Key IVR Partner with Elavon to Offer Innovative and Secure Payment Processing in the US

Elavon and Key IVR are excited to announce a new partnership, making it easier for US merchants to access a wide range of innovative and secure card payment solutions. With a seamless integration between the Key IVR platform and Elavon gateway, businesses and consumers alike are protected to the highest level of payment security, PCI-DSS Compliance Level 1.

Elavon is one of the nation’s largest processors and is consistently rated among the top five global payment providers. They offer simple, cost-effective payment processing solutions backed by reliable, helpful customer service. Elavon assists businesses by expanding payment choices and channels, and speeding up cash flow with some of the quickest funding in the industry.

Key IVR have over 15 years of experience providing secure cloud payment solutions to organisations across the globe. With an ever-expanding portfolio of solutions to meet a number of commercial needs, businesses across the globe have the ability to process payments over the phone, using an automated IVR, on the web, via SMS or on a mobile app.

By joining forces, both organisations are excited to see the fantastic contribution an extensive suite of payment solutions will bring to the US market.

Dianne Smith, Head of Partner Relationships at Key IVR said:

“From the very start of our relationship, we have always had a great dynamic. Communication and efficiency from all members of the team is always prompt and reliable, giving us the confidence that future opportunities will run just as smoothly”.

This new US partnership follows a long-standing relationship with Elavon’s UK division. This has recently secured the opportunity to implement a multi-channel solution into a prominent UK-based business in the Hospitality and Leisure industry. The service will allow customers to pay for their stay over the phone, in a secure manner, de-scoping the entire organisation and network environment to ensure sensitive cardholder data (CHD) never reaches their systems.

If you’d like to find out more about Elavon and their innovative payment processing solutions, visit www.elavon.com

Web Chat Payments: Safe, Convenient and Diverse

Ecommerce purchases have been on the rise for years, as technology and the convenience that online shopping brings play a massive part in assisting people’s busy lifestyles. The only downside is the lack of human interaction when it comes to queries or assistance, and asking a quick question over email can often be seen as a time-consuming task.

According to a survey by Emarketer, 63% of customers agree that they are more likely to return to a website if there is a possibility of speaking with a representative via Live Chat. This fast-paced method of interaction allows customers to get the responses they need promptly and in a conversational manner, without the need for formal emails or the frustration of lengthy queues on phone calls.

In order to further increase convenience, having the option to pay for products or services during a live chat and offering assistance along the way dramatically improves customer experience.

But how safe is it?

In 2018, popular ticket vendor Ticketmaster was caught up in a data breach which affected their web chat function, hosted by Inbenta Technologies, where 40,000 records may have been exposed. An array of information, including names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details, were all included in the breach, as attackers were able to intercept live chat conversations.

With statistics from Furst Person showing that 77% of customers won’t make a purchase online if the site they’re using doesn’t have a live chat option, some organisations are looking to offer a full purchasing experience within the conversation, allowing customers to pay there and then. But it isn’t as straightforward as it sounds, with some contact centres asking for full card details within the chat, unmasked and a far stretch from PCI-DSS compliance.

Various live chat programs allow in-chat payments to be taken safely and securely, with little risk to the customer. There are some things to consider, however: this can often mean a large cost to the organisation for switching suppliers, the software may come with limited branding and features, and it could even lead to a possible loss of customer data. Finding an appropriate solution that benefits both the customer and the organisation can sometimes prove difficult.

Providers of web chat software or plugins have dedicated development teams that can continue to add valued features and benefits to their platforms. This is great and allows for a lot of customisation and freedom to configure the web chat software to work with a diverse range of business operations.

It is the diverse capabilities of this software, working as efficiently as it can as a method of conversation, that enable Key IVR to work alongside these providers, integrating a payment method that focuses on security and safety for the customer. As a secure payment solutions provider, the focus can remain on ensuring card data is processed, stored and transmitted in a way that fully abides by the guidelines set by the Payment Card Industry Security Standards Council (PCI-SSC).

The need to change suppliers is taken out of the equation, with the ability to work alongside the current business operations and systems.

