Article

Registration and PCI compliance: A primer for ATM deployers, call centers

The Payment Card Industry Standards Council has a lot to focus on — the entire payments chain, in fact. The ATM, being part of that chain, definitely falls under the purview, but some ATM operators have difficulty understanding just where they fall.

March 23, 2010 by Susan Kohl — President, ThoughtKey

In this article, I will focus on one piece of the PCI puzzle, the call center, and hopefully provide easy-to-understand steps to follow for PCI compliance.

How, you might ask, does the call center connect to the ATM? Easy. All of the payment sources use outsourced call centers to handle ATM trouble tickets, whether they come from consumers or from processors' internal help desks. For example, say a consumer is having difficulty at an ATM or thinks he was charged incorrectly. Regulation E requires that every ATM have an 800 number posted or adhered somewhere on the ATM or printed on the ATM receipt for consumers. Those calls go to call centers. So, let's say the consumer calls the 800 number that is on the ATM or printed on the receipt. In some cases, the call reaches an outsourced call center that must request the user's card number. At that moment the concern for PCI compliance at the call center, initiated by an ATM transaction, begins.

Imagine how catastrophic it would be to a merchant or a bank if a customer's identity were compromised as a result of poor internal controls at a call center. This danger is more real than ever, now that so many companies in the payment industry rely heavily on outsourced call centers to provide customer service and payment acceptance. Catalog and other MOTO/e-commerce merchants are prime examples.

Customers expect merchants to protect any personal data, especially card transaction data. As a call center, what should you do to protect your customers and your customers' customers? The first step is called "registration."

Registration

The purpose of registration is to clearly identify all parties that handle payment transactions and/or cardholder data in any way. Registration is mandatory. Failure to register exposes you to fines of up to U.S. $500,000 by Visa, MasterCard, STAR, etc.

The card networks/brands require registration of all entities providing the following services to the payments industry (referred to as third-party service providers/agents, or TPAs):

• Solicitation of payment activities
• Call center operations
• Chargeback, fraud and settlement management services
• Enabling authorization and/or settlement activities
• Performing encryption management services
• Payment program managing, monitoring and/or reporting (such as loyalty programs)

A card brand member must register and sponsor each TPA that provides services to the member's payment portfolio. A member must be a financial institution that meets the criteria of the card brand to sponsor TPAs. Here we will refer to each of these members as a "sponsor bank," though other types of members, not relevant to this article, do exist. TPAs can select their sponsor banks or rely on the payment processors' sponsor banks to complete the proper registration.

While registration program requirements vary by sponsor bank, the card brands' operating rules and bank regulations require that all sponsor banks follow basic information standards. The table available below highlights the minimum information you must provide to a sponsor bank so that it can properly complete your registration.

Click here to review required registration information. After you have completed your registration, be sure to obtain written confirmation that your entity has been properly registered with each card brand that you accept as a payment mechanism from customers.

PCI Data Security Standard

Registration with the card brands is not the only obligation on TPAs. If your business accepts, processes, stores or transmits payment card data, you must also comply with the PCI Data Security Standard. PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and it covers the technical and operational system components that are included in or connected to the cardholder data environment. PCI compliance is an important component of the registration process, and one not taken lightly by a sponsor bank or the card brands.

PCI DSS includes 12 common-sense steps toward protecting cardholder data. Click here to view a list of security standards.

PCI validation requirements vary slightly based on the service provider's PCI level. Click here to view a list of service provider levels and requirements. For more information about specific card brand PCI requirements, review the following Web sites:

• Visa ("CISP"): http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
• MasterCard ("SDP"): http://www.mastercard.com/us/sdp/serviceproviders/serviceprovider_levels.html
• American Express: https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=spinfo&ln=en&frm=US
• Discover ("DISC"): http://www.discovernetwork.com/fraudsecurity/disc.html

For additional details about PCI requirements, review the PCI Security Standards Council's Web site: https://www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf

Payment industry consulting firms are available to help merchants navigate the complexities of implementing PCI requirements and/or completing the registration process.
 
Susan Kohl is CEO of ThoughtKey, a payment industry consulting firm focused on PCI, regulatory compliance and risk management.