Call centre payment compliance: 5 PCI DSS myths BUSTED

Simon Edward • May 10, 2022

Call centre managers: are you confused by the PCI DSS standard? Kick the bad advice to the curb with our myth-busting payment compliance guide.

So you manage a call centre, or you're planning to start one. You've heard about the PCI DSS, but you're not sure exactly what it requires from you.

Totally understandable. The PCI DSS is complicated. It's no wonder many businesses rely on professional help to make sure they're ticking all the boxes for compliance.

And with complexity comes misconceptions. There are many myths floating around the internet that only make the PCI DSS more difficult to get to grips with.

Today, we're going to tackle five of the most common myths and misunderstandings. Because by understanding what the PCI DSS isn't, you'll soon have a better idea of what it is.

But first, the basics…

What is PCI compliance?

PCI DSS stands for "Payment Card Industry Data Security Standard".

It lays out baseline security requirements for any organisation that stores, processes or transmits cardholder data (credit or debit), or whose systems could affect the security of that data. If you accept, store, transmit or otherwise handle card data, then the standard applies to you.

The first version of the standard was published in 2004 by the major card brands. In 2006, five of them (American Express, Discover, JCB, Mastercard and Visa) formed the PCI SSC ("Payment Card Industry Security Standards Council"), which has administered the standard ever since.

PCI DSS is a global standard. Whether you're in Cambridge, Kansas or Kathmandu, the rules still apply.

You can access the latest version of the standard on the PCI SSC website.

Myth 1: the PCI DSS standard is just a guideline

A wise individual once said, "rules are meant to be broken, and guidelines are meant to be ignored".

Well, when it comes to PCI compliance, this so-called wise person is doubly wrong.

The PCI DSS is not a set of guidelines. It's mandatory for ALL businesses that handle card data: compliance is a condition of the merchant agreement you sign with your acquiring bank, which in turn answers to the card brands.

And if you don't play ball? See myth number five…

Myth 2: PCI standards don't apply to us

This is a common myth that comes in countless flavours. Let's examine a few of them.

"It doesn't apply to us because we only take a handful of credit card payments each month". WRONG. If you process card data at all, you have to abide by the standard.

"...because we work on behalf of a non-profit". WRONG. The PCI DSS applies to all organisations, commercial or otherwise.

"…because we don't store card data". Doesn't matter. You're still processing or transmitting the data in some form, and every system and person that touches it is in scope.

"...because we're only a small contact centre". You could be a ten-year-old with a lemonade stand and the standard would still apply.

That last one comes with a teensy caveat. The card brands sort merchants into levels by transaction volume, and smaller merchants (broadly, fewer than 20,000 e-commerce transactions a year, or up to a million card transactions in total) sit in the lowest level, where it's your acquiring bank that decides whether and how you must validate your compliance. But you must remain compliant, whatever the size or shape of your business.

Myth 3: PCI compliance is a one-and-done job

So we just have to fill in a questionnaire, right? So we can just let IT worry about it and then carry on as normal… right?

Uh… no and no.

The PCI validation procedure involves completing a self-assessment questionnaire, sure. But this is designed to help you implement processes for continuing card data and payment security.

And as for IT doing all the work… well, they'll have to do some of it, but assuming it's mostly a technical job is plain wrong. The fact is, PCI compliance requires action and buy-in from all members of staff, whether they're high-level IT managers or the agents who take the calls.

For instance, one requirement is that sensitive authentication data (the three- or four-digit security code, PINs and the full magnetic-stripe or chip data) must never be stored after a payment is authorised, not even on a notepad beside an agent's desk, and any card numbers you do keep must be protected wherever they live, on paper included. This means all staff, especially customer-facing agents, must undergo appropriate training to ensure ongoing compliance.

Another requirement states that access to cardholder data must be restricted on a need-to-know basis. To implement this, you'll need a written card security policy that defines who needs access and why, grant access on that basis only, and review it regularly as staffing structures change.

Sorry, but IT can't just wave a magic wand to make it happen. (Though IT is pretty magical, if we do say so ourselves.)

Myth 4: applying PCI standards makes my systems secure

The PCI DSS requirements are pretty comprehensive, so it's easy to think they provide all-around security for your call centre and its data.

Nope.

Card security should be considered one facet of a wider security policy. The vast majority of modern companies need an internet connection to do business, and the very fact this connection exists means that myriad potential vulnerabilities exist too.

You could have rock-solid card security in place but remain vulnerable to email phishing attempts, website DDoS attacks, and bad-old-fashioned phone scams. For call centres, where multiple internet-connected systems work in tandem, it's especially important to remain vigilant.

While some of the PCI requirements, like installing anti-malware (antivirus) software, do help with business-wide security, it would be foolish to think they automatically turn you into an impenetrable fortress.

(Psst. We can help you strengthen your cybersecurity. Just saying.)

Myth 5: it doesn't matter if I'm not compliant

LOL.

Sorry, that was a wee bit insensitive. But, honestly, have you seen the fines you could face for non-compliance?

If you're found to be in breach of the PCI DSS, you could be fined between $5,000 and $100,000 (around £4,000 and £75,000). The card brands levy the fine on your acquiring bank, which typically passes it straight on to you…

PER. MONTH. Until you fix the problem.

What's more, failing to comply, or suffering a breach, could see you bumped up to a higher merchant level at the card brands' discretion. This would likely mean forking out for an on-site assessment by a QSA (Qualified Security Assessor)… call that another £15,000 to £75,000.

And if you experience a breach, that's a whole other kettle of cash. Then you have to consider potential lawsuits, legal fees and payouts to affected customers. Not to mention the reputational damage your company could suffer.

So… yeah. We think you'll agree – non-compliance is not a tightrope worth walking.

How we can help

Our cloud-based call centre software boasts some pretty nifty features, ranging from omnichannel contact management to high-tech AI chatbots.

But one of its most useful features is its payment processing solution.

This lets you do all sorts of things, like take payments via web chats and automated IVR. And best of all, it's PCI compliant, right out of the box.

Now, to be absolutely clear – this won't automatically make your call centre compliant. Using a compliant payment provider can shrink the part of your environment that the standard applies to, but you'll still have to meet the requirements that remain, such as installing anti-malware software, training agents and maintaining a security policy.

But it does mean there's one less hoop to jump through. And with something as complicated as the PCI DSS, that can be a big help.

Interested? Click to learn more about our cloud contact centre software.

Want more useful tech tips? Sign up for our Knowledge Hub newsletter. (It's spam free – promise.)
