Improvements in technology mean that contact center managers can now outsource key tasks, including payment processing, to people who want to work from home. Home working can cut costs and improve productivity, but this type of virtual working also introduces new data security risks, particularly when accepting payments with a credit card. In the United States, the Payment Card Industry Data Security Standard (PCI DSS) applies to all your employees, including home workers. Find out about the challenges that virtual working can cause, and learn more about the steps you should take to improve home workers' PCI DSS compliance.
Why PCI DSS is crucial
Experts believe that card fraud in the United States costs merchants as much as $190 billion a year. Banks lose a further $11 billion, while customers lose just under $5 billion, so online retailers lose more money than anyone else. As such, everything you do to protect customer payment cards directly influences your profits.
PCI DSS compliance is not just about boosting profits. Working in this way helps maintain trust with your customers. High-profile stories about card fraud can damage your brand. Compliance can also help you find ways to improve IT security in other ways, and you may even find that working to PCI DSS guidelines will help you meet other regulatory requirements.
What the guidelines mean to your business
To protect cardholder data, the PCI DSS guidelines restrict the storage of certain data elements. These data elements fall into two categories – cardholder data and sensitive authentication data.
Cardholder data include the primary account number (PAN), the cardholder name, the service code and the expiration date. You can securely store all these details, but you must make sure the PAN is unreadable in your systems from places like One Payment.
Sensitive authentication data include the full magnetic stripe data, the CV2 identification number and the customer's PIN. According to the guidelines, you cannot store any of these items in your systems – or anywhere else.
All businesses fall into one of four PCI merchant levels, depending on the volume of payment card transactions you process in a year. At level 4, your business would process less than 20,000 transactions a year. At level 1, your company would handle more than 6 million transactions.
PCI DSS compliance is an ongoing process of assessment, remediation and reporting. Assessment is not a one-off exercise. You must continually review your working practices, to make sure you meet the requirements.
The challenges that home working presents
Home working can make it harder to comply with PCI guidelines because you must manage a more disparate group of employees. With all your team members in one building, it's often easier to assess and monitor what is happening, but home working means that you will often have to rely on self-assessment and extra system controls.
What's more, home working normally relies on a different, more secure IT infrastructure. While you can invest in a supplier that meets PCI requirements, it's vital that home workers continue to use these systems in a way that supports card security. Indeed, some risks come from the habits that home workers may have when they are not using these systems.
Training and guidance for home workers
Your IT infrastructure can help you make sure your home workers handle payment cards securely, but you must also put in place robust training and guidance for home workers. Implement a training plan that refreshes the information annually, and make sure that home workers know this training is mandatory.
Areas to consider include:
- Voice recording systems. Home workers must often turn off the voice recording system when taking the customer's payment. Put a trigger in the call script that reminds agents to turn the system off and on, as required.
- Masking the customer's PAN. Your payment system should automatically mask the PAN when your agent enters the details. Make sure home workers understand that these restrictions don't just apply to system-based work. Highlight why home workers cannot write these numbers down, and encourage paperless working.
- Outbound calls. Your IT supplier should make sure that the IT network and telephony infrastructure have the right level of encryption or security. When these systems fail (or there is a temporary fault), it's sometimes tempting for home workers to pick up the phone and speak to a customer. Make it clear that an agent should never take payment card details on an unencrypted call, email or instant message.
- Two-factor identification. PCI rules mean that agents must always make sure they are speaking to the authorized cardholder. Reinforce the need for two-factor authentication on every call, inbound or outbound, where the agent needs to handle payment card information.
For at-home/remote workers, call monitoring is particularly important. This activity helps you make sure that agents adhere to these practices. The latest technology allows you to remotely view the agent's screen in real-time. This could help you spot bad practices. For example, you may note that the agent puts restricted data in an email or even copies the information into a separate document.
If your home workers are handling sensitive customer data, it's vital that you make sure the right controls and processes are in place. PCI DSS compliance gives your business a robust framework to measure against, helping you protect customers and save money.