How to make your credit card payment channels PCI DSS compliant
Let’s say you are a thriving business who has had a fantastic financial year with results that has left everyone smiling. While no-one would begrudge you that good fortune, it may prove somewhat worthless if you are hit with the financial consequences of a data breach, if you haven’t made sure your credit card storage & payment channels maintain their secure PCI compliance status.
You may argue what is all the fuss about? You achieved compliance 6 months ago, doesn’t that mean you are done and dusted with security & compliance? Well, no actually. The PCI Security Standards Council says many companies make the mistake of thinking that only focusing on an annual compliance assessment can “create a false sense of security”.
The following are the key payment channels in use across most organisations:
With the release of the 3.2 version in Europe this month, what do you need to do to ensure your credit card payment channels are PCI DSS compliant? The Council, as well as a team like ours, says it is a three-step process.
The Council advises you need to firstly make an assessment of your cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyse them for vulnerabilities; this is where our team can advise and guide you.
Then you need to fix vulnerabilities and eliminate the storage of cardholder data unless absolutely necessary (as noted below advanced services can eliminate the need to store card data). And finally you must compile and submit the required reports to the appropriate acquiring bank and card brands.
Take note of your security program. How are you accepting payments and is there a way to reduce the risk to your customers and organisation by changing business practices in relation to the handling of cardholder data to reduce financial exposure? Evaluate newer payment technologies like tokenization and cloud based payment processing (see below) – our team can discuss the most suitable options relevant to your specific processes.
Pay by phone (IVR) channel:
In house IVR infrastructure can be costly to secure in line with the PCI standards, outsourcing to a pre certified IVR service provider can significantly reduce the initial and ongoing costs associated with security compliance.
Leveraging third party cloud based IVR service provision can take the form of IVR to IVR integration or modification of call termination points.
Pay by Internet channel:
The easiest way to reduce the compliance burden across diverse internet based payment channels is via either, direct post, iFrames or scheme wallets. The issue with scheme wallets is that not all wallets area created equal and not all customers are registered with wallets, as such direct post or iFrames would also need to be employed. Iframes enhance security and de-scope more of the PCI DSS compliance burden compared to direct post, and as such should be utilized where possible.
Contact centre payments (inbound & outbound):
PCI Compliance within the contact centre can be complicated, as agents see and hear credit card data, call recordings store data while infrastructure and downstream systems process sensitive card data. The most effective way to de-scope the contact centre is to divert to a cloud based IVR service or use DTMF call filtering such as IP Solutions AgentSecure service. As such card data is removed from your environment and systems, agents no longer see or hear credit card data and as such you risk of fraud and your PCI compliance costs shrink. Advanced call filtering enables customers to make payments while remaining in contact with call centre agents as such it has customer service benefits over traditional pay by phone / IVR services.
Mobile device initiated payments:
Mobile devices can benefit significantly from advanced iFrame services which have the flexibility to render frames for different devices. Iframes in conjunction with cloud based tokenization is the most effective way to de-scope mobile based payment channels.
Many companies still think they need to keep credit card data for recurring billing, refunds and chargebacks. This is no longer the case as advanced tokenization services can perform and in fact enhance payment handling without the need to store sensitive credit card data within your environment.
Recurring payments can then be initiated via submission of token based batch files or third party system automation i.e. cloud based services can also store and automatically process payments for customer against a pre-defined schedule.
There are important factors to consider and if you’re unsure how the above relates to your business, our team can help you, from start to finish, to review your PCI DSS compliance channels and help you solidify the future prosperity of your enterprise.
To find out more about PCI DSS Compliance download your free copy of the eBook Achieving & Maintaining PCI DSS Compliance.