Skip to content
Empty office chairs sitting at call center agents workstations, image by Kate Sade
Challenges, Solutions, and Strategies for BPOs and Contact Centers Looking To Meet PCI Compliance

PCI 4.0 Here, And BPOs And Contact Centers Are Not Prepared


As the impending arrival of PCI 4.0 draws nearer, the importance of readiness becomes increasingly evident. The complexity of PCI standards demands proactive measures, as delaying the implementation of solutions aligned with the new 4.0 standards only sets organizations on a path of playing catch-up, with potentially significant costs down the line. 

This blog post delves into crucial aspects of preparing BPOs and contact centers for the upcoming changes. From a rundown of what's shifting in April regarding multi-factor authentication to navigating the PCI timeline and recommended implementation strategies, we explore the challenges and best practices associated with PCI 4.0. Additionally, we address pertinent inquiries from industry experts, including insights from Twosense CEO and Co-Founder Dawud Gordon, Ph.D. 

Join us as we unravel the essentials for a seamless PCI 4.0 MFA compliance transition.

General Update About PCI v4.0

With the retirement of PCI 3.2.1 looming on March 31st and the introduction of PCI v4.0, BPOs and contact centers are bracing for a wave of changes. One of the most significant shifts involves the widespread implementation of Multi-Factor Authentication (MFA). Under PCI v4.0, MFA becomes a requirement across the board, impacting every user within these organizations. 

This means every individual –agents, vendors, and third parties– will be required to authenticate when accessing a VPN or network, again to access the CDE, and again for all applications.  

If you are reading between the lines here, you know this presents one significant problem– security friction. This friction will only increase as requirements compound upon one another.

An additional measure was added to clarify that completing an MFA challenge into any system does not mean you can forego authenticating into the others. This means that even after that first MFA, MFA is required again for each access request to the card data environment (CDE).

Read more about updated MFA requirements in PCI 4.0 here.

Another adjustment that comes with PCI v4.0 is the introduction of 15-minute session timeouts–a long-awaited alignment with NIST 800-63B. Users will find themselves automatically logged out after a period of inactivity, ensuring that sensitive data remains protected even if someone steps away momentarily. Once the timeout period is reached, all of the sessions expire and need to be re-authenticated with MFA for the network connection, and MFA again to each CDE application.

Read more about 15-minute session timeouts in PCI 4.0 here.

Furthermore, there will also be a shift in password policies. With PCI v4.0, organizations will be required to rotate passwords every 90 days and implement heightened complexity requirements– meaning password/passphrase length of at least 15 characters and complexity for the passwords/passphrase of alphanumeric characters, with upper- and lower-case letters, and special characters. This means goodbye to those simple, easy-to-remember passwords and hello to more robust, harder-to-crack ones.

Read more about 90-day password rotations in PCI 4.0 here.

If you’re not already implementing complex passwords, this will be a significant lift to get all your systems to implement the change and have all your users reset their credentials to meet the new standards. The bad news is that this process will almost certainly result in a heavy IT workload over the following few weeks, spiking credential resets as users struggle to adapt.  This will be a recurring load as these credentials rotate every 90 days on a rolling basis.

However, if you can show assessors that you’re dynamically assessing identity risk in real-time –continuous authentication– you’ll be allowed to relax rotation to once a year. According to NIST 800-207 Zero Trust Architecture, a dynamically analyzed security posture is a continuous and real-time evaluation of an organization's security risk posture. Simply put, an organization's security posture is assessed automatically and in real time based on various factors such as user behavior, system configurations, network traffic, and threat intelligence.  While challenging to achieve (Twosense can help), once accomplished, you can eliminate credential rotation for all but your best employees who stay with you for more than a year, cutting password resets by over 75%. 

Navigating these changes isn't going to be easy, especially considering the intricate nature of PCI standards. Alongside PCI 4.0 guidelines, BPOs and contact centers must familiarize themselves with the information supplement on MFA provided by PCI in 2017. Understanding these standards is crucial as MFA's implementation can significantly impact workflows and overall efficiency within these organizations.

Timeline Update

There's been confusion swirling around about the PCI 4.0 timeline and when specific requirements need to be met. But here's the thing—when it comes to the new MFA (Multi-Factor Authentication) rules, waiting until the eleventh hour isn't the best move. You've got to ensure your identity security measures and policies are up to par with the PCI DSS v4.0 standards sooner rather than later.

So, let's break it down with a bit of a timeline update:

  • March 31, 2024: Say goodbye to PCI DSS version 3.2.1. It's officially retiring.
  • March 31, 2024: Hello, PCI DSS version 4.0! It's in full swing, with a few exceptions. Specific requirements are future-dated for about a year later, and it's strongly encouraged that orgs start aligning with these standards ASAP.
  • March 31, 2025: This is the big one. Future-dated requirements become mandatory in PCI DSS v4.0 land. So, while they're friendly nudges until then, they'll be must-haves post-March 31, 2025. 

Here's the kicker: Even though some of these updated requirements aren't set in until 2025, many customers and partners are starting to expect them sooner, especially after March 2024.  It is a "better safe than sorry" situation for many customers. Still, our team has also seen numerous PCI assessors push organizations to have solutions in place before their next recertification–regardless of whether it is in the next month.

Let the record reflect, however, that things will get a bit complicated when it comes to the new requirements. Particularly the updated password complexity and rotations requirement, and even more so for BPOs who'll need to enforce these requirements with customers and partners. 

