ARE YOUR CARD DETAILS SAFE?
The latest set of industry standards for ensuring the integrity of credit card data may bring reassurance to consumers, but Communications Providers should be aware of what they need to do to maintain compliance
THE PRICE OF DATA INTEGRITY
Since the start of 2007, any company handling credit card data has been expected to comply with the most recent revision of a set of industry requirements, the Payment Card Industry Data Security Standard (PCI DSS) version 1.1. While there is no doubting the enormous benefits of security standards for such critical data, their broad and comprehensive nature has left some organisations struggling to meet their obligations.
The PCI DSS was established by the PCI Security Standards Council – an alliance of five leading card brands, including American Express, Visa International and MasterCard Worldwide – to enhance and maintain the security of payment card data.
The standard is highly relevant to Communications Providers, which depend on credit card payments for the vast majority of consumer transactions, such as those for broadband services, as well as for many payments from small businesses. However, applying the standard and maintaining compliance across every point at which card data is handled or stored, including providing all relevant employee training, is not a simple process, particularly for smaller organisations.
CROSS-BUSINESS COMPLIANCE
Gordon Cannon, Market Development Manager for BT, says: "It is not just the physical infrastructure of the data storage, networks and firewalls, which are always traditionally talked about. Companies also need to think about all the elements of their business that handle and process card details and sensitive information. For example, for a lot of companies the contact centre is the front end for taking and processing card details. Often those calls are recorded for quality purposes, which means those recordings require managing in such a way as to maintain standards compliance."
The PCI DSS contains 12 principal requirements, covering everything from maintaining secure networks and protecting stored cardholder data to access control measures and information security policies. Summary details and the full specification can be found on the PCI Security Standards Council website.

BT Wholesale works with a number of Communications Providers to help them meet and maintain the standard without having to hold all the required expertise inside their own organisations.
Gordon notes: "Companies do need to take this legislation seriously, but it can be broken down into manageable elements. It looks daunting but it can be done. We have worked with a number of companies to help them ensure compliance – the expertise within BT Wholesale means we can make that easier for them."
AT YOUR SERVICE
BT Wholesale’s services cover a number of areas, including security services for network operations and data storage, consultancy on infrastructure security and firewall management, vulnerability assessment and management programmes, and complete monitoring services from BT’s Network Security Operations Centre, which can raise alerts when a threat to cardholder data is detected.
While there are no immediate penalties for failing to reach compliance, the major card brands are putting increasing pressure on companies to meet the standard and reduce the possibility of further embarrassing breaches of cardholder data.
Terry Sanson, Solutions Architect at BT Wholesale, warns: "Companies do need to be aware of the possible financial implications of not adhering to these new regulations. In the future we expect that card suppliers will add one or two percent on transaction costs to cover the additional risk of transacting with non-compliant companies. We can also see the possibility of fines for non-compliance. Both of these scenarios could add up to very serious financial penalties for a company."
He continues: "In addition, if cardholder data gets out of an organisation then there are all the related costs of the compromised data plus the intangible damage to the brand. It can be extremely embarrassing and costly."
In an age where credit card payments, particularly over the internet and telephone, are part of daily life, protecting cardholder data is a critical part of modern business. Seeking help to meet the requirements now may prevent the significant cost of standards slipping in the future.
MANAGED SOLUTIONS – ONE STEP FURTHER
One other option that Communications Providers can consider as part of their security compliance solution is a managed contact centre solution from BT Wholesale.
That is, of course, part of a much bigger decision, in which far more than security is involved. But one considerable benefit of taking this route is that it can support Communications Providers in meeting their compliance obligations, help them keep pace with data and security regulation, and avoid the extra or hidden costs of conforming.
BT’s Next Generation Contact Centre (NGCC) is a pre-packaged, multi-channel contact centre solution that can be integrated into a Communications Provider’s existing call centre infrastructure. It is offered ‘on demand’, or as a hosted solution at one of BT’s data centres.
Says Gordon Cannon: "One of the beauties of NGCC is that it means Communications Providers don’t have to make significant investments in infrastructure, software or security upgrades to reap the rewards of a 21st century contact centre solution. And that includes helping you to become compliant with industry regulations and guidelines now and in the future."
READ BETWEEN THE LINES
Talk to BT Wholesale about how you can best maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).
To find out more about BT’s Next Generation Contact Centre, or to arrange to speak to a specialist, contact BT Wholesale.