How GDPR Compliance Will Impact PCI DSS
Well, GDPR is nearly upon us! Many companies in the UK have been busy over the past few months preparing for the pending legislation: hiring GDPR compliance officers, conducting internal process reviews and generally trying to become as ready as they can be.
Protect your payments and help your GDPR Compliance:
Unfortunately, many companies have chosen not to be ‘ready’ for GDPR in the belief that Brexit gives the UK a ‘get out of jail free’ card. Such companies could come to regret that decision: GDPR applies in the UK from 25 May 2018 and will remain in force until at least March 2019, when the UK is scheduled to formally leave the EU. Moreover, GDPR applies to any organisation, wherever it is located, that processes the personal data of people in the EU while offering them goods or services or monitoring their behaviour, and its maximum fine is €20 million or 4% of global annual turnover, whichever is higher.
GDPR Summary
PCI DSS and GDPR are separate requirements, but they are related. PCI DSS is an industry standard, enforced contractually by the card schemes through your acquirer, that aims to protect cardholder data; GDPR is EU law that protects personal data more broadly (and cardholder data that identifies an individual is personal data too). GDPR requires you to implement appropriate technical and organisational measures to protect personal data against breaches (Article 32), so the controls that a sound PCI DSS solution brings reduce your breach risk under both regimes.
Any company accepting card payments is required by its acquirer to comply with PCI DSS. Where card details are disclosed to you, including over the phone, you must have controls in place so that sensitive authentication data (the three- or four-digit security code, the PIN and full magnetic-stripe or chip data) is never retained after authorisation, whether in a call recording, a transcript or an agent’s notes, and so that the card number is not stored in your company’s database or network unless it is rendered unreadable. The simplest way to meet this is to ensure card data never enters your systems at all, which also keeps those systems out of PCI DSS scope.
PCI Compliant
If you are already PCI compliant, great! Your road to preparing for GDPR will be an easier trip. You’ll already be used to conducting audits and reviews of the payment details you process, and you are more likely to have secure technologies built into your overall IT infrastructure, which will help with GDPR. Larger UK firms will more than likely be in this category; the concern is with small and medium-sized companies, which are less likely to be PCI compliant.
For those not yet PCI compliant: not to worry, it is not too late! As part of your efforts to become GDPR ready, it’s time to also consider the measures you need to put in place to ensure that, when gathering both personal data and payment details over the phone, you won’t be in breach and face a hefty fine from 25 May 2018.
GDPR Compliance
Call recording is a form of data processing. Under the Data Protection Act (DPA) 1998, callers must be made aware that the call is being recorded and for what purpose the data gathered will be used, and the recordings must be stored securely. That act has been in place for two decades, but its enforcement and penalties (a maximum monetary penalty of £500,000 from the ICO) are nowhere near as severe as what you may face under GDPR.
At Callstream, we provide cloud-based call management technology to the UK insurance, travel and retail markets with a focus on PCI compliance and system security. Callstream Vault allows your customers to provide their credit card details without any information being shared or stored by the agent or call recording software. Our solution is the most comprehensive cloud-based PCI level 1 certified solution available to the contact centre environment.
Remember, you can always visit our website to find out more: https://www.callstream.com/secure-phone-payments-vault/