In contact centers, security is a constant balancing act. Strict clean-desk policies make traditional authentication methods such as hard tokens impractical on the floor, so many contact centers have had to find creative ways to meet compliance requirements without disrupting operations. That balance is about to shift.
PCI DSS 4.0 (PCI 4) introduces new password management rules that directly affect contact center IT and security teams. Many of the standard's changes took effect when it became mandatory in March 2024, but its future-dated requirements become mandatory in just a few weeks. Preparing now is crucial to avoid disruptions.
One of the most significant changes is password management. Contact centers, especially BPOs, will see an increase in password rotations for client-owned systems like CRMs and other applications.
As these requirements take effect, BPO agents will have to rotate passwords more often, creating challenges for BPOs and their clients alike. One immediate consequence will be a surge in password reset requests as agents struggle to remember new credentials, which will swamp client helpdesks, raise operational costs, and cut agent productivity.
Under PCI 4, passwords must meet these updated standards:
8.3.6 If passwords/passphrases are used as authentication factors, they meet the following minimum level of complexity:
8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse as follows:
“Best practices are to consider password changes at least once a year, a password/passphrase length of at least 15 characters, and complexity for the passwords/passphrase of alphanumeric characters, with upper- and lower-case letters, and special characters.”
For BPOs and outsourced contact centers, there is an extra sub-requirement under PCI 4:
Simply put, as a BPO, the organization is responsible for ensuring that its clients rotate its agents' credentials in line with PCI 4.
There is a way to avoid the 90-day password rotation requirement, and PCI 4 itself provides it: instead of rotating on a fixed schedule, dynamically analyze the security posture of accounts and grant or revoke access in real time based on that analysis. This is continuous identity risk assessment. NIST SP 800-207, Zero Trust Architecture, describes the same idea: a dynamically assessed security posture that continuously evaluates user behavior, device and system configuration, network activity, and other signals rather than trusting a credential presented once at login.
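To make the two rotation clocks concrete, the 90-day rotation for accounts authenticated by password alone and the once-a-year best practice quoted above, here is an added Python example; it is not code from the original post, from Twosense or from the PCI Council. It checks a password against the quoted complexity guidance and classifies constructed agent accounts by how overdue they are, treating an account whose security posture is dynamically analyzed as exempt from the 90-day clock while still holding it to the annual best practice. Using the 15-character minimum as a hard rule, the `AgentAccount` fields, and the usernames and dates in the sample data are all assumptions for illustration.

```python
"""Password-policy and rotation checker modelled on the PCI 4 guidance quoted
above. Added example: thresholds, account fields and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import string

MIN_LENGTH = 15           # best-practice length, applied here as a hard rule (assumption)
ROTATION_DAYS = 90        # rotation interval when a password is the only factor
BEST_PRACTICE_DAYS = 365  # "at least once a year" best practice


def password_policy_failures(pw: str) -> List[str]:
    """Return the complexity rules a candidate password fails (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"length < {MIN_LENGTH}")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return failures


@dataclass
class AgentAccount:
    username: str
    last_password_change: date
    # True when the account's posture is dynamically analyzed (continuous
    # risk assessment), which lifts the fixed 90-day rotation clock.
    continuous_risk_assessment: bool


def rotation_due(acct: AgentAccount, today: date) -> Optional[str]:
    """Classify one account: 'overdue-90d', 'overdue-annual', or None if current."""
    age_days = (today - acct.last_password_change).days
    if not acct.continuous_risk_assessment and age_days > ROTATION_DAYS:
        return "overdue-90d"
    if age_days > BEST_PRACTICE_DAYS:
        return "overdue-annual"
    return None


def rotation_report(accounts: List[AgentAccount], today: date) -> Dict[str, Optional[str]]:
    """Map every username to its rotation status as of `today`."""
    return {a.username: rotation_due(a, today) for a in accounts}


# Constructed sample data (hypothetical agents, dates chosen to exercise each branch).
SAMPLE_ACCOUNTS = [
    AgentAccount("agent.a", date(2025, 1, 1), continuous_risk_assessment=False),   # 89 days old
    AgentAccount("agent.b", date(2024, 12, 1), continuous_risk_assessment=False),  # 120 days old
    AgentAccount("agent.c", date(2024, 12, 1), continuous_risk_assessment=True),   # exempt from 90d
    AgentAccount("agent.d", date(2024, 1, 15), continuous_risk_assessment=True),   # past a year
]
ENFORCEMENT_DATE = date(2025, 3, 31)  # future-dated requirements become mandatory

if __name__ == "__main__":
    for pw in ("Summer2025!", "correcthorsebatterystaple", "Tr0ub4dor&3-horse-staple"):
        print(f"{pw!r}: {password_policy_failures(pw) or 'OK'}")
    for user, status in rotation_report(SAMPLE_ACCOUNTS, ENFORCEMENT_DATE).items():
        print(f"{user}: {status or 'current'}")
```

Run against a real directory export, the report separates agents who genuinely need a reset from those whose continuous risk assessment already satisfies the alternative to fixed rotation, which is the population the helpdesk surge described above would otherwise come from.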
Twosense Behavioral Multi-Factor Authentication (MFA) takes this approach, using behavioral biometrics to establish and verify user identity in real time. Rather than relying on static credentials alone, Twosense continuously analyzes how the user behaves and validates each authentication event against a trust baseline that evolves with that behavior.
With Behavioral MFA, organizations can:
For BPOs, this means a significant reduction in the complexity and cost of password management while staying compliant. Given the industry's high employee turnover, moving from 90-day rotations to the once-a-year best practice would eliminate most forced resets: only agents who stay longer than a year would ever need to change their credentials.
With the March 2025 enforcement deadline approaching, BPOs and their clients must act now to adapt to PCI 4. The increasing complexity of password policies, together with the responsibility PCI 4 places on BPOs for their clients' compliance, makes traditional password-based authentication even less sustainable than it already is.
By adopting Behavioral MFA, BPOs can meet these new requirements while reducing the burden on IT teams and client helpdesks and maintaining security and compliance. For organizations looking to stay ahead of these regulatory shifts, investing in behavioral authentication is no longer optional: it is a necessity.