If you handle payments through your contact centre, read on. Things have changed.
It’s now a lot easier for your customers to pay you securely, and for the transactions to be handled in a manner that is totally PCI-DSS compliant, and not painful for the customer.
Before we reveal how, it’s important to understand why PCI-DSS compliance is critical for taking payments.
If you accept credit card payments, you are required to adhere to the Payment Card Industry Data Security Standard, otherwise known as PCI DSS. These are the standards laid down by the Payment Card Industry Security Standards Council, which is made up of the five major credit card companies. It’s a framework for maintaining a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
What’s involved for contact centres to become compliant?
Becoming PCI-DSS compliant is a very tough process, and requires significant investment in technology, processes and staff security. Certification is only issued for one year, and renewal requires rigorous assessment every year. Malicious hackers improve their techniques at rapid speed, and companies must continuously monitor their security controls.
In a Contact Centre environment, there are three areas of requirements to be addressed:
- The process for accepting payments needs to be well-documented
- You need to ensure that no-one can write down or record credit card details
- Access to sensitive information needs to be role restricted
- You need to have conducted background checks on employees
- You need to provide regular Security Awareness training
- You need a large number of security measures in place to ensure your network, systems and access meet all required security protocols
This is just the start. See 10 best practices to prepare for PCI assessment for full details on what is involved.
Is there an easier way to take payments securely?
Yes there is.
Many contact centres have opted to use PCI-DSS compliant third-party solutions. Whilst the contact centre still needs to go through a PCI-DSS compliance assessment process, it is typically far less of an ordeal and less expensive, and it still allows the contact centre to take payments in a secure and compliant manner.
Managing secure payments – the old way
There are several methods that Contact Centres use to take payments.
The least secure method is for customers to read out their credit card details aloud for the agent to enter into a credit card POS terminal or an online payment interface. Whilst the interface may encrypt the details so they can’t be retrieved by anyone with access, there is opportunity for the agent or a silent listener to write the credit card details down. This is why contact centres ban mobile phones, pens and paper from agents’ desks.
Methods with better security are in place in contact centres where conversations are recorded for regulatory, security or training purposes.
In this situation, the recording must be stopped when it comes time for an agent to take payment.
- The agent can manually hit pause whilst the data is relayed by voice or on a touchpad, and hit resume when payment is complete. This is not recommended because the onus lies with the agent to remember to do this.
- The third-party solution might mask the DTMF touch-tones so there’s no need to stop the recording: the agent, or anyone listening to the recording, cannot work out the numbers entered on the touchpad.
- Auto pause and resume functionality pauses the recording when the agent accesses the payment page and resumes it again when the page is closed.
- Auto mute and unmute functionality is similar, except the call recording continues and silence or a tone signal replaces sound during payment page access.
Whilst these latter four methods are more secure than the first one, there are still some challenges associated with these systems:
- They often involve transferring the customer to a third-party solution rather than having them stay on the line.
- Some don’t entirely remove the risk of details being captured by the agent, or another staff member or hacker “listening”.
- The overall customer experience isn’t good, particularly if they lose access to the agent whilst making payment.
Managing secure payments – the NEW way
The ideal solutions are ones which remove all risk for the customer and the contact centre, and provide a great customer experience.
Premier Technologies has been providing hosted phone and web payment solutions for over 15 years. It currently processes 1 in every 15 phone and web payments in Australia, including for the Commonwealth Bank of Australia who has rebranded Premier’s white label payments solution as CBA BPOINT.
MerchantSuite is Premier’s direct to market, all in one payments solution which empowers contact centres and other organisations to deliver the ultimate omnichannel payments experience. MerchantSuite is essential for organisations looking to improve their processes by lowering costs, reducing risks and improving customer experience. MerchantSuite offers a suite of PCI compliant solutions enabling staff to take payments securely over the phone, which are currently being used by State and Local Government organisations as well as a number of corporate users.
The MerchantSuite solutions integrate seamlessly with Premier’s cloud contact centre software – Premier Contact Point.
1. Payment Request
The Payment Request solution enables the agent to send a link to the customer’s phone via email or SMS, where they can pay via credit card or Apple Pay on a secure hosted payment page. Depending on what the customer prefers, agents can either stay on the line and monitor payment status in real time and provide the customer with assistance if required or end the call if the customer is happy to continue without assistance.
2. Secure Call Interface
The Secure Call Interface (SCI) solution provides agents with a safe and flexible process to accept payments over the phone in a PCI-DSS compliant manner. When it’s time to take a payment, the agent initiates ‘secure mode’ and asks the customer to enter their card details into the phone’s keypad. There’s no need for the agent to stop call recording because the DTMF tones are masked and not captured in the call recording. At each step of the card entry process, the agent can provide immediate assistance to the customer, like resetting things if the customer makes a mistake entering a number. Once all the details have been entered, the agent can confirm that the payment has been successful and can send the customer a receipt via email or SMS.
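The following is an added illustration, not Premier’s or MerchantSuite’s code, of the masking and pause/resume behaviour described in the methods list above and in the Secure Call Interface description: a model call recorder that, while the agent’s ‘secure mode’ is on, routes keypad digits only to the payment capture and writes a uniform marker to the recording in their place. The frame format, the `SecureModeRecorder` class and the card number are all constructed for the example; the `secure_mode=False` path models an agent who forgot to pause the recording.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Frame:
    """One slice of call media (constructed model). `audio` stands in for PCM;
    `dtmf` is a keypad digit detected in this frame, if any."""
    audio: str
    dtmf: Optional[str] = None

class SecureModeRecorder:
    """Call recorder that masks DTMF while the agent has 'secure mode' on.
    Digits go only to the payment capture buffer; the recording receives a
    uniform marker, so nobody replaying it can recover the card number."""

    def __init__(self) -> None:
        self.secure = False
        self.recording: List[str] = []
        self.captured_digits: List[str] = []

    def set_secure_mode(self, on: bool) -> None:
        self.secure = on

    def reset_digits(self) -> None:
        """Agent assistance: discard a partially entered number after a mistake."""
        self.captured_digits.clear()

    def process(self, frame: Frame) -> None:
        if frame.dtmf is None:
            self.recording.append(frame.audio)
        elif self.secure:
            self.captured_digits.append(frame.dtmf)
            self.recording.append("TONE")                 # masked: digit never reaches the recording
        else:
            self.recording.append("DTMF:" + frame.dtmf)   # unmasked, e.g. an IVR menu choice

def leaked_digits(recording: List[str]) -> str:
    """Digits a listener could read back from the stored recording."""
    return "".join(e[5:] for e in recording if e.startswith("DTMF:"))

def run_call(pan: str, secure_mode: bool) -> Tuple[List[str], str]:
    """Simulate an agent-assisted payment; returns (recording, digits captured)."""
    rec = SecureModeRecorder()
    rec.process(Frame("speech"))                 # agent asks the customer to key in the card
    rec.set_secure_mode(secure_mode)             # False models an agent who forgot to pause
    for d in pan[:4]:
        rec.process(Frame("silence", d))
    rec.reset_digits()                           # customer mistyped; agent resets, entry restarts
    for d in pan:
        rec.process(Frame("silence", d))
    rec.set_secure_mode(False)
    rec.process(Frame("speech"))                 # agent confirms the payment outcome
    return rec.recording, "".join(rec.captured_digits)
```

With secure mode on, the recording contains only speech and marker tones while the capture buffer holds the full number; with it off, every keyed digit, including the mistyped ones, is readable from the recording.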
3. IVR – Automated Phone Payments
To receive payments without agent assistance, e.g. after hours, the Automated Phone Payments solution enables customers to make payments securely through an Interactive Voice Response (IVR) system.
These secure payment solutions significantly improve the customer experience and reduce security risk within the contact centre.
With a staggering 76% increase in card-not-present fraud in the 12 months to June 30, 2018, representing 1.8 million dodgy transactions in Australia, it’s more important than ever for businesses to be unwaveringly vigilant about accepting payments in a PCI-DSS compliant manner.