PCI Compliance and What to Look for in a Vendor

Did you know that you’re responsible for protecting all your customers’ card data and payment details? Unless you’re able to prove you handle payments and store data in a way that’s PCI DSS compliant (Payment Card Industry Data Security Standard), the payment card companies won’t underwrite any fraudulent losses. That can be an expensive mistake!

Last month, the PCI Security Standards Council (PCI SSC) offered guidance for securing payment card data in cloud environments. More than 100 global organisations, including a range of technology vendors, came together to help businesses identify and address the security challenges of different cloud architectures and service models, and understand their PCI DSS responsibilities when implementing these solutions.

So what should you look for when selecting a cloud PCI vendor?

It's not enough just to get their certificate. As the report recommends, companies that have undergone PCI DSS compliance assessment and validation will be able to provide clients with proof-of-compliance documentation, such as the Attestation of Compliance (AOC) and the applicable sections of the Report on Compliance (ROC), including the date of assessment. They should also be willing to share evidence of which system components and services were excluded from the assessment.

Specific due-diligence processes and goals will vary for each organisation, but typically, it is recommended that you look for the following:

  • A history of sound work practices and ethical behaviour
  • Potential risks with the provider that may impact your business
  • Areas of the service that need to be clarified and included in the service agreement
  • Assurance that the provider is compatible with your business image and risk profile

If you are taking credit card orders, or if your customer service agents are exposed to your customers' credit card information, it’s so important to take a hard look at your contact centre vendor. They really do need to be a PCI DSS Level 1 validated service provider, as that means they have been externally audited rather than self-certified. After all, do you really want to trust your customers’ card details to someone who has marked their own homework?

Ashley Unitt

Ashley founded NewVoiceMedia to exploit the obvious benefits of putting an enterprise-class contact centre in the cloud, and now serves as Chief Scientist, leading the architecture and research teams. Prior to NewVoiceMedia he spent ten years at Teamphone.com Ltd developing innovative CTI software solutions including voicemail systems, hot-desking products and an open source gate keeper. Ashley's blog will focus on security, PCI-DSS and general cloud computing issues. Outside of work he spends most of his time running around after his two young children. You can follow Ashley on Twitter at http://twitter.com/aunitt.
