De-scoping from PCI DSS
The easiest way to solve the issue of PCI DSS compliance is to take the call centre out of scope of the standard altogether by making sure that sensitive payment information from customers does not enter your systems in the first place:
- If your customers do not read out their payment information over the phone, your agents cannot hear it, cannot write it down and cannot pass it on to anyone else. This immediately takes the contact centre environment and your agents out of scope for PCI DSS.
- If your agents do not enter sensitive payment information into their desktop, this too takes both the desktop and the network it is running on out of scope for PCI DSS.
- If payment processing is outsourced and not done in-house, this too de-scopes your contact centre systems from PCI DSS.
All of this can be achieved using the Semafone solution because:
- Customers enter their payment information using the telephone keypad, and Semafone masks the DTMF digits so they cannot be heard by the call centre agent, nor recorded on the call recording system.
- When the time comes to take payment, simply moving to the payment page triggers Semafone’s SecureMode. As the customer taps in their information, the relevant fields are automatically populated (masked by asterisks), so the sensitive information does not enter the desktop.
- The payment details are sent to your Payment Services Provider, where the payment is processed and authorisation is sent back to your system to allow the transaction to continue.
Simple and effective
The Logic Group’s Robin Adams, a Qualified Security Assessor accredited by the PCI Security Standards Council, says: “By far the best way to help ensure your contact centre complies with the PCI Data Security Standard is to remove the payment element from the call entirely. I believe that a solution, such as Semafone, which can prevent sensitive information entering a merchant’s system is the simplest and most effective way to achieve this.”
Semafone has recently been awarded Payment Application Data Security Standard (PA DSS) accreditation by the PCI Security Standards Council, which means the Council has recognised the software as an effective way to become compliant with PCI DSS.
Saving your organisation money
“We had struggled for a long time with the issue of PCI DSS compliance,” says Neira Jones, head of payment security at Barclaycard, “and it was costing us a lot of money and man hours. Even then, we weren’t sure we were completely compliant. Taking the contact centre out of scope for the standard certainly eased my workload, as well as the financial burden of maintaining security controls and vetting hundreds of agents.”
If you’re wondering how much PCI DSS compliance is costing your business, Semafone can come into your organisation and review your current processes and compliance procedures to determine what savings Semafone could bring to your business.