Key IVR’s ability to process payments through a live chat is very flexible: it works not only with chats conducted by an agent, but also with artificial intelligence (AI) chats. The platform pulls through information provided by the customer to generate a secure link which, when clicked, takes them to a secure payment page with pre-filled information fields for a quicker and easier process.

Find Out More

For more information on our diverse range of services, take a look at our Payment Solutions or contact a member of our team on +44 (0) 1302 513 000 or email sales@keyivr.com

Top 10 Facts About PCI Compliance

The Payment Card Industry Data Security Standard (PCI-DSS or PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Launched on December 15, 2004, it was formed to manage the ongoing evolution of the Payment Card Industry (PCI).

Here are the answers to some of the most asked questions surrounding PCI DSS:

1. There are different levels of compliance

Organisations fit into different levels of compliance depending on the number of credit card transactions they handle per year. These include:

    • Level 1: A merchant processing over 6 million transactions per year
    • Level 2: A merchant processing between 1 and 6 million transactions per year
    • Level 3: A merchant processing between 20,000 and 1 million transactions per year
    • Level 4: A merchant processing less than 20,000 transactions per year

2. Non-compliance could have significant ramifications on your organisation

If organisations aren’t taking relevant precautions to appropriately collect, process, store and re-use sensitive data, they will be at a much higher risk of a data breach. This can result in considerably high fines that can be extremely damaging to your business, especially after the implementation of the General Data Protection Regulation (GDPR). Other outcomes can include: increased transaction fees, prevention from accepting card payments, large forensic investigation fees for looking into the cause of a breach, bad publicity, a damaged reputation and expensive compensation fees to customers. Becoming PCI compliant or, more effectively, trusting a PCI level 1 third-party payment services provider is a long-term solution to increasing the security of your business and network infrastructure.

3. All PCI compliant organisations need to prove they are following guidelines

There are different requirements depending on the merchant level your organisation falls into. However, all businesses will be asked to complete an Attestation of Compliance and conduct a quarterly network scan by an Approved Scanning Vendor (ASV). Level 1 merchants will also be required to conduct a Report on Compliance (ROC) which is an annual on-site assessment completed by an independent Qualified Security Assessor (QSA). Those falling into other merchant levels must submit an annual Self-Assessment Questionnaire (SAQ).

4. An Attestation of Compliance needs to be signed

Whoever is in charge of compliance within your organisation, whether this is the Chief Financial Officer or Head of Compliance, is required to complete an Attestation of Compliance form. There are different versions of the form dependent on the scope of your business, but it essentially certifies that all the relevant PCI requirements have been met.

5. If you’re a Level 1 organisation, only a QSA can verify that you are PCI DSS compliant

Qualified Security Assessors (QSAs) are independent security organisations that have completed the appropriate training from the PCI Security Standards Council, with the ability to validate an entity’s adherence to PCI DSS. You can find an up-to-date list of qualified QSAs on the PCI Security Standards Council’s official website.

6. The PCI DSS has specific SAQs for different types of organisations

Self-Assessment Questionnaires (SAQs) are completed by the business itself. They are a list of relevant questions that determine the security of your organisation when taking payments, and they differ depending on the type of business and the methods by which it processes transactions. For level 1 merchants and service providers, however, this will work differently, as they will need an independent QSA to assess and validate their compliance.

7. Just because your software is PA-DSS certified, doesn’t mean you’re fully compliant

Payment Card Application – Data Security Standard (PA-DSS) certified software has already undergone the relevant checks to ensure it is PCI compliant. Although using this software assists with PCI DSS, it does not mean that organisations are absolved of their overall responsibility of ensuring their networks are safe and secure. Services are not included in the PA-DSS list; it covers only software applications or products.

8. There are simpler ways of becoming PCI compliant

By using a level 1 third-party PCI DSS payments solution provider, you can take a lot of the pressure away from your organisation when it comes to applying the appropriate levels of security. It’s often a very demanding and costly venture to become PCI compliant on your own, so by working with an already established PCI DSS compliant business to outsource and descope your payment services, you can remove your organisation’s network and environment from the scope of PCI DSS.

