Is Your IVR Provider PCI Compliant?
If your IVR provider accepts and processes credit card information, then it must be PCI compliant to ensure your systems are secure and customers can trust you with their sensitive payment information. But what exactly does compliance entail? And how do you ensure that your IVR provider is in fact PCI Compliant? Read through the following to get a basic understanding.
You can also register for our webinar, “Is Your Call Center PCI Compliant?” which will feature a broader discussion than what is in this blog. Learn more and view the webinar here.
PCI Compliance: Why is it important?
The Payment Card Industry Data Security Standards (PCI DSS) are set by the PCI Security Standards Council. This council was formed by the major payment card brands to manage the ongoing evolution of the Payment Card Industry security standards. Being compliant means that you meet and adhere to their requirements for PCI DSS at all times. This is an ongoing process, not simply an annual audit.
Contact centers that outsource calls to an IVR vendor can benefit from a PCI Compliant provider because it takes payment data out of the hands of their live agents. However, entrusting a third-party with your customers’ sensitive payment information poses a huge risk to companies if the provider is not PCI Compliant.
Some of the negative consequences your company can suffer as a result of not being PCI Compliant include:
- Account data breaches
- Lawsuits
- Insurance claims
- Cancelled accounts
- Payment card issuer fines
- Government fines
How do you know your IVR provider is PCI Compliant?
The easiest and most trustworthy way a business can find out if an IVR provider is PCI Compliant is to ask for PCI Certification documents.
PCI Certification simply means the company satisfies the 12 requirements laid out by the PCI Security Standards Council and has been certified by a third-party Approved Scanning Vendor (ASV) and/or Qualified Security Assessor (QSA).
There are four different types of certification:

| Level | Criteria |
| --- | --- |
| Level 1 | Any merchant (regardless of acceptance channel) processing over 6M Visa transactions per year. |
| Level 2 | Any merchant (regardless of acceptance channel) processing 1M to 6M Visa transactions per year. |
| Level 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
| Level 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants (regardless of acceptance channel) processing up to 1M Visa transactions per year. |
QSA companies are organizations that have been officially qualified by the PCI Security Standards Council to have their employees assess compliance with the PCI DSS standard. For most IVR providers, a Level 1 PCI Certification is required to ensure the security of all client information. Your IVR provider should be able to show you a PCI Certification from a valid QSA. Once you see this certification, you can take it one step further by verifying that the QSA is officially recognized by following this link.

An Approved Scanning Vendor (ASV) will conduct a network scan to ensure the required security controls are in place and working. This scan is performed remotely. In addition to the remote scan, Level 1 certifications require an on-site assessment to be conducted by a Qualified Security Assessor (QSA).
Ultimately, ensuring PCI Compliance will give your customers more confidence in purchasing over the phone. Additionally, your reputation with acquirers and payment brands will improve, and your company will be better protected against security breaches and theft of card data.
There you have it, a brief but enlightening overview of PCI Compliance; what it is, why it matters, and how to know if your IVR provider is compliant.