the industry has seen fraud switch towards card-not-present channels like contact centres. Finally, the industry has a comprehensive document which will help it define and address the increasing threat. You only need to read it to see the immense challenges facing contact centres which wish to handle card data directly.
Eckoh continues to help companies reduce their PCI DSS audit scope; this document will ensure that clients and their QSAs have a clear, independent way to determine that their chosen approach is the right one for them.