Navigating this can be a maze, especially for BPOs, contact centers, and their clients. If you're looking for more details on PCI v4.0 and MFA, check out the Twosense Blueprint to PCI DSS v4.0 Authentication. For weekly updates, subscribe to the Twosense blog or hit the notification bell on the top right corner of the Twosense LinkedIn to get the latest information on PCI and MFA!


Delaying the implementation of solutions aligned with PCI standards can lead to various challenges, with cost being a significant concern. Waiting too long to upgrade systems and processes to meet PCI requirements often results in higher expenses down the line. This includes the initial investment in new technologies and infrastructure and potential fines and penalties for non-compliance should you run over the deadline.

Implementation hurdles also arise when organizations procrastinate on PCI compliance. Rushed deployments can lead to errors, inefficiencies, and even agent and system downtime, disrupting operations and affecting productivity.

Moreover, regarding operations, the chosen solution's impact on floating desks and work-at-home agents (WAHA) cannot be overlooked. The incompatibility of desktop OTP authenticators and floating desks leaves BPOs looking at security solutions that are much more costly and time-consuming such as YubiKeys, which are often the last options for BPOs to be able to authenticate agents and meet PCI standards. But that doesn't make them any less of a logistical and cost nightmare. When compared to YubiKey, Twosense is 2.5 times less expensive. 

Read the latest Cost Saving Blueprint here to learn more about how Twosense is replacing YubiKeys as the go-to identity security solution for BPO contact centers.  

Ask Our Experts

Q: What are the specific PCI requirements related to multi-factor authentication that are being overlooked that could cause significant problems come certification time?
A: There are two here that we find to be particularly troublesome when overlooked, and that is the need for MFA for all system access, not just initial login, and the requirement for MFA re-authentication for every access to the card data environment (CDE), and 90-day password rotations with increased password complexity. Both will cause significant troubleshooting if left until the last minute.

Q: How does MFA implementation impact agent workflow and efficiency?
A: MFA can disrupt agent workflow and efficiency by introducing additional security friction, i.e., authentication steps for accessing systems and applications, causing delays and frustration. This is why we designed our product to automate the MFA challenge response, reducing the amount of time agents spend engaging with security processes and enabling them to focus on customers.

Q: What standard authentication methods are currently used, and how well do they comply with PCI DSS standards?
A: Common authentication methods include traditional single-factor login such as user names and passwords, desktop OTP authenticator applications, and hard security tokens. While these methods are widely used, they may not fully comply with PCI DSS standards, especially if they lack multi-factor authentication components.

Q: How does our MFA solution cater to the user experience of agents without negatively impacting their workflows, and what strategies are in place to address potential resistance to MFA adoption?
A: Our solution prioritizes user experience by minimizing disruptions to workflows. Automating the MFA challenge-response via behavior can remove the user from the process, making organizations more secure and efficient.

Q: What monitoring tools and processes are in place to continuously track authentication events, identify unauthorized access, and respond to potential security incidents related to multi-factor authentication?
A: Twosense continuously authenticates the user throughout the session and workday with behavior-based authentication.  Unauthorized access, even on an open session or unlocked device, is detected instantly, automatically remediated, and/or escalated to the SOC for further steps. 

Q: How do we integrate multi-factor authentication seamlessly with our existing contact center systems and applications, and what measures are in place to ensure compatibility and minimal disruption?
A: Twosense integrates with existing systems as an authentication factor at both the endpoint and IdP level, integrating with existing authentication policies for seamless and passive authentication that’s instant and invisible to the user. 

Q: Can you outline our organization's approach to ongoing education and training for agents regarding the proper use of multi-factor authentication and its importance in maintaining PCI DSS compliance?
A: Eliminating the user from the security process is one of the primary pillars of our organization. Twosense provides identity verification via behavior, making ongoing training for agents unnecessary. 


In conclusion, the road to PCI 4.0 compliance is paved with challenges, especially for those who procrastinate. Cost implications loom large, with delayed implementation resulting in higher expenses, from technology upgrades to potential fines for non-compliance.

Rushed deployments also pose risks– leading to errors, inefficiencies, and operational disruptions and dooming those who delayed implementing solutions to have hard tokens foisted upon them for a full headcount at the 11th hour, with the cost and operational nightmare that entails (read more here). Additionally, the impact on floating desks and remote agents cannot be ignored, requiring solutions that align with security standards while maintaining flexibility and efficiency.

Amidst these challenges, proactive measures are essential. Organizations must prioritize compliance efforts and invest in solutions that meet PCI standards, streamline operations, and reduce costs. With the right approach and solutions, the transition to PCI 4.0 compliance can be navigated smoothly, ensuring increased security and operational effectiveness in BPOs and contact centers.

Step into the future of BPO and contact center identity security.

More from the Blog

May 31, 2023

Protect Your Contact Center From Work-At-Home Collusive Threats

Complicit agents and insider fraud is something most contact centers refuse to acknowledge publicly, and it makes...
January 8, 2024

Phishing-Resistant Behavioral Multi-Factor Authentication For Contact Centers

BPO contact centers face an ever-increasing threat of phishing attacks against agents. In fact, according to IBM,...
January 24, 2024

Why Behavioral MFA Stands Out for BPO Contact Center Security

Selecting the optimal Multi-Factor Authentication (MFA) solution for your BPO contact center is a high-stakes decision....

Sign Up for our Blog

We will never share your email address with third parties.