AM Online

Guest opinion: How many dealers have overlooked PCI compliance amid GDPR preparations?

Tim Mercer, chief executive, Vapour Cloud

GDPR has been putting the frighteners on virtually every business in the UK for the past 12 months and with D-day finally on the horizon, there’s no escaping the panic any time soon.

For many dealers, the primary concern has been how to market to customers who will inevitably fail to opt-in to ongoing communications.

Others have felt overwhelmed – like numerous organisations in wider sectors – about how to raise their cyber security game, fearful of the mounting penalties that could be imposed following a careless breach.

However, with so much attention paid to these new data protection regulations, the question has to be asked – how many automotive dealers have overlooked another important legislative hurdle?

Closely linked to GDPR is the need to be PCI and MiFID II compliant.

The Payment Card Industry Data Security Standard (PCI DSS) requires all companies that accept, process, store or transfer credit card information to do so in a safe environment.

Compliance levels are graded, with level 1 representing the most robust degree of conformity.

Taking card payments over the phone – whether the number is read out verbally or entered via the keypad – is just one scenario in which PCI compliance applies.

If these calls are recorded to provide an audit trail, the recordings themselves become a breach risk. In such instances, it is illegal not to have some form of protection in place to safeguard the customer’s personal details.

The call recording could be paused manually – or, better still, the pause could be automated – but either way the result must be a recording that does not contain sensitive data. Why? Because a recording that holds card details would be a serious problem if it were accessed unlawfully.
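As an added illustration of the automated approach (this is example code, not the article's or Vapour Cloud's), here is a Python sketch of a recording filter: the payment flow signals the start and end of card capture, keypad digits during capture are dropped, and transcribed speech is screened for Luhn-valid card numbers as a backstop in case the pause is missed. The event format and the existence of a transcription and DTMF-detection layer are assumptions.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def redact_pan(text: str) -> str:
    """Mask Luhn-valid card numbers in transcribed speech, keeping the last four."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order reference: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

def filter_recording(events):
    """Return the segments allowed into the stored recording. events are (kind, value)
    pairs; kind is 'capture_start'/'capture_end' (assumed payment-flow signals), 'dtmf' or 'speech'."""
    kept, in_capture = [], False
    for kind, value in events:
        if kind == "capture_start":
            in_capture = True
        elif kind == "capture_end":
            in_capture = False
        elif kind == "dtmf":
            # keypad digits entered during card capture never reach the recording
            kept.append(("dtmf", "*" if in_capture else value))
        elif kind == "speech":
            # screen every utterance: the agent may forget to pause
            kept.append(("speech", redact_pan(value)))
    return kept

EVENTS = [  # constructed sample call, not real data
    ("speech", "I'll take the deposit now, could you read out the card number?"),
    ("capture_start", None),
    ("speech", "Sure, it's 4111 1111 1111 1111."),
    ("dtmf", "1"), ("dtmf", "2"), ("dtmf", "3"),
    ("capture_end", None),
    ("speech", "Thanks, your order reference is 1234567890123."),
]
```

Running `filter_recording(EVENTS)` yields the same call with the spoken card number masked to its last four digits and the keypad entries replaced by `*`, while the 13-digit order reference (not Luhn-valid) is left intact.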

Then there’s MiFID II – the latest Markets in Financial Instruments Directive, which came into force in January 2018. Implemented largely to reform the financial services sector, it means that anyone involved in the financial advice chain must record their calls.

Dealers must therefore ask themselves if they fall into this category, or if they’re likely to find themselves in that world in the near future.

If the answer is yes, considerations need to be made as to how these conversations are captured and stored.

The process becomes particularly difficult if salespeople discuss vehicle leases, for example, on incoming or outgoing calls made via a mobile phone or their own device.

Every call must be subject to the same treatment.

With cloud technology advancing apace, telecoms compliance is feasible and it doesn’t have to break the bank.

There is no need to invest in complex hardware when intuitive apps exist to facilitate security with ease. But an understanding of the legislative landscape is required first.

So, irrespective of GDPR worries, dealers must research their wider regulatory obligations so that appropriate next steps can be planned.
