advertisement
advertisement

What’s The Rush For New PCI Call Center Requirements?

Written by Walter Conway
February 2nd, 2010
PCI Columnist Walt Conway initially thought the PCI Council’s revised guidance on audio recordings were not that big a deal. He quickly changed his mind.

"You will need to reconfigure your call center application to stop recording the security codes. This point is where I start to have some problems. If your application can’t do this, you need to upgrade or replace it with one that automatically interrupts recording when, for example, the payment screen is displayed. And forget about using manual interrupts, at least if I’m your QSA. In practice, they can be too easily missed, forgotten or ignored. Large retailers will make a business decision and budget for the investment. But what about smaller merchants, charities and universities with call centers?"

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Pages: 1 2

Posted in IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud
advertisement

8 Comments | Read What’s The Rush For New PCI Call Center Requirements?

  1. Kemil Carbuccia Says:
    February 3rd, 2010 at 7:59 pm

    You hit the nail right in the head !

    PCI council has made a one-sided decision; They should have done a much more in-depth research that could have provided more insight on what regards to the implications of such decision.

    This is a good read, enjoy !

  2. J- R Says:
    February 4th, 2010 at 6:35 am

    The issue in Financial services especially here in the UK is that the regulator here mandates that all call recordings have to kept for at least three years (you can argue for 7) and cannot be altered in any way so deleting the CV2 is prohibited.

    This “clarification” is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs.

    The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification.

  3. Geoff Miller Says:
    February 4th, 2010 at 11:25 am

    Another ridiculous decision where regulators don’t think critically enough about the unintended consequences of their decision. This is why regulation has completely gone off the deep end. Somebody has to make it stop.

    This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can’t purge all of our calls and we don’t have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it.

    Another regulatory body and decision that is killing private business. This bs makes me sick to my stomach.

  4. Mike Pruden Says:
    February 4th, 2010 at 1:00 pm

    And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. Many companies have contracts with these types of industries. How do you deal with that type of issue? PCI Council needs to rethink this requirement until there is a widely available commercially viable solution.

  5. Cranston Snoard Says:
    February 4th, 2010 at 6:50 pm

    Did the PCI SSC intentionally make a 2010 New Year’s resolution to step up efforts to demonstrate how out of touch and inane PCI DSS truly is?

  6. Walt Conway Says:
    February 5th, 2010 at 4:21 pm

    Thanks for all the comments!

    @J-R: Sovereign law trumps PCI, so I think your UK regulator’s/government body’s position on recordings will override this PCI guidance. It will be interesting to see if there is some country-specific clarification although this should not be needed. You mentioned using a push-button or some other manual interrupt to avoid recording the security codes. As I noted in the column, I am not convinced this will work given how easy it is to forget/defeat it, but in your case it may be the only viable option.

    @Geoff and Mike: Good comments. I forgot about all the related services retailers use who will be affected.

    @Cranston: You and I may disagree about the value of PCI, but I take your point that this revised call center guidance may cast a negative light on the whole PCI Council and the Standard for some people. I know some of the Council staff, and they are intelligent, thoughtful, capable people. I am hoping they see that there are some unforeseen difficulties with this latest guidance, and that they consider revising it.

  7. Cranston Snoard Says:
    February 5th, 2010 at 6:20 pm

    @walt
    While specific individuals on the council may indeed be “thoughtful, intelligent, capable people” the council as an entity certainly does not display those qualifications.

    If this was a local, back-country, small village bylaw council, I’d be willing to give them a lot more leeway.

    But let’s get real here! These people are supposedly the “experts”, the cream-of-the-crop representing billion dollar card companies — and they come up with inane stuff like this?

    Don’t blame “some people” for seeing the Council in a negative — put the onus and responsibility where it belongs, on the Council for making such bad decisions. THEY are the ones causing the “negative light”, not those who call them on it.

  8. philippine call center Says:
    May 26th, 2010 at 11:15 pm

    There might be some problem implementing those new guidelines in some call center companies. Thanks for providing this informative post.

