BPO Providers and PCI Compliance: Things You Need to Know

As a business owner, it is your responsibility to protect your organization’s corporate data as well as your customers’ sensitive information. Because security standards keep changing, many companies are shifting payment handling to outsourced merchant processing and call center services.

Hiring a PCI-compliant BPO provider helps protect your customers’ payment card data, preserves your organization’s reputation, and reduces the compliance work you carry yourself. Keep reading to learn the ins and outs of PCI call center compliance.

What Is PCI Compliance?

As online payments became more prevalent in the 2000s, security breaches grew in frequency and severity. In 2004, the major card brands banded together to publish the first version of the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements for any organization that handles card data. In 2006 the same brands formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain the standard and the related validation programs.

Since then, the PCI DSS has become a globally accepted standard. It is not a statute: compliance is a contractual obligation imposed by the card brands through the merchant’s acquiring bank, and non-compliance is enforced through fines, higher processing fees, and ultimately the loss of the ability to accept cards. Separately, regulators such as the Federal Trade Commission (FTC) have taken action against companies under general consumer-protection law when card data was handled carelessly, and a few U.S. states reference the PCI DSS in their data-security laws.

Who Needs To Be PCI Compliant?

Regardless of size or industry, the PCI DSS applies to any organization that accepts, processes, stores, or transmits cardholder data. The card brands also sort merchants into four levels based on annual transaction volume; the level determines how compliance must be validated, not whether the standard applies. The thresholds below are Visa’s, and the other brands use similar tiers.

  • Level 1: Merchants that process over 6 million card transactions per year
  • Level 2: Merchants that process 1 to 6 million transactions per year
  • Level 3: Merchants that process 20,000 to 1 million e-commerce transactions per year
  • Level 4: Merchants that process fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year

Validation requirements vary by merchant level. Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC); lower levels typically complete an annual Self-Assessment Questionnaire (SAQ), with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where the SAQ type or the acquirer requires them. Regardless of level, every organization must remain PCI compliant at all times; only the way compliance is demonstrated differs.

According to Verizon’s 2020 Payment Security Report, only 27.9% of organizations assessed in 2019 achieved full PCI DSS compliance at their interim validation. This is a significant drop from 2016, when 55.4% of organizations achieved full compliance.

The Importance of PCI Compliance in Call Centers

Now more than ever, it is crucial for businesses to understand the importance of the PCI DSS. Failing PCI compliance can lead to loss of consumer confidence and a damaged reputation, and it can also result in fines from the card brands and lawsuits from affected customers. That liability stays with the merchant: PCI DSS Requirement 12.8 makes the merchant responsible for managing its third-party service providers, so the merchant answers to its acquirer and the card brands even when the failure occurred at an outsourced call center. For this reason, it is crucial to ensure your call center provider is PCI compliant.

For more information on PCI DSS compliance, visit the Official PCI Security Standards Council website.


Questions to Ask Your Call Center About PCI Compliance

When hiring a call center vendor, the first step is to ask whether they are PCI DSS compliant, how that compliance was validated (for a service provider, ask for the current Attestation of Compliance, or AOC), and what they do to stay compliant. To help you confirm you’re partnering with a trustworthy customer service company, we’ve provided some additional questions worth asking:

What kind of network security is used at your call center?
The PCI DSS requires strict network security to limit where customers’ payment information can be exposed: Requirement 1 covers network security controls and segmentation of the cardholder data environment, and Requirement 11 covers regular vulnerability scanning and penetration testing. Ask your provider how its cardholder data environment is segmented from the rest of its network, how often it tests that segmentation, and what its incident response plan (Requirement 12.10) is in the event of a breach.

What redaction processes does your call center follow, particularly for calls that include customers’ credit card information?
PCI DSS Requirement 3 governs stored account data. The full primary account number (PAN) may be stored only if it is rendered unreadable (strong encryption, truncation, tokenization, or one-way hashing), and wherever it is displayed it must be masked so that at most the first six and last four digits appear; most call center screens show only the last four. Sensitive authentication data, meaning the CVV/CVC security code, full magnetic-stripe or chip data, and PINs, may never be stored after authorization in any form, digital, paper, or audio. That applies to call recordings too: a center that records calls for quality assurance must either pause recording while card details are taken or redact the PAN and security code from the audio and any transcript before it is stored. Ask your vendor which of these approaches it uses and how it verifies that recordings and agent notes contain no card data.

How is access to information controlled?
The PCI DSS layers several access controls: Requirement 7 restricts access to cardholder data to those with a business need to know, Requirement 8 requires unique user IDs and strong authentication, including multi-factor authentication for remote and administrative access to the cardholder data environment, and Requirement 10 requires logging and monitoring of all access to network resources and cardholder data, with logs retained for at least a year and the most recent three months immediately available. Ask your vendor which access logs are kept, how they are reviewed, and how it limits which agents can see card data at all.

AtPoint Nearshore BPO Values PCI Compliance

The AtPoint team understands the importance of compliance and maintaining a secure environment for our customers, which is why we are PCI DSS certified.

AtPoint is a nearshore BPO company that offers streamlined, customized outsourcing services to help organizations outperform their competition. We are headquartered in Houston, Texas, with call centers located in Jamaica. With more than 25 years of industry experience and a large team of highly trained customer service professionals, we’re more than just an ordinary call center.

Contact AtPoint today to learn more about our customer service outsourcing solutions.