Twosense Blog

How PCI 4 Session Timeout Rules Will Impact Contact Center Workflows

Written by Twosense | Jan 29, 2025 4:10:58 PM

For organizations that did not adopt a proactive authentication solution, security friction in contact centers has skyrocketed with the rollout of new PCI 4 requirements. The recently updated standards aim to enhance access controls but have also brought operational challenges that disrupt workflows and impact productivity. Here’s what you need to know about PCI 4 Requirement 8 and how to mitigate its impact.

Recap of PCI 4 Requirement 8

At its core, Requirement 8 focuses on improving identity and access management to prevent unauthorized access to sensitive cardholder data. Two critical changes stand out:

  1. Mandatory MFA at Multiple Checkpoints
    • PCI 4 now requires multi-factor authentication (MFA) not just for initial logins but also at various points within a session, such as when accessing specific applications or sensitive resources.
  2. 15-Minute Session Timeouts
    • User sessions must terminate after 15 minutes of inactivity, requiring reauthentication to resume activities.

These changes reflect an industry-wide push for stronger security measures but have significant implications for contact center workflows.

For a more detailed technical breakdown of these requirements, read "PCI 4.0: Required 15-Minute Timeouts."

The Impact on Contact Center Workflows

Repeated MFA Challenges

For contact centers, time is money. Handling high call volumes demands efficiency, but repeated MFA prompts can severely disrupt agents' workflows:

  • Multiple MFA steps add friction to routine tasks, slowing agents down as they move between applications or access restricted resources.
  • Delays during shift changes or workstation transitions compound productivity losses.

Session Timeouts

Frequent session timeouts triggered by 15 minutes of inactivity create additional headaches:

  • Agents must repeatedly reauthenticate, diverting their focus from customer interactions.
  • Productivity takes a hit as session resets disrupt the natural flow of work.
  • Frustration grows among agents juggling time-sensitive customer requests.

Operational Strain

Beyond individual agent challenges, these requirements strain the broader contact center ecosystem:

  • Increased authentication-related requests overload IT teams and systems, creating peak-hour tie-ups.
  • Help desk teams face a surge in support tickets related to MFA issues or session timeouts.
  • Higher operational costs arise from lost efficiency and the resources needed to manage these challenges.

The intent behind these rules is clear: to enhance security by reducing the risk of unauthorized access. For BPOs handling sensitive cardholder data, this is a critical priority. However, the trade-offs between security and usability cannot be ignored.

A Smarter Approach: Balancing Security and Efficiency

While the new requirements add complexity, they don’t have to break workflows or productivity. Behavioral MFA offers a solution that ensures compliance without sacrificing efficiency. Unlike traditional methods, behavioral authentication continuously validates user identity in the background, eliminating the need to complete repetitive MFA challenges manually.

Twosense validates the user's identity and authenticates them not by what they’re doing but by how they’re doing it, generating a level of trust for every interaction in the background. That trust score is then used to authenticate the user continuously throughout the day or flag unauthorized access. This approach enhances both security and usability, empowering contact centers to thrive under the new strict PCI 4 requirements.

Conclusion

The new PCI 4 MFA and session timeout rules mark a significant shift in security requirements for contact centers. While the intent is to bolster access controls and safeguard data, the operational impact will be significant without the right solutions. To maintain productivity while staying compliant, contact centers must adopt smarter, frictionless authentication solutions like Behavioral MFA.