In some examples, you could be starting with 233 detailed requirements from a Self-Assessment Questionnaire (SAQ). By outsourcing and descoping your payment channels this can reduce your SAQ to 13 ‘yes’ or ‘no’ questions.

9. Outsourcing your payment systems to a PCI compliant provider doesn’t mean you’re not responsible for data security

The quarterly network scan and annual Attestation of Compliance still need to be completed, as the organisation itself is ultimately responsible for the overall security and safety of any data they capture, process, store or transmit. It’s essential to choose a level 1 payment service provider that will offer the best service possible with the right experience and credentials, in order to avoid any possible problems.

10. PCI compliance isn’t going away

Cybercrime is almost unavoidable with most organisations choosing to move their operations and offer front-end payment services online. Hackers are continuously on the look-out for new ways to steal personal data, so following the requirements of the PCI-DSS can drastically limit their chances of success. PCI compliance isn’t going away, so it’s essential to ensure you know how to appropriately meet the guidelines.

Contact Key IVR for PCI compliant solutions that protect your customers’ sensitive payment data and descope your organisation’s network. Call 01302 513 000 or email sales@keyivr.com to discuss your requirements.

Is Pause and Resume Really Protecting Your Customers’ Data?

Organisations that accept card payments over the phone are recording calls for training and monitoring purposes, an obligation the Financial Conduct Authority (FCA) put in place to prevent, detect and deter market abuse. This becomes difficult for those wanting to achieve compliance with the Payment Card Industry Data Security Standard (PCI-DSS), which states that no sensitive card data can be recorded.

“But, I’m already PCI compliant, I use pause and resume call recording so my customers’ card details aren’t stored anywhere”

Many organisations believe “pause and resume” or “stop/start” call recording technology is a solution. The agent pauses the call recording at the point where the customer reads out their card details and resumes the recording afterward. The end result is a recording with the payment portion and sensitive information removed.

Pause and Resume Through Manual Intervention isn’t Compliant

The PCI-DSS guidelines stipulate that sensitive card data is removed from call recordings automatically, without the need for an agent or other members of staff to intervene.

Your Staff Are Responsible for Pausing the Recording

If an agent is able to pause the recording, it allows them to say something to the customer off-record. This isn’t compliant and can cause serious customer service issues. Additionally, the agent could forget to pause the recording before taking payment, putting the particular customer at risk and defeating the point of having a solution in place.

Card Details Can Still Be Heard by an Agent

Even with call recording paused, agents can still hear sensitive card details. They could potentially write them down and use or share them for malicious purposes, or simply leave them exposed on their desk for others to see.

Information Can Be Missed

Similarly to agents speaking off-record, a customer can mention something important that isn’t captured in a call recording for future use. This is especially relevant if the transaction has just taken place and the agent forgets to resume recording.

Cost and Time of Maintaining

In order to follow the FCA rules related to call recording, the audio files would need to be maintained and monitored regularly to ensure it is only the sensitive card data that agents are excluding from the call. This is a time-consuming and costly process for any organisation.

The Correct, Complete and Compliant Solution

With an Agent Assisted Payments Solution from Key IVR, the customer still uses their keypad to enter payment details, but Twin Clamp Technology DTMF suppression is applied to the keypad presses. This ensures that no sensitive information enters the Contact Centre payment system or is present on the call recording, allowing the organisation to record the entire call.

It’s still easy for a customer to make a payment when on the phone with an agent. At the point of taking payment, an agent simply asks a customer to enter their card details onto their phone keypad; the agent stays on the phone to communicate with the customer and assist them with the payment process via a live webpage. This improves customer experience and increases payment conversion without the need to rely on an agent to pause the call, removing the risk of human error.

Talk to Key IVR and let us help you reduce serious security risks within your Contact Centre with our PCI-DSS compliant solutions. We work in partnership and integrate with a wide range of payment providers and suppliers with the aim to design a solution that meets your individual business requirements.

Find out more about our services:

Alternatively, please contact us on 01302 513 000 or email sales@keyivr.com to discuss your requirements.