It’s a conundrum many businesses face, especially in today’s digital era, where fraudulent attacks are becoming more and more frequent: how do we increase the security of contact centres when processing payments while maintaining a high level of customer satisfaction?
It’s important for businesses to make it as easy as possible for customers to pay for goods and services over the phone, but to remain vigilant to the risks involved when capturing and processing sensitive customer details. Organisations often struggle to strike an even balance between security and convenience.
When customers call to discuss their account, place an order, or make a payment, they are entrusting you with Personally Identifiable Information (PII), such as full name, home address, email address, full payment card details (also known as Cardholder Data, or CHD) and more. They expect their sensitive information to be handled with the utmost security, but no one wants to be on the phone for hours, going through numerous security checks, when all they intend to do is make a simple payment.
What are the top 3 things you need to consider?
Stop Sensitive Payment Information Reaching Your Call Recordings
For many industries, call recording is a standard obligation, as outlined in the UK by the Financial Conduct Authority (FCA) to “prevent, detect and deter market abuse”. Despite this, recording calls can cause some considerable issues when it comes to sensitive data management and processing payments.
The most efficient way to continue recording entire calls, whilst also maintaining a high level of customer service, is to remove any sensitive data from the call completely.
DTMF suppression is the most effective way to secure call recording, as it allows you to record the entire conversation without needing to interrupt the call. Some call recording services claim to be compliant by automatically stopping the recording at the payment stage, or by waiting for the agent to do so. Both options can be unreliable: they depend on the pause happening at exactly the right moment, and if it is missed the card details end up in the recording, which then holds cardholder data. DTMF suppression is recommended by payment security guidelines such as the Payment Card Industry Data Security Standard (PCI DSS). For UK organisations, this helps adhere to strict FCA regulation and achieve best practice payment security.
DTMF (Dual-Tone Multi-Frequency) tones are the audio signals generated by pressing the digits (as well as “#” and “*”) on a telephone keypad. Rather than reading the information out to the agent, a customer can enter their card details on their telephone keypad. That stops anyone writing down card details and drastically reduces card fraud risk. However, because each pair of tones maps to exactly one key, recorded tones can be decoded back into the card number, so they still have to be protected. You could mask each keypad press with a flat tone, but you can go one step further. DTMF suppression doesn’t just mask the tones, it completely removes them before they reach your call recording system.
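To show what “removing the tones before they reach the recorder” means in practice, here is an added illustrative example (not Key IVR’s code or product): it detects DTMF key presses frame by frame with the Goertzel algorithm and replaces those frames with silence, handing the decoded digits to the payment path instead of the recording. It assumes 8 kHz mono audio as Python floats, 205-sample frames, and constructed test tones rather than captured call audio.

```python
import math
LOW_FREQS = (697, 770, 852, 941)        # keypad row tones, Hz
HIGH_FREQS = (1209, 1336, 1477, 1633)   # keypad column tones, Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")

def goertzel_power(frame, freq, rate):
    """Squared magnitude of one frequency in a frame (Goertzel algorithm, pure Python)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame, rate, min_share=0.08, dominance=6.0):
    """Return the keypad digit present in a frame, or None if no clean tone pair is found."""
    scale = sum(x * x for x in frame) * len(frame)  # power one bin would show if it held all the energy
    if scale == 0:
        return None
    picks = []
    for freqs in (LOW_FREQS, HIGH_FREQS):
        powers = [goertzel_power(frame, f, rate) for f in freqs]
        best = max(range(len(freqs)), key=powers.__getitem__)
        # The winning tone must carry a real share of the frame's energy and clearly beat its group.
        if powers[best] < min_share * scale:
            return None
        if any(p * dominance > powers[best] for j, p in enumerate(powers) if j != best):
            return None
        picks.append(best)
    return KEYPAD[picks[0]][picks[1]]

def suppress_dtmf(samples, rate, frame_len=205):
    """Silence every frame carrying a keypad tone; return the cleaned audio and the decoded digits."""
    cleaned, digits, last = [], [], None
    for start in range(0, len(samples), frame_len):
        frame = samples[start:start + frame_len]
        digit = detect_digit(frame, rate) if len(frame) == frame_len else None
        if digit is None:
            cleaned.extend(frame)
        else:
            cleaned.extend([0.0] * len(frame))  # the recording never contains the tone
            if digit != last:                    # one keypress usually spans several frames
                digits.append(digit)
        last = digit
    return cleaned, digits

def sine(freq, rate, n, amp=0.5):  # constructed pure tone (sample input, not captured call audio)
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]
def dtmf_tone(digit, rate, n):  # constructed keypad tone for one digit: row tone plus column tone
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    lo, hi = sine(LOW_FREQS[row], rate, n), sine(HIGH_FREQS[KEYPAD[row].index(digit)], rate, n)
    return [a + b for a, b in zip(lo, hi)]
```

A production system would also cope with presses that straddle frame boundaries and with line noise, and would pass the digits to a tokenising payment service rather than keep them in memory.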
Ensure You are PCI-DSS Compliant
If you accept, process, store or transmit cardholder data (CHD) then PCI DSS affects your organisation. The Payment Card Industry Data Security Standard (PCI DSS or PCI for short) protects customers and their data, assisting in the prevention of a data breach that could have a huge impact on a company’s future operations and customer reputation.
Ensuring PCI compliance within your contact centre highlights to customers that you take the security of their sensitive data very seriously, making you a much more credible organisation to do business with.
However, because the guidelines are so thorough and detailed, becoming PCI compliant on your own can be a very time-consuming and costly venture with a lot of room for error. If you can reduce how much of your organisation, such as staff, IT systems and processes, falls under the PCI “scope”, then you’ll find achieving PCI compliance easier and will save time and unnecessary cost.
How do you take things “out of scope”? Work with a trusted third party that understands the requirements in depth and already has highly secure PCI compliant systems ready to use…
Work with a Trusted & Accredited 3rd Party Payment Provider
We help organisations become PCI compliant with already established PCI DSS Level 1 payment solutions. Key IVR can help take the pressure off the compliance process by assessing your systems and providing secure services to suit your organisation.
Key IVR have been designing and deploying secure payment systems for over 10 years, working with small to large companies all over the world. We’re trusted by hundreds of clients, providing a range of payment services across agent-assisted payments, automated telephone lines, text messages and more, and processing over £1.7 billion annually.
Our PCI DSS Level 1 v4.0 and ISO 27001 accredited platform is constantly evolving to keep ahead of the latest industry best practices, saving you time and money when compared to building and maintaining your own PCI environment.