PCI Compliance for Remote Workers
The past year has seen a huge increase in the number of customers paying for items online or over the phone. With this e-commerce boom showing no signs of slowing down, even as non-essential retail reopens, contact centres are often the first line of communication for customers looking to make their payments. With many contact centre agents still working remotely, and likely to continue to do so in the new world of work, it is vital that organisations prioritise secure payment applications and ensure that their remote agents are PCI (Payment Card Industry) compliant.
The compliance challenges of homeworking
Organisations must continue to adhere to compliance frameworks such as GDPR, FCA and PCI, especially in today’s digital-first world where more and more personal data is being shared online. Indeed, the biggest challenge of having remote workers as part of phone or online payment processes is securing sensitive data, as working from home significantly increases the agent’s risk profile.
The primary issue is that agents are operating outside of the secure corporate environment, making the processing of telephone or online payment card data vulnerable to additional threats. While agents will be using company-approved devices, there are many other factors that can make securing systems located in home-working environments difficult, such as the presence of unauthorised personnel.
In addition, controls are harder to implement and it is more difficult to monitor the performance and compliance of homeworkers. Finally, as customers become more accustomed to omnichannel CX, remote workers have to also be able to take secure payments across multiple platforms, from phone to webchat.
Homeworking PCI best practices
Here are IPI’s suggestions and best practices for how today’s virtual contact centre can remain compliant whilst keeping its agents and customers safe:
- Pause & Resume: Whether manual or automatic, Pause & Resume addresses a small number of PCI controls around card detail storage, as details aren’t captured on the call or screen recording estate. While this does remove liability, agents are still exposed to sensitive card information, and the risks of the homeworking environment aren’t taken into account.
- Automated Payment IVR: Here, card data is shielded from agents through an automated payment application. Whilst this option can disrupt the customer journey, for example if calls are disconnected, it does shield customers’ card information from agents, and with tools like IPI’s own Cloud PCI solution, even homeworking agents can accept secure payments.
- DTMF Suppression: Regarded as the compliance gold standard, Dual-Tone Multi-Frequency (DTMF) Suppression helps organisations obtain PCI compliance whilst continuing to take payments over the phone and record calls. The solution generates a series of audio signals that mask the tones from the caller’s keypad, so customers can enter sensitive data without compromising cardholder data. The Cardholder Data Environment (CDE) is eliminated and no payment details ever enter the home network; they go only to the Payment Service Provider and the bank. DTMF suppression is also available as part of our IPI PCI Cloud offering, a more extensive PCI solution that reduces the risk of hacking or payment information being stolen.
- Omni-Channel: Using DTMF integration, secure payments can be made across multiple channels, from webchat to email. The CDE is removed as the details are blocked from the agent’s view and never enter the home network. Also available through the IPI PCI Cloud solution, this gives customers more choice, decreases the risks of agents taking payments from their home office, and reduces the number of PCI compliance controls needed by as much as 90%.
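To make the scope difference between Pause & Resume and DTMF Suppression concrete, here is an added illustrative model (constructed for this article, not IPI’s product code). It simulates one call across the agent, recording and PSP legs and then runs a Luhn-based DLP check over each leg to see where a card number ends up; the event format, leg names and the test card number are assumptions.

```python
import re

# Constructed sample input: a well-known Luhn-valid test card number, not a live PAN.
TEST_PAN = "4111111111111111"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """DLP-style check for a transcript or recording: any Luhn-valid 13-19 digit run?"""
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", text))

def route_call(events, control):
    """Simulate one call. events is an ordered list of ('speech', text) or
    ('dtmf', digit). control is 'none', 'pause_resume' or 'dtmf_suppression'.
    Returns the content that each leg ends up holding (agent, recording, psp)."""
    legs = {"agent": [], "recording": [], "psp": []}
    for kind, value in events:
        if kind != "dtmf":
            legs["agent"].append(value)
            legs["recording"].append(value)
            continue
        legs["psp"].append(value)  # the keyed digit always reaches the PSP
        if control == "dtmf_suppression":
            # The gateway replaces the keypad tone with a masking tone on both other legs,
            # so neither the agent's home network nor the recorder sees the digit.
            legs["agent"].append("*")
            legs["recording"].append("*")
        elif control == "pause_resume":
            # Recording is paused during card entry, but the agent still hears the tones.
            legs["agent"].append(value)
        else:
            legs["agent"].append(value)
            legs["recording"].append(value)
    return {leg: "".join(parts) for leg, parts in legs.items()}

# Constructed call: agent prompt, 16 keyed digits, closing remark.
SAMPLE_CALL = ([("speech", "Agent: please key your card number now. ")]
               + [("dtmf", d) for d in TEST_PAN]
               + [("speech", " Agent: thank you.")])

def legs_holding_pan(control):
    """Which legs still contain a card number under the given control?"""
    return sorted(leg for leg, text in route_call(SAMPLE_CALL, control).items()
                  if contains_pan(text))
```

Running `legs_holding_pan` for each control shows the PAN reaching all three legs with no control, the agent and PSP only under Pause & Resume, and the PSP alone under DTMF Suppression, which is the scope reduction the article describes.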
A compliant workforce
With the growth of remote working and cloud contact centres likely to continue well into the future, organisations must take actionable steps to ensure homeworkers remain compliant and customers secure. By turning to solutions like DTMF Suppression, organisations significantly reduce the risks of homeworking and also enable agents to add business value, securely and compliantly.
If you would like any further information on the points discussed above, visit our dedicated PCI page, get in touch and keep an eye out for our upcoming ‘How to make your remote workforce PCI compliant’ whitepaper.