Any organisation that handles Cardholder Not Present (CNP) payments needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) – a set of 12 binding compliance requirements, designed to ensure card data is handled securely and reduces the possibility of data breaches to a bare minimum.
The PCI DSS rules dictate that stored credit card data must be encrypted at all times and various items, such as the 3-digit security code on the back of a card, cannot be stored at all once a payment has been authorised. Additionally, exposure of personnel, including contact centre agents, to credit card information should be kept to a minimum.
Public Sector organisations are no exception, required to not only meet the standards of PCI DSS but other strict regulations such as ISO 27001 and GDPR. With some, such as FCA rules, requiring telephone calls to be recorded. So just how can local authorities meet operational requirements while maintaining payment compliance?
Furthermore, with data breaches regularly reported in the media, public sector organisations would not want to be exposed by non-compliance or data breaches. A recent survey carried out in the UK found that ‘Government’ was regarded as one of the top five least secure industries when it came to data security.
As well as compliance challenges, local authorities are looking at ways to make call handling as efficient as possible, while providing a quality experience to the person at the end of the line. The preferred solution when taking payments over the phone is to keep customers on the live call, however historically there have been PCI Compliance issues with this approach as agents are exposed to customers’ sensitive card data, which creates a potential risk.
Many local authorities are heavily reliant on customers paying through Interactive Voice Response (IVR) systems, which are automated systems that allow a computer to recognise and process both speech and DTMF telephone keypad tones. The difficulty arises however when the customer is transferred to an IVR, where high levels of dropouts are experienced as some customers struggle to navigate the automated process. And, when customers are paying a car parking fine or similar, adding automation at a time when they may be frustrated or reluctant to pay, simplifying the process is likely to help reduce dropped-call-rates.
With customers from every walk of life – those familiar with technology and those who aren’t – public sector organisations need to identify a seamless payment solution to ‘apply across the board’, where customer service teams can fully assist callers for an improved service. One that ensures payments are taken securely, preventing the fall out that comes from cyber-attacks and helping to maintain the trust of the public.
At PCI Pal, we have helped many public sector organisations achieve and maintain PCI Compliance. Read about one Borough Council’s compliance journey here and learn how they improved customer service while descoping their organisation entirely from the requirements of PCI DSS.
*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by PCI Pal. Read the original post at: https://www.pcipal.com/en/knowledge-centre/news/pci-compliance-for-the-public-sector/