What Is PCI-DSS
And Why Is It So Important?
PCI-DSS is a set of requirements designed to ensure that companies process and transmit card information in a secure environment. It applies to nearly any business or individual: any merchant who holds a Merchant ID falls under the Payment Card Industry Data Security Standard. The Payment Card Industry Security Standards Council was founded on September 7, 2006 to manage the continual evolution of the PCI security standards, with the objective of improving the security of payment account information. The PCI DSS is managed by the PCI SSC, an independent organization established by the major payment card brands such as MasterCard and Visa, among others. Enforcing compliance is up to the payment brands, not the Council.
Application of PCI
The PCI is applicable to all companies and individual entrepreneurs, regardless of size or transaction count, that accept, transmit or store card data. PCI DSS requirements apply whenever a customer pays a company directly with a credit card or debit card.
Deadlines for PCI Compliance
Merchants that store, process or transmit cardholder data are now required to be compliant. Level 4 merchants must refer to their bank for specific validation deadlines and requirements, since particular deadlines are enforced by the merchant bank. Specific requirements and deadlines are published on the Visa brand site.
PCI compliance levels:
Merchants fall into one of four levels. The level is based on the number of Visa transactions over a 12-month span: transaction volume counts Visa debit, credit and prepaid card transactions from a single merchant d/b/a (doing business as). When a corporation operates under several d/b/a names, Visa considers the total volume of transactions processed, stored or transmitted by the corporation in order to assess the prospect's validation level.
Merchant levels with respect to VISA:
Level One: A merchant processing over 6M Visa transactions annually.
Level Two: A merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions annually.
Level Three: A merchant processing 20,000 to 1M Visa e-transactions annually.
Level Four: A merchant processing over 1M Visa e-transactions annually.
PCI compliance in call centres with a predictive dialler:
PCI-DSS standards, as everyone knows, are clear about the requirements for access to personally identifiable information (PII). The Payment Card Industry Security Standards Council, for one reason or another, has said very little about how that information should be collected: whether PII should be collected through front-end channels such as websites, interactive voice systems or call centre representatives. The reader might find this somewhat surprising, since the risk of fraud and compromise of data is great, particularly in a call centre.
In the call centre environment, purchasers of products or services literally read their card numbers, CVV codes and card expiry dates to the representative. There are minimal controls in place to prevent the representative from misusing the customer's data or committing credit card fraud; the information could easily be captured with an electronic recording device, a computer or a notepad. Some call centres use software to record calls alongside a predictive dialler; the application captures and stores call data, and the recordings are accessible to call centre personnel or to a hosting provider. The data is generally not encrypted. The PCI-DSS standards do not address this environment. Telephone representatives who work from home add a further layer of challenge.
On January 22nd 2010 the Payment Card Industry Security Standards Council published a revision of the Frequently Asked Questions on its site. The FAQ was brought up to date, and questions about call centre recordings were addressed. It has been suggested that an Interactive Voice Response system be used to minimize the incidence of fraud, and a recommendation has been made not to store recordings that include clients' CVV information.
There are solutions such as agent-assisted automation. This technology makes it possible for the representative to collect credit card data without seeing or hearing it: the representative remains on the line while the customer enters his or her card information into the CRM software using the phone keypad. The recognizable keypad tones are converted to monotones, so the representative cannot identify the digits. This is a sizeable security benefit for the customer.
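As an added illustration (not from the original article or from any vendor's product), the masking step of agent-assisted capture simulated over a constructed call segment: keypad digits are diverted out of band to an assumed payment gateway callback, while the representative and the call recorder receive only a flat tone, and the CRM is handed just the last four digits. The event format, the PAN and CVV lengths and the `gateway` callback are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Event = Tuple[str, str]  # constructed format: ("speech", text) or ("dtmf", digit)


@dataclass
class CaptureResult:
    agent_stream: List[Event]  # what the representative and the call recorder receive
    pan_last4: str             # the only part of the card number the CRM may keep
    luhn_valid: bool
    cvv_captured: bool


def luhn_ok(digits: str) -> bool:
    """Luhn check so a mis-keyed number is rejected before hand-off."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_capture(events: List[Event], gateway: Optional[Callable[[str, str], None]] = None,
                 pan_len: int = 16, cvv_len: int = 3) -> CaptureResult:
    """Replay a call segment: speech passes through unchanged, every keypad digit is
    replaced on the agent/recording path by a flat tone and buffered out of band."""
    agent_stream: List[Event] = []
    pan, cvv = [], []
    for kind, payload in events:
        if kind == "speech":
            agent_stream.append(("speech", payload))
        elif kind == "dtmf":
            agent_stream.append(("tone", "flat"))  # monotone: the digit is not recoverable
            if len(pan) < pan_len:
                pan.append(payload)
            elif len(cvv) < cvv_len:
                cvv.append(payload)              # digits beyond PAN + CVV are dropped
        else:
            raise ValueError(f"unknown event kind: {kind}")
    pan_s, cvv_s = "".join(pan), "".join(cvv)
    valid = len(pan_s) == pan_len and len(cvv_s) == cvv_len and luhn_ok(pan_s)
    if valid and gateway is not None:
        gateway(pan_s, cvv_s)  # assumed hand-off to the payment gateway, never to the CRM
    # the full PAN and the CVV are discarded here; only the last four digits are returned
    return CaptureResult(agent_stream, pan_s[-4:] if valid else "", valid, len(cvv_s) == cvv_len)


# Constructed sample call segment using a well-known test card number, not real data.
SAMPLE_EVENTS: List[Event] = ([("speech", "please key in your card number now")]
    + [("dtmf", d) for d in "4111111111111111123"] + [("speech", "thank you, that went through")])
```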
Assessing the liability and risk arising from credit card fraud, and then implementing measures proportionate to that risk, ensures that everyone benefits from reduced fraud and a more secure contact centre.