Key IVR Partner with Elavon to Offer Innovative and Secure Payment Processing in the US

Elavon and Key IVR are excited to announce a new partnership, making it easier for US merchants to access a wide range of innovative and secure card payment solutions. With a seamless integration between the Key IVR platform and Elavon gateway, businesses and consumers alike are protected to the highest level of payment security, PCI-DSS Compliance Level 1.

Elavon is one of the nation’s largest processors and is consistently rated among the top five global payment providers. They offer simple, cost-effective payment processing solutions backed by reliable, helpful customer service. Elavon assists businesses by expanding payment choices and channels, and by speeding up cash flow with some of the quickest funding in the industry.

Key IVR have over 15 years of experience providing secure cloud payment solutions to organisations across the globe. With an ever-expanding portfolio of solutions to meet a number of commercial needs, businesses across the globe have the ability to process payments over the phone, using an automated IVR, on the web, via SMS or on a mobile app.

By joining forces, both organisations are excited to see the fantastic contribution an extensive suite of payment solutions will bring to the US market.

Dianne Smith, Head of Partner Relationships at Key IVR said:

“From the very start of our relationship, we have always had a great dynamic. Communication and efficiency from all members of the team are always prompt and reliable, giving us the confidence that future opportunities will run just as smoothly.”

This new US partnership follows a long-standing relationship with Elavon’s UK division, which has recently secured the opportunity to implement a multi-channel solution for a prominent UK-based business in the Hospitality and Leisure industry. The service will allow customers to pay for their stay over the phone in a secure manner, de-scoping the entire organisation and network environment so that sensitive cardholder data (CHD) never reaches their systems.

If you’d like to find out more about Elavon and their innovative payment processing solutions, visit www.elavon.com

Top 10 Facts About PCI Compliance

The Payment Card Industry Data Security Standard (PCI-DSS or PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Launched on December 15, 2004, it was formed to manage the ongoing evolution of the Payment Card Industry (PCI).

Here are the answers to some of the most asked questions surrounding PCI DSS:

1. There are different levels of compliance

Organisations fit into different levels of compliance depending on the number of credit card transactions they handle per year. These include:

    • Level 1: A merchant processing over 6 million transactions per year
    • Level 2: A merchant processing between 1 and 6 million transactions per year
    • Level 3: A merchant processing between 20,000 and 1 million transactions per year
    • Level 4: A merchant processing less than 20,000 transactions per year

2. Non-compliance could have significant ramifications on your organisation

If organisations aren’t taking relevant precautions to appropriately collect, process, store and re-use sensitive data, they will be at a much higher risk of a data breach. This can result in considerably high fines that can be extremely damaging to your business, especially after the implementation of the General Data Protection Regulation (GDPR). Other outcomes can include: increased transaction fees, prevention from accepting card payments, large forensic investigation fees for looking into the cause of a breach, bad publicity, a damaged reputation and expensive compensation fees to customers. Becoming PCI compliant, or more effectively, trusting a PCI level 1 third party payment services provider is a long-term solution to increasing the security of your business and network infrastructure.

3. All PCI compliant organisations need to prove they are following guidelines

There are different requirements depending on the merchant level your organisation falls into. However, all businesses will be asked to complete an Attestation of Compliance and conduct a quarterly network scan by an Approved Scanning Vendor (ASV). Level 1 merchants will also be required to conduct a Report on Compliance (ROC) which is an annual on-site assessment completed by an independent Qualified Security Assessor (QSA). Those falling into other merchant levels must submit an annual Self-Assessment Questionnaire (SAQ).

4. An Attestation of Compliance needs to be signed

Whoever is in charge of compliance within your organisation, whether this is the Chief Financial Officer or Head of Compliance, is required to complete an Attestation of Compliance form. There are different versions of the form dependent on the scope of your business, but it essentially certifies that all the relevant PCI requirements have been met.

5. If you’re a Level 1 organisation, only a QSA can verify that you are PCI DSS compliant

Qualified Security Assessors (QSAs) are independent security organisations that have completed the appropriate training from the PCI Security Standards Council and are able to validate an entity’s adherence to PCI DSS. You can find an up-to-date list of QSAs on the PCI Security Standards Council’s official website.

6. The PCI DSS has specific SAQs for different types of organisations

Self-Assessment Questionnaires (SAQs) are completed by the business itself. Each is a list of relevant questions that determine the security of your organisation when taking payments, and they differ depending on the type of business and the methods it uses to process transactions. For level 1 merchants and service providers this works differently, as they need an independent QSA to assess and validate their compliance.

7. Just because your software is PA-DSS certified, doesn’t mean you’re fully compliant

Payment Card Application – Data Security Standard (PA-DSS) certified software has already undergone the relevant checks to ensure it is PCI compliant. Although using this software assists with PCI DSS, it does not mean that organisations are absolved of their overall responsibility for ensuring their networks are safe and secure. Services are not included in the PA-DSS list; it covers only software applications or products.

8. There are simpler ways of becoming PCI compliant

By using a level 1 third-party PCI DSS payments solution provider, you can take a lot of the pressure away from your organisation when it comes to applying the appropriate levels of security. It’s often a very demanding and costly venture to become PCI compliant on your own, so by working with an already established PCI DSS compliant business to outsource and descope your payment services, you can remove your organisation’s network and environment from the scope of PCI DSS.

