How Compliant Are You?

By a Record Retrieve staff member.

Recently a colleague of mine was telling me about her decision to switch private health insurance providers. She had successfully done so, and all was well until she needed to give the agent her credit card details and other personal information.

She told me that the agent had taken her details and then had read them back to her to ensure that they were all correct. Fair enough.

During her customer survey she raised the issue of privacy – the agent had taken her details on a PCI secure line during their recorded call but had then proceeded to read those details back to her, aloud in a busy call centre environment. This was a concern for her, she told me, as she felt that it introduced the possibility of someone overhearing those details and taking advantage of them. Even though the employees may be honest and trusted, it doesn’t ensure good practice when handling sensitive customer information.

A few days later, she said the call centre manager called her to discuss her concerns about her details being re-read aloud. The manager then promptly asked, “is it a legislative requirement?”

Firstly, let’s just outline how many dangers there are with actually reading a customer’s details aloud. It presents the danger of skimming, whereby the agent could be the victim (or the perpetrator) of a compromised terminal or station which collects credit card details. It presents the danger of other people overhearing the details and doing with them what they will. The list of ways in which details could be compromised goes on. Much in the same way one wouldn’t shout their credit card details from the rooftops, it’s very unlikely they would want someone else to do so!

The legalities and best practice suggestions of PCI are many. Specifically though, PCI requirements stipulate that organisations that process cardholder information must:

  • Encrypt transmission of card-holder data and sensitive information across open public networks
  • Protect cardholder data by business need-to-know
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data

These PCI requirements generally refer to capturing and storing CVV details. But they should be looked at from another perspective: with all these safeguarding standards, it is implied that repeating any kind of credit card or sensitive customer details aloud is a no-no.

A PCI information supplement, Protecting Telephone-based Payment Card Data, explains that PCI “requires measures to protect any systems that store, process, and/or transmit cardholder data. This impacts call recording management and storage, and control of the agent/caller interface within the physical call-centre space.”

Within the physical call centre space is where it gets interesting. There have even been discussions of having a “clean” call centre room. That means clean desks, no paper and pens for writing things down, and no personal phones. From a PCI perspective there are many suggestions for best practice, but much of it is simply common sense.

That’s what this is all about: instilling a sense of urgency for best practice. Because any instance of card information being breached is a business’s failure to safeguard its customers’ data.

For example, in another instance, the very same colleague had some issues with an online purchase that had been made. At the end of the mix-up, the online company requested that my colleague send her credit card details via email. Perhaps a small online business would make such a rookie move – it’s extremely unlikely that a bank or larger online retailer would ask its customers to supply their details via email. Or would they? Perhaps the person dealing with this is new, doesn’t know the compliance ropes, or has never been taught the ropes.

To protect customer details, many call centres and businesses are applying technology that is compliant with PCI DSS, and the approach to this is multifaceted. It’s about the best approach, the best practice in line with PCI standards, which ultimately protects cardholder data. Such a best practice measure could be to prevent card details from entering the call centre environment at all, so that agents never see or hear the card information being relayed to them. There is technology out there which, when customers provide their details using the phone keypad, converts the audio tones into flat monotones so that the digits cannot be recovered from the call audio or recording. Agent screens displaying a customer’s file likewise mask the card number from view so it is not seen.
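The two controls described above, masking the card number on the agent’s screen and keeping it out of the call recording, can be illustrated in code. This is an added example and not code from Record Retrieve or from any PCI vendor; the transcript text is constructed for the demonstration, and the test card number is the well-known 4111… test PAN rather than a real card.

```python
import re

# Luhn checksum: used so that only digit runs which are plausibly card
# numbers get redacted, and order references or phone numbers are left alone.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_bin: bool = False) -> str:
    """Mask a PAN for display on an agent screen.

    PCI DSS permits at most the first six and last four digits to be shown;
    an agent with no business need to see the number gets only the last four.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    head = digits[:6] if keep_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def redact_transcript(text: str) -> str:
    """Remove card numbers from a call transcript or recording index.

    This is the text-side counterpart of DTMF masking: the number never
    survives in the stored record, only a last-four reference for lookups.
    """
    def replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return match.group(0)          # not a card number, leave it alone
    return PAN_RE.sub(replace, text)

# Constructed sample: a card read aloud, plus an order reference that must survive.
SAMPLE_TRANSCRIPT = (
    "Agent: so that is card 4111 1111 1111 1111, expiry 12/25, "
    "for order reference 1234567890123, is that correct?"
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```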

While compliance is a subscription to a set of very strict regulations, it should also be an attitude: subscribing to those regulations and striving to continually evolve with the very fluid nature of compliance standards through the best possible best practice approaches. The point from these two real-world examples is that compliance is more than just technology; it’s a culture, and the two should be inextricably linked. Without technology there is no compliance, but without a compliance culture there is also no compliance.

So back to the call centre manager in question: whether it is or isn’t a legislative or regulatory requirement is beside the point. Atop all of the requirements, standards and suggestions that PCI presents is the clear-cut, glaringly obvious raison d’être: to protect cardholder information. The how is up to the business. The need is most definitely there.

Contact us today to learn more about how you can address compliance!
