New PCI Enforcement Starts Later This Month
The Payment Card Industry has updated its Data Security Standard (PCI-DSS), and companies have until the end of this month to get their contact centers and other customer-facing operations into compliance. Companies that fall short could face higher transaction fees, the loss of card processing privileges, and heavy fines. The fines are levied by the card brands on a merchant's acquiring bank, which typically passes them down to the merchant, and they are scaled to the size of the business and, after a breach, to its scope. Penalties usually range from $5,000 up to $100,000 a month until the issue is fixed and the company comes into compliance.
The newest version of the PCI-DSS (version 4.0.1) is a limited revision that clarifies the stringent requirements introduced in version 4.0 for phishing protection, tamper protection for e-commerce payment pages, password length and complexity, multifactor authentication for all access into the cardholder data environment, authenticated vulnerability scans, and oversight of third-party service providers. Those requirements were future-dated when 4.0 was published, meaning they counted only as best practices until the March 31 deadline; from that date they are mandatory.
To become PCI compliant, companies must meet the 12 principal requirements, which break down into roughly 300 sub-requirements. Grouped by topic, the 12 cover network security controls (what earlier versions called firewalls), secure configurations with no vendor-default passwords, protection of stored account data, strong cryptography for cardholder data sent across open public networks, anti-malware protection, secure development and patching, need-to-know access restrictions, identification and authentication of users, physical access controls, logging and monitoring, regular testing of security systems and processes, and an information security policy that assigns responsibility for all of it.
For companies, maintaining PCI-DSS compliance has several key benefits. Chief among them: compliance helps protect them from data breaches. According to a study conducted by Verizon, compliant businesses are 50 percent more likely to withstand an attempted breach.
Research has also found that customers are more likely to buy, especially on the internet, from companies that can demonstrate their data security through PCI compliance.
Because credit card fraud is such a widespread problem, the major credit card issuers, including American Express, Discover, JCB International, Mastercard, and Visa, initially developed the PCI-DSS in 2004. The initial version, PCI-DSS version 1.0, consolidated the security programs of these founding members into a single, unified standard. The standard has been updated every two years or so to keep ahead of changing fraud trends and emerging threats.
The PCI Security Standards Council released version 4.0.1 in June 2024, and the future-dated requirements it carries over from version 4.0 become mandatory on March 31, 2025. Version 4.0 also introduced a customized approach to compliance: instead of implementing a requirement exactly as written, an organization may meet the requirement's stated objective with alternative controls, provided it documents a targeted risk analysis and its assessor validates that the controls are effective. Version 4.0.1 additionally clarified which entities must use keyed cryptographic hashes, rather than plain hashes, when hashing is the method chosen to render primary account numbers unreadable.
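Why the standard cares whether the hash is keyed is easy to show. The Python script below is an added example written for this article, not code from the PCI Security Standards Council or from any vendor. It uses the standard Visa test number 4111 1111 1111 1111 as a constructed sample (not a real account) and assumes an attacker who holds the stored digest plus a masked display of the same card, meaning the first six and last four digits, which is the most the standard allows on a receipt or screen. Because the Luhn check digit is among the known digits, only about a hundred thousand candidates remain, and an unkeyed SHA-256 gives up the full number in well under a second; the identical search yields nothing against an HMAC whose key the attacker does not hold.

```python
import hashlib
import hmac
import secrets
from typing import Iterator, Optional, Tuple

# Constructed sample: the standard Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum; a valid PAN has a sum that is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the approach version 4.0 no longer accepts on its own."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is kept in a key-management system,
    never next to the digests (the keyed-hash requirement the article refers to)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidate_pans(bin6: str, last4: str) -> Iterator[str]:
    """Every Luhn-valid 16-digit PAN with the given first six and last four.

    Six digits are unknown, but the Luhn check digit is among the known last
    four, so one unknown digit is forced by the other five: 10**5 candidates,
    not 10**6.  Position 11 (counting from 0) sits at an even offset from the
    right and is therefore not doubled, which lets us solve for it directly.
    """
    for mid in range(10**5):
        stem = f"{bin6}{mid:05d}0{last4}"
        fix = (-luhn_sum(stem)) % 10
        yield stem[:11] + str(fix) + stem[12:]


def recover_pan(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Offline guessing attack.  The attacker can compute plain SHA-256, so an
    unkeyed digest falls; without the HMAC key no candidate can ever match a
    keyed digest, and the search comes back empty."""
    for pan in candidate_pans(bin6, last4):
        if hashlib.sha256(pan.encode()).hexdigest() == digest:
            return pan
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    key = secrets.token_bytes(32)           # would come from an HSM or KMS in production
    masked_first6, masked_last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]
    from_unkeyed = recover_pan(unkeyed_hash(SAMPLE_PAN), masked_first6, masked_last4)
    from_keyed = recover_pan(keyed_hash(SAMPLE_PAN, key), masked_first6, masked_last4)
    return from_unkeyed, from_keyed


if __name__ == "__main__":
    print(demo())   # ('4111111111111111', None)
```

The practical lesson is that a hash of a PAN is only as secret as the digits an attacker cannot already see, so an unkeyed hash stored next to a masked PAN is not "unreadable" in any useful sense; the key, and the key management around it, is what the requirement actually buys.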
The PCI standard applies to all entities that store, process, or transmit cardholder data and sensitive authentication data or could impact the security of the cardholder data environment. This includes merchants, payment processors, acquirers, issuers, service providers, and, importantly, contact centers.
PCI-DSS version 4.0.1 also suggests, though it does not require, that contact center agents and others covered by the standard no longer handle credit card numbers over the voice channel.
“The PCI Council wants to eliminate people collecting credit card numbers over the phone because people can listen in,” explains Robert Wakefield-Carl, senior director of innovation architects at TTEC Digital, a customer experience technology and services company. “The risk of eavesdropping in and outside of the contact center is very real.”
Additionally, outside of secured services, customers should never have to provide credit card numbers over any channel unless it’s a secure form or a secure input, Wakefield-Carl says. “It’s changing the way that companies are taking credit cards. A lot of them are moving toward token-based systems so that they don’t actually receive credit card numbers.”
Tokenized systems like this need to be set up in advance, by the agent or by the customer online; after that, a transaction requires only confirmation of the last four digits of the payment card.
Other contact centers are re-engineering the way they accept credit card numbers, Wakefield-Carl says. Some of those are sending secure links to customer smartphones or confirmed email addresses. The link connects the customer to a secure website to enter payment card information, then the agent receives a token or confirmation so the agent never has access to the payment card data.
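The flow just described can be sketched end to end. The Python below is an added example written for this article, not code from TTEC Digital or from any payment processor; the token vault, the hosted_page_flow function, the role names and the test card number 4111 1111 1111 1111 (a constructed sample, not a real account) are all assumptions made to illustrate the design. It shows the property that keeps the agent desktop out of scope: the agent's log ends up holding a random token and the last four digits, the security code is never stored, only the processor-side code path can turn the token back into a card number, and a crude scan for card-number patterns can confirm that a transcript or note stayed clean.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the standard Visa test number and a made-up security code.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_CVV = "123"

PAN_FORMAT = re.compile(r"\d{13,19}")                          # format check only, no Luhn test
PAN_IN_TEXT = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces/dashes allowed


@dataclass(frozen=True)
class AgentView:
    """Everything the agent desktop is allowed to hold about a card."""
    token: str
    last4: str


class TokenVault:
    """Hypothetical vault inside the cardholder data environment: the only
    component that ever holds a full PAN.  In production the store would be
    encrypted under keys held in an HSM or KMS and reachable only from the
    hosted payment page and the processor integration."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str, cvv: str) -> AgentView:
        digits = re.sub(r"[ -]", "", pan)
        if not PAN_FORMAT.fullmatch(digits):
            raise ValueError("not a card number")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("bad security code")
        # The security code is sensitive authentication data: it goes into
        # the authorization request and is deliberately not stored anywhere.
        token = secrets.token_urlsafe(24)   # random; reveals nothing about the PAN
        self._pan_by_token[token] = digits
        return AgentView(token=token, last4=digits[-4:])

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the processor integration may exchange a token for the PAN."""
        if caller_role != "processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Display form the standard permits: at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hosted_page_flow(vault: TokenVault, agent_log: List[str], pan: str, cvv: str) -> AgentView:
    """The customer opens the SMS or e-mail link and types the card into the
    hosted page, which talks to the vault; the agent application receives
    only the token and the last four digits."""
    view = vault.tokenize(pan, cvv)
    agent_log.append(f"card on file: token={view.token} last4={view.last4}")
    return view


def charge(vault: TokenVault, view: AgentView, amount_cents: int) -> Dict[str, object]:
    """Processor-side settlement, the one code path that sees the PAN.  A real
    integration would send it to the acquirer; here we return only what an
    audit record of that call may safely contain."""
    pan = vault.detokenize(view.token, caller_role="processor")
    return {"amount_cents": amount_cents, "pan_masked": mask_pan(pan)}


def pans_in_text(text: str) -> List[str]:
    """Crude check for card numbers in transcripts, chat logs or agent notes."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in PAN_IN_TEXT.finditer(text)]


if __name__ == "__main__":
    vault, log = TokenVault(), []
    view = hosted_page_flow(vault, log, SAMPLE_PAN, SAMPLE_CVV)
    print(log[0], pans_in_text(log[0]))       # token and last four only; no PAN found
    print(charge(vault, view, 1999))           # {'amount_cents': 1999, 'pan_masked': '411111******1111'}
    print(pans_in_text("caller read out 4111 1111 1111 1111 twice"))
```

Two design choices carry the security argument. The token is drawn from a random generator rather than derived from the card number, so nothing an agent can see or copy lets anyone work backwards to the PAN; and detokenization is gated on a role the agent application never holds, so a compromised desktop or a screen recording yields a token that is useless outside the processor integration.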
The latest PCI-DSS revision is the result of concerns over audio as well as the reality that artificial intelligence, particularly agentic AI, is a growing threat vector, says Sanjay Kukreja, principal global head of technology at eClerx, a provider of business process management, change management, data-driven insights, and advanced analytics services. “There is greater emphasis on what a human should be doing and what an [AI] agent should or should not be doing. The overall theme is reducing credit card exposure to agents, recordings, and various AI tools because there is a lot of card data that flows into any contact center.”
Kukreja adds: “Contact centers remain a high-risk digital environment, and so everything around identity, data segmentation, the way you capture the data, and monitoring and vendor governance remains an important part of what PCI-DSS is.”
Kukreja expects additional guidelines as well as more use of AI to help secure contact centers and others involved with payment cards. Fraudsters are already using AI to aid in their attacks, and AI-powered fraud is on the rise and evolving faster than most risk teams can keep up with, he states.
“The latest AI fraud tools, many available off the shelf, are not generic chatbots or image generators repurposed by bad actors. They are built specifically for fraud and designed to target every stage of the life cycle,” Kukreja says. “That includes account creation, identity spoofing, real-time voice manipulation, and more. Many are packaged as ready-to-use kits, complete with documentation and support communities, and are actively shared across cybercrime forums. It’s all part of a popular new business model called ‘Fraud-as-a-Service.’
“With agentic AI, it’s an opportunity as well as a risk that exists,” Kukreja adds.
The PCI Security Standards Council is providing “high-level guidance,” though there is no official standard update on AI as of now, according to Gina Gobeyn, executive director of the PCI Security Standards Council.
Payment Card Fraud Continues to Grow
The new standards come as credit card fraud and identity theft attempts continue to grow. In fact, Security.org reports that 63 percent of U.S. credit card holders have been victimized by fraud, and 51 percent have experienced fraud multiple times. At the same time, 62 million Americans had fraudulent charges on their credit or debit cards in one year, with unauthorized purchases exceeding $6.2 billion annually. A full 21 percent of victims experienced recurring fraudulent charges from the same bad actor. Security.org also found that only 8 percent of fraudulent charges involved stolen or lost credit cards; the rest involved fraudsters accessing personal and account information remotely.
The number of annual payment transactions continues to increase exponentially, and that growth isn’t limited to the number of transactions but is also represented in speed, with tens of thousands of transactions occurring every single second, Gobeyn explains. “There’s no reason to believe those numbers won’t continue to climb and that criminals won’t continue to target payment environments. More than ever, businesses and consumers are demanding payments that are faster, simpler, frictionless, and, most of all, secure.”
Workplace Changes
The updated PCI-DSS has already resulted in several workplace changes at some contact centers, according to Wakefield-Carl. Some facilities are segmenting agents by which ones can or cannot take credit card information.
“Since there are processes involved, and there’s some trust involved, a brand-new hire probably won’t be taking credit cards; it will be someone who’s been around for a while or a senior person,” Wakefield-Carl says, pointing out that new hires typically aren’t immediately trained on back-end systems for accepting credit cards.
“Five to 10 years ago, PCI was just good to have,” Kukreja says. “A lot of people did not get into the details of the importance of protecting card data. But I think what we’ve seen with our clients and our partners on the contact center side is a lot of awareness on everything related to [personally identifiable information] or related to card data.”
Contact center and security experts also recommend that facilities look into other security considerations. In addition to role-based access, contact centers should map the points at which staff come into contact with customers' personal and financial data and where that information is stored. That could mean limiting access to key areas of the building or to certain pieces of equipment, they say.
Also high on the list of recommendations is a ban on mobile phones on the contact center floor. Taking that step closes off an obvious path for sensitive call center information, including a card number read aloud by a caller, to be captured on an agent's personal device.
And when it comes to storing sensitive business data, encryption is an accepted best practice. For PCI compliance it is effectively a requirement: stored primary account numbers must be rendered unreadable, and cardholder data sent across open, public networks must be protected with strong cryptography. The standard does not, however, set a 256-bit minimum. Its glossary defines strong cryptography as industry-tested and accepted algorithms with at least 112 bits of effective key strength (AES with 128-bit or longer keys, for instance), and it pairs that with requirements for documented key management.
“We are also seeing a lot more services that are providing widgets and other mechanisms so that no spoken communication of credit card information is ever sent between the caller and the agent,” Wakefield-Carl says. Additionally, with as many as 99 percent of callers using a smartphone, it’s a relatively simple matter for the agent to send an SMS to a phone on file to authorize the caller, he adds.
The system in place depends largely on which credit card processors are employed by the contact center, according to Wakefield-Carl. “Some credit card processors can’t process the actual credit card. They will process a payment token, and then that token will be used to actually debit the money. It’s not the same for every single processor.”
Other contact centers might push out a form asking for the full card number (16 digits for most brands; account numbers run from 13 to 19 digits), expiration date, three- or four-digit card security code, and the cardholder’s ZIP code; after initial verification, only the last four digits might be needed for subsequent purchases. The amount of detail required varies from processor to processor. Whatever the form collects, the security code is sensitive authentication data and must not be retained after authorization, even in encrypted form.
Contact center security experts also suggest that contact centers revise how they think about the PCI-DSS. An all-too-common pitfall that call centers fall into is viewing PCI-DSS compliance as an annual exercise rather than the ongoing process that it should be. Managers should make sure controls are continuously enforced, not just around the time of the annual review.
They also suggest that data security should be factored into agent training and that coaching should be provided on a regular basis, especially to agents who have demonstrated risky behaviors that could result in compliance failure. Managers should sit in on calls with at-risk agents and help them remain compliant at all times.
This is important because the standards and the threat landscape are both constantly evolving. As noted, the PCI Security Standards Council updates the PCI-DSS roughly every two years and the next update could come out sometime later this year.
“The regulations related to data privacy are going to get more and more stringent,” Kukreja predicts. “The controls are getting more mature, and the way people are architecting their systems is designed to isolate [personally identifiable information and payment card data] from the rest of the network. That’s going to get more and more secure. You’re going to have strong segmentation and the concept of zero trust, where you don’t trust any incoming connection and have very tight control on the egress.”
The PCI-DSS updates also come at a time when the U.S. federal government considers nationwide data security regulations. Many U.S. states already have data protection and privacy regulations on the books. A number of foreign governments are also invested in similar legislation.
U.S. standards often follow in the footsteps of European privacy standards, Kukreja adds. “Europe is trying to drive up a lot of governance on [the General Data Protection Regulation],” Kukreja explains. “They’ve kind of turned the heat on every provider to ensure data privacy is paramount.”
So in Europe and in the United States, companies are designing advanced systems and strategies to mask and otherwise protect card data, making sure that only relevant information is used and destroying any data after a transaction, according to Kukreja. “Companies are at various stages in their maturity curves with this. But at least there is better awareness from a privacy perspective.”
Phillip Britt is a freelance writer based in the Chicago area. He can be reached at spenterprises1@comcast.net.