The holidays are almost here. Hooray! While people may forget to wash their hands after going to the bathroom or forget their anniversary was yesterday, there’s no doubt they’ll remember to call your store about that Hatchimal shipment, or to find out why their next-day-air package hasn’t arrived. Seriously, where is that package!?
Whether you operate an old-fashioned brick-and-mortar business or you run an eCommerce shop, you need to start getting your communication channels in order ASAP so you can showcase your jaw-dropping customer service come Black Friday. Outsourcing your calls to an answering service is a great way to shine while alleviating some of the pressure on you and your staff. However, if your answering service isn’t PCI compliant, your business is at risk! Worried? Don’t be. Sit back and hit that eggnog while we break down what PCI compliance is, when your answering service needs to have it, and what probing questions to ask to make sure they are certified.
What does it mean to be PCI compliant?
The Payment Card Industry Data Security Standard, better known as PCI DSS, was founded in the early 2000’s to combat the rise in security data breaches. In order to be PCI compliant, a company needs to either complete a yearly self-assessment or pass a quarterly security scan. Plus they get a super cool certificate to show off.
Do answering services need to be PCI compliant?
It depends! If an answering service is processing payments on a customer’s behalf, then they are required to be PCI compliant. If they aren’t, they don’t need to be.
How do I know if my answering service is PCI compliant?
For starters, you can ask them for their Certificate of Compliance. This will show what assessment body they were certified by, what category their certification was, the conditions of issuing, the validation length, the signature of the qualified security assessor, and the certification date. Here are a few of the more important conditions they would have had to meet to be certified:
- Secure Building Entry: In order to access a building, the answering service will have secure points of entry. For example, employees may be provided key cards with identification or a unique code for access. This ensures that Joe “Identity Thief” Smith can’t wander in off the streets and access any personal data.
- Secure Credit Card Documentation: If your answering service records calls, the recording feature would need to be able to be turned off while credit card numbers are being documented.
- Say No to Papers: All virtual receptionists would be required to work in paperless environments and without their cell phones, so they don’t have the ability to write down any CC information they’ve gathered for later nefarious use.
- Secure Online Portal: If your answering service has a portal and is logging credit card information as part of the message, that information can’t be accessible indefinitely. Credit card data, if stored, should be purged after 30 days, and CVV codes never stored.
- Completing the Appropriate Tests: In order for your answering service to maintain PCI compliance, specific tests and assessments need to be completed routinely. Some tests include the Qualified Security Assessor (QSA) assessment and the Self-Assessment Questionnaires (SAQ). With the SAQ, there are 4 assessments, broken down into A, B, C or D. Depending on how a business operates and how they are handling payments, they may need to complete different forms. For example, if your answering service accepts payments and then stores credit card information for further purchases, they would be required to fill out the SAQ D form, which is the longest, whereas an answering service that is just accepting payments and not storing them for future use would just need to fill out SAQ A, which is the shortest form.
- Having Protected Systems: All systems where data is stored should require credentials for access, and all credentials should be individualized to each employee.
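To make the "Secure Online Portal" condition concrete, here is an added example (not code from the post or from any particular answering service) of how a message portal could apply the controls listed above at intake: a CVV mentioned in a message is never written to storage, a card number is replaced by a masked form keeping only the last four digits, and any record that carried card data is purged once it is older than 30 days. The Luhn check, the regular expressions, the `MessageStore` class and the sample messages are all constructed for this illustration; purging the whole message that carried card data (rather than just a field) is a simplifying assumption.

```python
"""Illustrative card-data handling for an answering-service message portal.

Added example, not the page's or any vendor's code. Demonstrates three of the
PCI-related conditions the post lists: never storing the CVV, keeping only a
masked card number, and purging stored card data after 30 days.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Retention window named in the post (assumption: applied per stored message).
RETENTION_DAYS = 30

# Constructed patterns: a CVV/CVC mention followed by 3-4 digits, and a run of
# 13-16 digits optionally separated by spaces or dashes (typical card formats).
CVV_PATTERN = re.compile(
    r"\b(?:cvv2?|cvc|security code)\s*(?:is|:|#)?\s*\d{3,4}\b", re.IGNORECASE
)
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize(raw: str) -> Tuple[str, bool]:
    """Return (text safe to store, whether a card number was found).

    The CVV is dropped outright; a Luhn-valid card number is replaced by a
    masked form that keeps only the last four digits.
    """
    text = CVV_PATTERN.sub("[CVV removed]", raw)
    found = False

    def _mask(match: "re.Match[str]") -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # not a card number: leave it alone
        found = True
        return "****-****-****-" + digits[-4:]

    text = PAN_PATTERN.sub(_mask, text)
    return text, found


@dataclass
class Message:
    received_at: datetime
    body: str            # sanitized text as shown in the portal
    has_card_data: bool  # True if a card number was masked at intake


class MessageStore:
    """In-memory stand-in for the portal's message table (constructed)."""

    def __init__(self) -> None:
        self.messages: List[Message] = []

    def record(self, raw_body: str, received_at: datetime) -> Message:
        # The raw text is never stored; only the sanitized body is kept.
        body, found = sanitize(raw_body)
        msg = Message(received_at, body, found)
        self.messages.append(msg)
        return msg

    def purge_expired(self, now: datetime) -> int:
        """Drop messages that carried card data and are older than 30 days."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [m for m in self.messages
                if not (m.has_card_data and m.received_at < cutoff)]
        purged = len(self.messages) - len(kept)
        self.messages = kept
        return purged


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    store = MessageStore()
    t0 = datetime(2023, 11, 1, tzinfo=timezone.utc)
    store.record("Wants to pay with 4111 1111 1111 1111 cvv 123", t0)
    store.record("Where is package 1Z999AA10123456784?", t0)
    for m in store.messages:
        print(m.received_at.date(), m.has_card_data, m.body)
    print("purged after 31 days:", store.purge_expired(t0 + timedelta(days=31)))
```

Run as a script, the example prints the two sanitized messages and then reports that the one carrying card data was purged after 31 days while the shipping question was kept. A real portal would run the purge on a schedule and would also need the call-recording pause described above, since a recording is another place the full card number could otherwise persist.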
What happens if an answering service accepts payments, but is not PCI compliant?
If your answering service is accepting payments without being PCI compliant, that’s a major oopsie. According to the PCI Compliance Guide, payment brands “may fine an acquiring bank anywhere from $5,000 to $100,000 per month for PCI violations. The banks could pass this fine along until it reaches the merchant, and they may terminate their relationship or increase transaction fees.”
While these repercussions would only affect the answering service itself, your brand could still be in jeopardy. For example, if the answering service you’re using got hacked and leaked data, you would need to let your customers know what happened and how their personal information was affected. Basically, it’s not a good look.
How do I choose the right answering service?
Choosing the right service with respect to PCI compliance really depends on your needs and what you’re having the service do on your behalf.
Your answering service doesn’t need to be PCI compliant if:
- They are just taking messages about orders and passing those messages to you
- They are answering shipping questions and not accessing any sensitive data
- They are generating quotes or estimates without any payment exchange
Your answering service needs to be PCI compliant if:
- They are processing orders on your website and taking payment information
- They are processing orders via their merchant account