
The PCI Compliance Checklist For Remote Workers


PCI compliance in the contact centre ensures that both your customers and your business are protected from the risks of taking payments, and from the consequences of non-compliance.

As you have likely been working from home (or other remote locations) since the start of the coronavirus pandemic, it’s important to understand the implications of taking customer payments from a non-office location.

According to PCI Compliance Guide, if you are found to be in breach of PCI DSS, you could be fined £4,000 to £80,000 per month by payment providers.

In this post, we cover all angles of PCI DSS to ensure your business is protected.

1. What does PCI DSS compliant mean?

2. Is PCI DSS compliance mandatory?

3. Who is subject to PCI compliance?

4. How do I get PCI DSS compliance?

5. What if I am not PCI compliant?

What does PCI DSS compliant mean?

Being PCI DSS compliant means you adhere to the standards set out by the PCI Security Standards Council (PCI SSC). This is an independent body created by the major payment providers including Visa, MasterCard, and American Express.

There is no PCI DSS product. But, there are 12 requirements every business that takes payments must meet.

These are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

“Being PCI compliant” means you have the processes and technology in place to meet these standards each time you take a payment. It is not a one-time process and you must demonstrate the ability to take PCI DSS compliant payments on an ongoing basis.

What does PCI DSS stand for?

PCI DSS is short for Payment Card Industry Data Security Standard. This is the standard any business receiving a customer payment must adhere to.

PCI DSS compliance is often shortened to PCI compliance too.

Is PCI DSS compliance mandatory?

PCI DSS is not a law but an industry standard laid out by payment providers like Visa, American Express, and Mastercard.

This means it is not mandatory for all businesses. But, that doesn’t mean your business should not be PCI compliant - far from it.

Under several UK and EU laws, PCI DSS is mandatory. It is therefore much safer to de-risk your contact centre by being PCI compliant.

Failure to adhere to PCI DSS standards could be punishable by the European Union’s General Data Protection Regulation (GDPR), or the UK’s Data Protection Act (DPA).

Who is subject to PCI compliance?

According to the guidelines, “any entity that stores, processes, and/or transmits cardholder data” is subject to PCI compliance. This has been the case since December 15th, 2004.

Visa lays out four merchant levels to help businesses decide which level of PCI compliance they must adhere to:

  • PCI DSS Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • PCI DSS Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
  • PCI DSS Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  • PCI DSS Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

And yes, even remote workers are subject to PCI compliance.

PCI compliance and remote working

The PCI compliance requirements for companies working remotely either full-time or part-time are identical.

If you were forced into sending your agents to work from home during the coronavirus pandemic, this may leave you at risk of failing to adhere to PCI DSS requirements as you may not be able to protect cardholder data at rest or in transit.

This includes businesses of all sizes in line with the PCI DSS levels outlined in the section above.

PCI compliance for remote workers is therefore exactly the same as it is for any other business. The requirements remain as follows:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.

Do small businesses need to be PCI compliant?

The PCI compliance requirements for small businesses are clear:

  • Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, must adhere to PCI DSS Level 4.

So, regardless of the size of your business, you must be PCI compliant if you store, process, and/or transmit any cardholder data. In simple terms, if you take payments then you must adhere to PCI DSS.

Often, in small businesses, it’s easier to send and receive money via PayPal. Let’s look at the nuts and bolts of PCI compliance and PayPal.

Do I need to be PCI compliant if I use PayPal?

The PCI compliance requirements for PayPal users are clear:

  • Any merchant processing payment transactions, regardless of acceptance channel, must adhere to PCI DSS.

The good news is that PayPal is PCI compliant itself. As PayPal transmits cardholder data, it must adhere to the standards outlined just like any other business.

PayPal splits its products and services into two groups with regard to PCI DSS:

The following products are PCI compliant:

  • Website Payments Standard
  • Online Invoicing
  • PayPal Checkout

The following products are not PCI compliant themselves, so you must ensure your business is:

  • Website Payments Pro
  • Virtual Terminal

If you’re using these PayPal services but your business is not yet PCI compliant, you could be subject to a fine. This could range from £4,000 to £80,000 depending on your business and the transactions you complete.

How do I get PCI DSS compliance?

Achieving PCI compliance is difficult at the best of times - let alone when the people taking payments are no longer located inside your physical contact centre.

Nasstar specialises in de-risking contact centres and homeworking environments. Either as part of a new contact centre rollout or by adding to and upgrading the technology in your existing setup, we can provide a full suite of payment applications covering contact centre, mobile, and web through to self-serve and chatbots.

So that craftily worded line in the standards, “regardless of acceptance channel”, is catered for.

You choose the best option for your business; we keep you compliant.

Steve Dungworth, Director of Digital Transformation at Accent Housing, went through this process with Nasstar recently:

“This project was about modernising our voice communications internally and helping us work more efficiently in order to better serve our customers. The HANA award win was a recognition that our solutions from Nasstar have done just that, offering technology that is easy for staff to use, is resilient to ensure business continuity and - most importantly - improves customer experience through the contact centre.”

What if I am not PCI compliant?

If your business doesn’t adhere to PCI DSS guidelines, you could be subject to a fine between £4,000 and £80,000 per month.

Miranda Yan, Founder of VinPit, was fined as a result of not being PCI compliant. She says:

“Although we learned the hard way, I wish we had known that PCI was actually there to protect the company’s data and the information of every cardholder in case of hacking or any unusual data breaches.

We were fined nearly 23% of our earnings since we were a level 2 business and therefore cannot afford much to lose. So, we now abide by the rules after we got fined.”

As mentioned above, PCI DSS is not a UK or EU law. But we don’t think it’s worth the risk of processing card payments (on any channel, don’t forget) and getting caught out because you didn’t install the right piece of technology to keep your customers’ data secure.

With any contact centre deployment, we ensure any payments taken will be secure and PCI compliant as standard.

Trust us. It’s not worth the risk.