In some examples, you could be starting with 233 detailed requirements from a Self-Assessment Questionnaire (SAQ). By outsourcing and descoping your payment channels this can reduce your SAQ to 13 ‘yes’ or ‘no’ questions.

9. Outsourcing your payment systems to a PCI compliant provider doesn’t mean you’re not responsible for data security

The quarterly network scan and annual Attestation of Compliance still need to be completed, as the organisation itself is ultimately responsible for the overall security and safety of any data it captures, processes, stores or transmits. It’s essential to choose a level 1 payment service provider that will offer the best service possible with the right experience and credentials, in order to avoid any possible problems.

10. PCI compliance isn’t going away

Cybercrime is almost unavoidable with most organisations choosing to move their operations and offer front-end payment services online. Hackers are continuously on the look-out for new ways to steal personal data, so following the requirements of the PCI-DSS can drastically limit their chances of success. PCI compliance isn’t going away, so it’s essential to ensure you know how to appropriately meet the guidelines.

Contact Key IVR for PCI compliant solutions that protect your customers’ sensitive payment data and descope your organisation’s network.

Call +1 888 765 3109 or email sales@keyivr.com to discuss your requirements.

Is Pause and Resume Really Protecting Your Customers’ Data?

Organisations that accept card payments over the phone are recording calls for training and monitoring purposes, an obligation the Financial Conduct Authority (FCA) put in place to prevent, detect and deter market abuse. This becomes difficult for those wanting to comply with the Payment Card Industry Data Security Standard (PCI-DSS), which states that no sensitive card data can be recorded.

“But, I’m already PCI compliant, I use pause and resume call recording so my customers’ card details aren’t stored anywhere”

Many organisations believe “pause and resume” or “stop/start” call recording technology is a solution. The agent pauses the call recording at the point where the customer reads out their card details and resumes the recording afterward. The end result is a recording with the payment portion and sensitive information removed.

Pause and Resume Through Manual Intervention isn’t Compliant

The PCI-DSS guidelines stipulate that sensitive card data is removed from call recordings automatically, without the need for an agent or other members of staff to intervene.

Your Staff Are Responsible for Pausing the Recording

If an agent is able to pause the recording, it allows them to say something to the customer off-record. This isn’t compliant and can cause serious customer service issues. Additionally, the agent could forget to pause the recording before taking payment, putting the particular customer at risk and defeating the point of having a solution in place.

Card Details Can Still Be Heard by an Agent

Even with call recording paused, agents can still hear sensitive card details. They could potentially write them down and use or share them for malicious purposes, or simply leave them exposed on their desk for others to see.

Information Can Be Missed

Similarly to agents speaking off-record, a customer can mention something important that isn’t captured in a call recording for future use. This is especially relevant if the transaction has just taken place and the agent forgets to resume recording.

Cost and Time of Maintaining

In order to follow the FCA rules related to call recording, the audio files would need to be maintained and monitored regularly to ensure it is only the sensitive card data that agents are excluding from the call. This is a time-consuming and costly process for any organisation.

The Correct, Complete and Compliant Solution

With an Agent Assisted Payments Solution from Key IVR, the customer still uses their keypad to enter payment details, but Twin Clamp Technology DTMF suppression is applied to the keypad presses. This ensures that no sensitive information enters the Contact Centre payment system or is present on the call recording, allowing the organisation to record the entire call.

It’s still easy for a customer to make a payment when on the phone with an agent. At the point of taking payment, an agent simply asks the customer to enter their card details on their phone keypad. The agent stays on the phone to communicate with the customer and assist them with the payment process via a live webpage. This improves customer experience and increases payment conversion without the need to rely on an agent to pause the call, removing the risk of human error.

Talk to Key IVR and let us help you reduce serious security risks within your Contact Centre with our PCI-DSS compliant solutions. We work in partnership and integrate with a wide range of payment providers and suppliers with the aim to design a solution that meets your individual business requirements.

Find out more about our services:

Alternatively, please contact us on +1 888 765 3109 or email sales@keyivr.com to discuss your requirements.

Key IVR Secures a Multi-Year Partnership with UK Charity, Marie Curie

Key IVR are pleased to announce a new partnership with Marie Curie, the UK’s leading charity for people living with any terminal illness and their families. The charity helps people make the most of the time they have together by delivering expert hands-on care, emotional support, research and guidance.

Key IVR will work with Marie Curie to ensure credit and debit card donations made over the phone are processed securely, thanks to a new Agent Assisted Payments Service. The DTMF suppressed payments solution will channel contact centre calls through a robust PCI-DSS Level 1 version 4.0 compliant platform.

Sophie Chan, Key IVR Account Manager said:

“Marie Curie has a long history of being an invaluable source of support for many people, and their trust in our service is a testament to Key IVR being an industry leader that continues to set the benchmark for secure and intelligent payment systems.”

Marie Curie will benefit from the secure payments platform, taking donations on the phone from their supporters in a convenient and compliant manner. The staff accepting the payments will be able to stay in full conversation with the supporter throughout the donation to ensure payment is successful and to thank the caller for their generous donation.

As the card details are entered via the phone keypad, the service hides the sensitive information on the staff member’s screen, and as there are no card details spoken out loud, calls can be recorded with minimum security risk. To ensure a smooth transition to the new system, Key IVR Account Managers will be delivering on-site training and face-to-face consultation with all staff.

Key IVR looks forward to working closely with Marie Curie and supporting them in the tireless work they do in providing excellent care to those in need.

Find out more about Marie Curie.
Find out more about Agent Assisted Payments.