The credit card industry’s way of keeping a tight lid on fraud and other slippery activity has been through the creation of “PCI” – the short-code name for a comprehensive set of rules that govern just how credit card handlers should protect card information and the privacy of cardholders.
Contact centers, especially those in Latin America and the Caribbean that deal with payments, billing and collections, are naturally prime candidates to adopt PCI. “It’s become a big topic of late and in some situations it’s becoming ‘table stakes,’” says industry consultant Ann Harts, of HartsGroup. “There continues to be a large flow of business opportunities for call center/BPO companies who are PCI compliant… some clients are starting to migrate to this designation as a minimum or an industry standard, even though it may not be needed based on the type of work.”
For one thing, more and more customers are going to demand it, says Thomas Oronti, president of Nearshore Call Center Services, a Dominican Republic-based provider that employs about 1,200 agents in three facilities in the country. Oronti told Nearshore Americas recently that PCI compliance has become a top priority for his organization over the last year. “Bigger companies want to see a PCI certificate,” he says.
In fact, one potential customer – which promised to land about 700 additional seats at Nearshore CC – would only do business with Oronti if his company could obtain PCI certification. “The stumbling block has been PCI,” he says. Current customers at Nearshore CC include two U.S. companies – WellCare, a health services processor, and Direct Energy, an alternative energy provider.
The Biggest Hurdle: IT
Partly as a result of the new business opportunity, Nearshore CC started a PCI compliance program in June of last year. A total of $40,000 was spent throughout the remainder of 2009 on boosting the firm’s capabilities in building protections around the transmission and storage of sensitive data. About $20,000 was spent on a consultant, says Oronti, and other costs were on IT improvements and new equipment. “We feel that the cost is still much cheaper than it would have been in the states.”
Achieving PCI compliance is no easy feat, and one of the biggest issues to tackle is the appropriate configuration of the network. “Our biggest challenge is on the IT side. It’s very intensive,” says Oronti. “We’ve been slowly changing our environment to become fully PCI compliant.” Steps include putting documentation together, completing a full audit and making sure the server containing recordings of credit card numbers is kept inside the firewall.
Oronti stresses that physical security is a big deal at his company. “We have full time security at the entrance. No pen or paper and no cell phones or PDAs... that kind of security mindset progresses on to the floor.” Nearshore CC provides customer service, inbound and outbound sales, lead generation, and confirmation calls.
Six Guideposts to PCI
In order to ramp up your PCI compliance posture, Harts suggests following some of these basic steps:
- Identify and dedicate an IT resource, someone that works well with internal teams, and is accountable.
- Perform preliminary audits to ensure all gaps are identified.
- Budget accordingly. Don’t assume you can throw a nominal amount in the budget to get results. Software, hardware, building improvements, etc. need to be gleaned from the gap analysis/audit, and proposals for the work obtained.
- Build appropriate and realistic timelines, set goals, and hold people accountable for missing any milestones.
- Determine which industries and clients you see as a fit for the site and start discussions during the implementation phase. Gain CapEx approvals prior to these discussions.
- Continue with gap analysis and special audits to identify any gaps and other processes to address and remediate issues promptly.
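The audit steps above, and the recordings server mentioned earlier, come down to one practical question an assessor will ask: does any stored transcript, agent note or log still hold a full card number? As an added example (not from the article, and not tooling used by HartsGroup or Nearshore CC), the following Python script shows the usual way cardholder-data discovery is bootstrapped for such an audit: it pulls every 13 to 19 digit run out of text, keeps only those that pass the Luhn check, and reports them masked so the report itself does not become cardholder data. The record names and contents are constructed; the card numbers are the well-known Visa and Mastercard test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-shaped digit runs found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the usual PCI display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: dict) -> list:
    """Scan {record_name: text} and return (name, masked_pan) findings."""
    report = []
    for name, text in records.items():
        for pan in find_pans(text):
            report.append((name, mask_pan(pan)))
    return report


# Constructed sample records, standing in for transcripts or agent notes
# pulled from a recordings server. Only the first one contains real PANs.
SAMPLE_RECORDS = {
    "call_001.txt": "Agent: card ending? Caller: 4111 1111 1111 1111 exp 12/25. "
                    "Backup card 5555-5555-5555-4444.",
    "call_002.txt": "Order 1234567890123456 shipped, phone 18095551234.",
    "call_003.txt": "Caller declined to give card details over the phone.",
}

if __name__ == "__main__":
    for name, masked in scan_records(SAMPLE_RECORDS):
        print(f"{name}: cardholder data found -> {masked}")
```

A hit means the record is in PCI scope and must be purged or redacted, and the process that produced it fixed; a clean run over a sample of recordings is the evidence that backs the "kept inside the firewall" claim with something more than a network diagram.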
Finally, a related consideration for both contact center providers and sponsoring customers is how strong data protection laws are in the host country. “There is the possibility that the process and designation will be difficult to sell to your internal leadership and clients, in countries that do not have solid data protection laws,” says Harts. “It is imperative to build a secure site, set the appropriate processes, limit external exposure, and audit regularly, with remediation protocol firmly in place.”