
PCI, GDPR and the contact centre


The EU is serious about data protection. Unless you’ve had your head in the sand, you’ll be well aware that its General Data Protection Regulation (GDPR) comes into force on 25th May. It sets out rules that make clear what is expected of companies handling personal information, and those rules come with stiff consequences for non-compliance.

Failure to adhere to some sections of the new regulations could land a business with a fine of up to 4% of its annual turnover or €20 million (whichever is greater), and lack of compliance with others could result in fines of up to €10 million or 2% of total global revenue (whichever is greater). To cut a long story short: “ignore these new rules at your company’s peril”.

The sort of teeth that the EU has equipped its new GDPR with could very easily push non-compliant businesses into insolvency, and the data handled every single day by contact centres puts them on the front line when it comes to risk.

The contact centre risk 

In the UK alone, there are more than 6,200 contact centres, employing around 5% of the country’s working population, and GDPR will have a notable impact on the way they all work.

On a daily basis, those centres handle virtual reams of personal information, and the new guidelines will affect almost every aspect of their day-to-day work, from the recording and archiving of calls to the implementation of safe and secure IT systems.

The regulations also extend the list of those liable for any breach of data security, making data processors culpable for failures where before liability was limited to data controllers. This means that any third party that processes data on a company’s behalf can be punished if it fails to properly control and store the data in its possession.

The good news is that companies that already comply with PCI DSS (the Payment Card Industry Data Security Standard, designed to help businesses process payments securely and protect customers against fraud) are already on the fast track to being compliant with the GDPR, and the standard makes a very solid foundation upon which to build a new, GDPR-compliant data protection strategy. 

The PCI DSS is an ever-evolving information security standard, created to increase controls around the use of cardholder data and to reduce fraud, and it is well known to be a strong foundation for a solid information security strategy, one that complies with GDPR.

A recent report by Verizon, however, found that almost half of businesses are struggling to keep up with the PCI DSS guidelines, even after they’ve been fully certified.

The company explained that 55.4% of its PCI DSS certified customers met the requirements in an audit during 2016, compared to 48.4% in 2015. However, more businesses were failing their interim assessment, with 13% of businesses not having the controls in place to stay certified. 

“Many of the security controls that were not in place cover fundamental security principles that have broad applicability,” the report explained. “Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.” 

Lack of compliance 

There is a myriad of reasons for the noteworthy lack of compliance, but chief among them is thought to be a major skills shortage. Around 51% of compliance officers in financial services firms have reported a shortfall, and it is reportedly leading IT decision makers to look in new directions as they try to solve their problems.

These challenges aren’t limited to PCI DSS, however. A recent survey found that as many as 60% of UK businesses hadn’t even started to prepare for GDPR, and the rest of the EU is even further behind, with 72% of its organisations failing to get started.

At the heart of much of that inactivity lies the misplaced notion that the GDPR won’t affect them – but any company operating in the EU is bound by it, regardless of where they process the personal data. 

Similarly, 1 in 4 UK businesses moved to cancel their GDPR prep post-Brexit, because they mistakenly thought the withdrawal from the EU meant they wouldn’t need to comply. However, businesses will still need to take the steps to comply, because similar rules will be imposed via the Data Protection Bill proposed by the UK government. Like GDPR, it will come into force in May 2018, so even when the UK exits the EU, businesses will be covered in the same way and can continue to trade with EU customers. 

The same survey made another interesting finding: EU businesses were taking a more laid-back approach to GDPR preparation because of their reliance on external consultants specialising in GDPR. Many businesses are relying on such consultants as a silver bullet to help them address the challenges their organisations face.

How contact centres can comply 

Unlike the GDPR, which sets out clearly what needs to be protected but falls short of actually providing organisations with an action plan, PCI DSS provides a robust framework from which to work, affording a virtual leg-up in the race to spring 2018. Enlisting some outside assistance now could take the pressure off and ensure that you’re not adrift and vulnerable in the not-too-distant future.

Because PCI DSS has been around much longer than GDPR, it’s not surprising that there are more consultants available to apply their knowledge to protect businesses. But it’s very early days, and even those with expert knowledge of the incoming data protection laws are still figuring out the intricacies of the legislation.

It’s a sad but inescapable fact that data breaches are no longer rarities. They have become a fact of life, and it’s worth remembering that both PCI DSS and GDPR came about as a result of companies failing to treat personal data with the respect it deserves, and suffering enormous brand damage into the bargain.

Looking forward, it’s imperative that all companies get to grips with the new demands placed upon them, and now’s the time to prepare in order to be ready for when the clock strikes midnight on 24th May.

James Barham, Chief Commercial Officer at PCI Pal

Image Credit: Wright Studio / Shutterstock

James Barham is the Chief Commercial Officer at PCI Pal, which is a specialist provider of secure payment solutions for contact centres and businesses taking Cardholder Not Present (CNP) payments.