Why Should Contact Centers & BPOs Comply with PCI-DSS?
In an environment where digital fraud and data theft are increasingly common, contact centers and BPOs in Mexico face an urgent challenge: ensuring the security of the information they process daily. PCI-DSS certification has become a key requirement for call centers, especially those focused on collections, customer service, and financial services.
With the growing number of data breaches and attacks on systems, and the high financial cost and damage to corporate reputation and trust that follow them, investing in security is not optional; it is a necessary measure. The benefits of PCI-DSS are outlined below. In recent years, data theft, cyber fraud, and attacks on institutional systems have increased significantly, largely because of the involvement of organized crime.
According to Forbes, Mexico recorded 300,868,532 malware attacks in the last year (October 2018 to October 2019), representing a 31% increase compared to the previous period. This places Mexico as the second region with the most cyberattacks in Latin America and ninth worldwide.
The National Banking and Securities Commission (CNBV) reported that of all attempted cyberattacks against banks, SOCAPs, SOFIPOs, and fintechs, more than 40% were successful. The response and recovery from these attacks cost these institutions around $107 million USD in 2018, representing between 1% and 1.7% of EBITDA generated the previous year.
This situation has raised global concern, prompting various industries to define standards that companies must adopt to ensure the security of information, systems, and transactions. Two main certifications have emerged: PCI-DSS and ISO 27001.
- What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a certification designed to protect cardholder data. This standard is especially relevant for contact centers and BPOs that process, store, or transmit bank card data.
It was developed by the PCI Security Standards Council, formed by the world’s leading card brands. Obtaining this certification demonstrates an organization’s commitment to protecting sensitive customer information.
PCI-DSS security requirements are organized into 12 key controls:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
These controls involve more than 300 checkpoints, applicable to physical systems, logical systems, and internal processes. They are especially critical for contact centers and BPOs operating in banking, insurance, or retail sectors.
- Cybersecurity Context in Mexico
According to Forbes, Mexico recorded over 300 million malware attacks between 2018 and 2019, ranking as the second country with the most cyberattacks in Latin America and ninth worldwide.
The CNBV reported that more than 40% of cyberattack attempts on financial institutions (including banks and fintechs) were successful, causing losses of over $107 million USD.
This scenario has driven industries—especially contact centers and BPOs handling financial data—to adopt international standards such as PCI-DSS and ISO 27001.
- What Security Areas Does PCI-DSS Cover?
PCI-DSS encompasses business monitoring and control, security environment, incident management, vendor control, risk management, and comprehensive security.
- How Can Each Level Be Achieved?
Each PCI-DSS level carries a different degree of difficulty, depending on which requirements of the standard apply, so not all organizations can reach Level 1, the level that guarantees the highest security standards.
Levels 3 and 4 do not necessarily mean a center is secure; they are only the beginning of the process. Achieving PCI-DSS Level 1 certification is a long and costly process, but the financial risks of non-compliance are far greater.
- How to Achieve Certification?
Stage I: Internal Preparation
This stage involves preparing the organization in all aspects for the certification process—not only systems but also processes and people. Key activities include:
- Scope Definition: Decide whether certification will apply to a specific project or to the entire site. Investment and time depend on this scope.
- Assigning Responsibilities: Define coordinators and a monitoring committee, ideally involving senior management so that the necessary support is available.
- System, Physical, and Process Adaptation: 80% or more of PCI compliance rests on logical system security and consistent processes. The cost of adapting a data center and acquiring systems, licenses, monitoring software, control tools, CCTV, access controls (security gates, turnstiles, biometrics), servers, antivirus, etc., can range from 7 to 10 million MXN in initial investment, plus audit and maintenance costs.
- Human Awareness: If staff are unaware of the certification's impact, it will fail. Develop induction and continuous training for all personnel, and specialized courses for key staff such as internal auditors and IT personnel. Costs can range from $5,000 MXN to $60,000 MXN per person, depending on the course.
- Internal Audit: At this point, the organization should be over 90% compliant, with responsibilities assigned and staff trained. Conduct internal vulnerability scans, and have internal auditors interview each responsible party to confirm compliance with the standard.
- Vulnerability Mitigation: Based on the results of the internal audit and vulnerability scan, create action plans to mitigate the identified risks. These plans also serve as evidence to present during the certification audit.
Stage II: Audit and Certification
Once the 12 PCI-DSS controls have been implemented, a thorough audit process must be completed.
This stage is divided into five activities. The cost of an on-site audit to obtain PCI-DSS Level 1 can range from 2 million MXN to 5 million MXN, depending on the defined scope. After obtaining certification, quarterly scans must be submitted to the certifying body to demonstrate the continuity of the implemented controls. Failure to comply could even result in the cancellation of the certificate.
Benefits for a Certified Contact Center
- Greater trust from clients and partners
- Access to contracts with financial or international companies
- Reduced legal and reputational risks
- A key competitive differentiator for contact centers & BPOs in Mexico
Complying with PCI-DSS is not only an obligation to protect data—it is also a competitive advantage for contact centers & BPOs that want to offer high-quality, secure services. In a context of digital transformation and increasing cyberattacks, this certification is a critical investment for the future.
Is your call center ready to meet the highest security standards?
Contact us and we’ll help you achieve PCI-DSS certification with expert guidance and support.