First in a two-part series
Protection of personal information is an area where contact centers play a critical role. A key section of the 2009 – 2010 Quality Management/Liability Recording Product and Market Report, prepared by DMG Consulting, provides an overview of payment card industry data security standards, defines the circumstances under which they must be implemented, and explains how they affect contact centers.
Today, we look at the Payment Card Security Council and the Payment Card Industry Data Security Standard, which it established to protect credit card users. Tomorrow we will look at how the standards apply specifically to contact center operations.
Why Is a Standard Necessary?
According to the U.S. Census Bureau, there were 1.42 billion payment cards in the United States in 2000, and 1.48 billion in 2006. The same data projects that the total amount of annual commerce paid for with payment cards will reach $2.8 billion in 2010.
A variety of government agencies require companies to safeguard consumer information, including the information on payment cards. In response, American Express, Visa, MasterCard, Discover and JCB Global established the Payment Card Security Council and the Payment Card Industry Data Security Standard (PCI-DSS). This standard is a set of voluntary requirements for payment card issuers, processors and merchants with regard to payment card data security. PCI-DSS is an international standard accepted in markets throughout North America, Europe and Asia. It covers data center security, protection of data during transmission, and standard operating procedures.
While the standard is widely accepted by the credit card companies, many companies that handle credit card payments are confused about how the Data Security Standard applies to them.
The standard incorporates 12 broad requirements that set a baseline for a vendor’s data security practices and provide mechanisms for members of the payment card industry to self-regulate and self-police. The requirements range from installing firewalls to developing and maintaining security systems and restricting access to cardholder data.
Who Must Comply?
Any business that accepts (merchant) or processes (processor) payment cards issued through the brands—Visa, MasterCard, American Express, Discover and JCB Global—needs to be PCI compliant.
What Information Do the Standards Cover?
The standard covers information such as account number, personal identification number, and card validation code through the entire transaction network. The standard requires merchants and payment card processors to ensure that customer data are secured at the point of sale, while being transmitted throughout the company’s network, and while being transmitted between merchants and processors. The data security standards also cover when and how payment card information is stored.
Who Maintains and Modifies the Requirements?
The PCI Security Standards Council provides the umbrella structure, sets policies, and establishes common auditing and scanning procedures. It is up to each of the five card brands to interpret and enforce the standards.
Tomorrow: The implications of the Payment Card Industry Data Security Standards on contact centers.
The full report, Payment Card Industry Data Security Standards Guide for Contact Center Managers, is available from KnoahSoft.