October 4, 2018 by Siobhan Climer
Payment card industry – PCI – compliance is not a clean-cut process. The PCI Security Standards Council is regulated by the credit card industry, not the government, and enforcement of PCI compliance only takes place after a breach. Despite these challenges, PCI compliance is essential to operating in today’s economy.
To take credit cards – and work with banking institutions – your business needs to remain compliant. While ensuring the procedures for collecting, storing, or transferring credit information, many organizations forget that you must also use PCI compliant hardware. Whether a small business using an iPhone and Squarespace, or a 1000-agent contact center using Cisco phones and headsets, every element of hardware that may be used in the processing, storage, or transfer of credit card information must be compliant.
Contact centers in particular feel the effects of PCI compliance amendments. Use our Contact Center PCI Compliance Checklist to get started in assessing your current compliance state.
What Is PCI Compliance
In an effort to secure increased security for consumers in the use of credit cards, all major credit card companies joined together to create the Payment Card Industry Security Standards Council. Over the past decade, the council has developed rigorous standards to which any merchant or service provider that processes, stores, or transfers credit card information must adhere. This year, the PCI Security Standards Council released PCI Data Security Standard (DSS) V3.2.1. In the latest version of the PCI DSS, any hardware that is used in the processing of credit card information must be compliant as well. PCI compliant hardware came as a surprise to many businesses, large, and small.
PCI Compliant Hardware: What Counts?
Let’s pause for a moment and consider the hardware a business that is PCI compliant might use.
This is obviously not an exhaustive list, but it begins to highlight the complications that arise from ensuring PCI compliant hardware is integrated in every facet of your business. Any equipment that is used to process or store credit card payment information, from a POS terminal to your managed servers, must meet the 12 PCI DSS requirements (though there are well over 200 sub-requirements):
Defining Scope Of Credit Card Information Flow
Determining what hardware and software must be PCI compliant doesn’t have to be complicated. A great first step is to create a flow diagram that delineates the process by which credit card information enters, travels, and leaves the network perimeter. Once you have your diagram, it is simply a matter of identifying each element within that pathway and ensuring those segments are compliant.
Even with a dedicated IT team, the process of diagraming, segmenting, and creating end-to-end security protocols that include PCI DSS V.3.2.1 is complicated. Working collaboratively within the business or with a specialized partner gives additional confidence that compliance is met.
While it’s clear your POS terminals and servers must be compliant, delineating PCI compliant hardware can become more difficult the closer to the perimeter you move.
For example, a locally-owned and managed coffee shop uses Squarespace to process payments. Squarespace is a PCI compliant platform, or software. The payment processors Squarespace uses, Stripe and PayPal, are also PCI compliant. However, if the shop owner simply has staff use Squarespace on a staff iPhone, the phone itself must also be PCI compliant. If staff bring their own phones in from home, you expand the network perimeter and where PCI compliance matters.
On the other hand, large contact centers utilize thousands of hardware devices to process payments. Every phone, computer, keyboard, mouse, and headset must be PCI compliant, especially given call recording and omnichannel solutions. The recent adoption of PCI DSS V3.2.1 adds a new complication to the mix. The Cisco 7900-series phones most contact centers use are no longer PCI compliant.
Contact centers across the U.S. must utilize an upgraded phone system to ensure PCI compliant hardware going forward. While the 7900-series remained compliant for the last decade, contact centers must now move to using new PCI compliant phones, such as the Cisco 7841-series.
No matter the size of your business, PCI compliance is essential. Data breaches, which trigger a PCI audit by the PCI Security Standards Council, are increasing in number. Businesses that are not prepared for a breach are more statistically likely to go bankrupt within 6 months of a breach. Ensure you have PCI compliant hardware and software by working with a trusted partner, like Mindsight.
If you are considering a strategic contact center transformation, take a moment to view our free ebook Customers Drive, You Navigate: Your Contact Center Roadmap to Customer Care Success.
Like what you read?
Contact us today to ensure you have PCI compliant hardware.
Mindsight, a Chicago IT consultancy and services provider, offers thoughtfully-crafted and thoroughly-vetted perspectives to our clients’ toughest technology challenges. Our recommendations come from our experienced and talented team of highly certified engineers and are based on a solid understanding of our clients’ unique business and technology challenges.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year old daughters. Find her on twitter @techtalksio.