Managing remote agents in the PCI DSS 4.0 era

PCI DSS 4.0 has moved with the times, catching up with the huge shift to home-based working for many contact center agents. But the beefed-up regulations are also in tune with shifting customer sentiment.

While many employees have settled into remote working with its convenience and flexibility, some customers aren’t so comfortable with the idea. Research commissioned by Eckoh this year found that 55% of consumers view contact center agents who are working from home as a risk to their personal privacy. What’s more, 53% didn’t want to share their payment information or personal data with these agents.

Let’s look at how PCI DSS 4.0 addresses risks around remote access – and different approaches available to contact centers.

Greater security awareness

PCI DSS 4.0 asks organizations to view card security as a continuous process, rather than an annual compliance exercise. Companies should build a culture of security – but this can be harder to create and maintain if you have hundreds or thousands of agents based remotely. 

Contact centers must provide comprehensive security awareness training to remote employees. For example, this can include training personnel to recognize and report phishing emails. Companies should also have mechanisms in place to protect against and mitigate risks posed by phishing attacks.

Organizations must also conduct bi-annual reviews of all user accounts and related access privileges.

The off-boarding process has become more important than ever to security. So it’s wise to ensure that departing users don't have any residual access rights. At the same time, contact centers should refresh procedures for new starters and movers, so they're up to date with security policies for remote working.

Remote access controls

PCI DSS 4.0 also brings in stronger authentication. But crucially, the new rules recognize the distinction between regular business systems and those coming into contact with cardholder data.

Whilst complex passwords for remote agents may need be needed when they’re using company systems that are not in the cardholder data environment, PCI DSS 4.0 demands better security. Password length is increased to a minimum of 12 characters and must include a mix of special characters, uppercase, and lowercase letters. 

Any hardcoding passwords in files or scripts is prohibited. Contact centers are also required to change passwords/passphrases at least once every 90 days. This is unless they have a security posture of accounts that’s dynamically analyzed and where real-time access to resources is automatically determined accordingly.

However, mandatory multi-factor authentication (MFA) must be applied to the cardholder data environment from March 31, 2025, which represents a significant change for contact centers. 

MFA applies to all components – including any on-premise equipment as well as cloud environments and hosted systems, servers, and endpoints. This could be a major challenge for organizations.

Multi-factor authentication with PCI DSS 4.0

MFA isn’t just for IT teams and administrators. The rubber hits the road with remote agents taking payments. Any desktops, laptops, or devices used by remote agents must have MFA if they need to access systems that process or store cardholder data.

In turn, this raises a variety of questions and concerns, especially with ‘security friction’ around each customer interaction and transaction. This is because MFA will be required – again and again – for each and every access request to the cardholder data environment. 

Potentially, these authentication steps could increase average handle time (AHT) for contact centers, causing delays and frustration for customers and agents. Being able to handle fewer transactions could lower agent productivity increase costs. 

Let’s just let that sit for a moment … the seconds, minutes, and hours lost for hundreds and thousands of transactions. The impact could be huge financially. 

Is there a simpler path to take? 

It’s notable that PCI DSS 4.0 identifies the cardholder data environment (CDE) as being key to the ongoing security story – and where tough new regulations must apply. 

It’s no wonder that the place where many contact centers store, process, and transmit payment data happens to be the #1 honeypot targeted by criminals. 

Fortunately, contact centers can remove themselves from much of the scope of PCI DSS 4.0 by simply separating their on-premise teams and their remote agents from the CDE entirely.

You can use a payment partner to handle transactions using tokenization, which keeps your environment completely shielded from any cardholder data, so there’s nothing that can be stolen. This approach usually requires minimal integration.

Your remote agents can take payments in just the same way via any channel, including phone, online, chat, chatbot, or IVR. But they cannot see, hear, store, or access any sensitive card data. It’s all handled by your partner. 

This strategy is working well for scores of major organizations. Great examples include a US-based health insurance business with 95 million customers around the world, as well as a company working for government agencies in collecting financial obligations, such as traffic citations, utilities and property taxes.

Next wave of PCI DSS 4.0 hits in 2025

Already this year, PCI DSS 4.0 has bolstered data protection with 13 measures. Merchants must have the remaining 51 in place by March 31, 2025.

One of the biggest challenges will be around balancing the requirements and costs of compliance with maintaining a seamless customer experience that instils trust in your brand.