Leave a Reply

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.
advertisement

Most Recent Comments

"Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?" -Ed

The Backward World Of Loyalty: "I'd Like A VCR, A Wired Phone and a Plastic Loyalty Card, Please"

Walt Conway
The common thread in each case is immediacy. I carry no additional plastic in my wallet I can avoid. Then again, I'm not a typical consumer so maybe others have different experiences as retailers or consumers. Read more...
Omar Iftikhar
Loyalty should be the main driver for all your targeted services and promotions. Not a lot of retailers do that very well. The best at it in my experience is Best Buy. Being part of their Rewards Zone not only automatically assigns the points to your purchase, but also sends you an electronic copy of your receipt, and any follow up coupons and specials. Read more...

Neiman Marcus Goes Down, But Only For A Special Few

Steven P
We insist our staff check all changes (how ever small) on all the popular browsers. Its something we'd recommend to everyone. Read more...

The Never-Ending Dance Of Contactless Security

ed
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required? Read more...

Home Depot's Try At Not Shutting Down Completely Leaves Customers Running In Circles

Bill N
This is SO Home Depot -- a lack of vigor resulting in rookie mistakes. I see it all the time in the stores. Read more...

MasterCard Pushing EMV PIN. Visa? Not So Much

James L.
When our company switched from AmEx to MC for business travel expenses, I thought we finally had the opportunity for chip/PIN & signature cards to facilitate the travel in Europe. "They're not available in the US yet", I was told by the bank representative who conducted the training on the new related expense reporting website. It was interesting to see that the chip card with mag stripe was available to my colleages in Canada. I thought the idea with chip & signature was to allow its use in both US & EU markets. One card - dual authorization methods. Read more...
Dan
I want Chip & PIN. With Chip & Signature, sure it has a an EMV chip, but then a fraudster could just steal my card, run it through the chip reader and then sign my name. The PIN adds an extra layer of security as only I (should) know it. At the very least, I would like to see a dual method wherein if the US insists on using Chip & Signature, our cards would work as Chip & PIN in countries where that is the norm. I am just sick of this back and forth. America needs to get off its high horse and comply with the world payment standards. Visa says Chip & Signature, MasterCard wants Chip & PIN and then Amex is mysteriously quiet. All of this talk....the government, banks, acquiring banks and card networks need to work together to make it affordable and easy to fast track EMV. Read more...

In The Security Vs. Compliance Battle Of The Mind, Security Is Winning

Andrew Jamieson
I think that this has the potential to provide a terrific win for the merchants in scope for these sorts of systems, and also to the security posture of payments as a whole - exactly because it should ensure that people who know what they are doing are the only ones involved in the details. Read more...

Guess CIO On iPad Trial: "This Is The Consumerization Of IT."

John Pruban
Because Apple provides little support at the enterprise level, it is interesting to watch the struggles as retailers implement. In Mike's case, he talks at great length about the augmentation of the customer experience. The biggest hole we see retailers struggle with here is basic wireless coverage. The experience goes bad quickly if, while your walking around, you get into the middle of a function and can't recover. Read more...

Brook
This phone is not "from Verizon". The operating system was written by Google. The hardware was manufactured by Samsung. The reason a person might buy such a device is to run Android software. Verizon is just the service provider that links the device to the telephone backbone and the Internet. Verizon has no right to tell users what software they can or cannot run on their devices. And "Google Wallet" or Verizon's (vaporware so far) competing product should be treated as just what they are: software. The users should be able to download and install their own choice. Read more...

Macy's In Australia: No, John, It's Not All Thanks To eBay

Ric
John Donahoe is so anxious to impress his Wall Street Masters that it comes as no surprise he exaggerated and got the facts wrong during the conference call. Read more...

In Theory, E-Commerce Sites Are Way Too Slow. But Do Customers Care?

Jason Goldberg
I love it when the data in vendor studies directly contradicts the conclusion, and thanks for calling it out. In the case of page load speed, while I am skeptical of the urban legends quantifying the effect of page load (1 conversion drop per 100ms, etc...), I have seen a number of first hand examples of improved performance directly improving bounce rate and conversion. So my own experience tells me that speed is an important factor in customer experience. I just don't believe it can be reduced to a simple equation. Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.