Curtis Nash, CEO of Cognia, a provider of cloud-based PCI compliance payment processing solutions, looks at how contact centres can cost-effectively meet the more stringent requirements of PCI DSS 3.0. With the introduction of the Payment Card Industry Data Security Standards (PCI DSS) version 3.0 at the start of the year, it’s a good time to assess how contact centres can comply while keeping both costs and the operational burden to a minimum.
Payment processing options
In order to de-scope as much of the contact centre as possible to reduce the compliance burden while ensuring security, there are several options. I will quickly summarise the pros and cons of the main ones here.
The first thing is having customers speak their card details to an agent, who then types them in to an application on their desktop, is not PCI compliant. Doing it is asking for a world of trouble, and yet according to the 2014 Contact Centre Decision Maker’s Guide over 66% of all contact centres and 74% of outsourcers still take payments manually.
Payment Processing Methods by Vertical
Any solution which can take call centre systems and staff out of the scope of PCI DSS by shielding them from card data, without negatively affecting operations, will reduce the cost and effort of compliance, and the risk of fraud.
However, many IVR payment processing solutions still leave parts of the contact centre infrastructure exposed to customer card data, meaning that compliance measures must be put in place.
In the case of hosted or cloud IVR payment processing services, payment card information can be entirely removed from the contact centre environment. This massively reduces the scope of the contact centre’s PCI assessment and with it the cost and complexity of compliance.
Solution 1: ‘Clean room’ environment and manual processes
This involves isolating staff who handle payments from other staff, and ensuring that they are not allowed pens, paper, mobile phones or any other recording and communications equipment at their desks. Staff need to be heavily trained in PCI compliant processes and constantly monitored. It is estimated that the cost of implementing a ‘clean room’ environment can be as high as £2,000 per agent.
Of course this method still exposes agents and IT / telephony systems to payment card details, so the organisation will be required to meet 100% of the PCI requirements. This is not only intensive to set-up and manage it also requires an exhaustive annual audit.
Solution 2: Pause and resume recording
The requirement that card details not be stored applies equally to call and screen recordings for quality purposes as much as it does to databases. For regulatory, complaint handling and anti-fraud purposes most contact centres routinely record a good percentage of interactions. In this case the agent can manually pause the recording at desktop level while payment details are given, or the system can automatically pause.
This can require complex integration of the call and screen recording software, and may lead to human error and incomplete records of interactions. And because agents and other internal systems are still exposed to card data, 100% of the PCI requirements will still be in play.
Solution 3: IVR payment processing
Rather than trying to integrate call recording with voice payments, like pause and resume, this method aims to separate payments from live agent conversations entirely. When the time comes for the agent to give payment details, the agent transfers the caller to an IVR system. There the customer can give payment details by speaking or typing, using their touchtone phone, and reconnect with the agent afterwards.
The downside is that customers may incorrectly enter details and the agent is not online to encourage and support them through the process leading to a fragmented customer experience. If the payment details still enter the contact centre’s internal systems then this solution does nothing to de-scope those applications, databases and equipment from PCI compliance.
In the case of hosted or cloud IVR payment processing services, payment card information can be entirely removed from the contact centre. This massively reduces the scope of the contact centre’s PCI assessment and with it the cost and complexity of compliance.
Solution 4: DTMF suppression payment processing outsourced to a Level One Service Provider
With this solution certain providers can de-scope over 90% of the contact centre requirements from PCI compliance, in a secure cloud-based environment. To put this into perspective, instead of meeting over 900 requirements the contact centre may only be required to meet just 69 to become fully compliant.
It works by ensuring that payment details never enter the contact centre ecosystem. Like IVR processing the caller is directed to give payment details, however the conversation with the agent is able to continue while they do.
The defining feature of this type of solution is that payment information is entered by the customer using their telephone keypad, and that the resulting tones are suppressed before they reach the call recording system (and the agent), to prevent the storage of card authentication information. Furthermore, the payment details are sent via the outsourced provider’s systems, where they are communicated to your merchant, so no payment card details touch or are stored on internal systems.
With more advanced systems the agent can still track the payment process on their desktop in real-time, but no card data is seen by the agent. It means the agent can support the process of the payment to help the customer and confirm when the payment has gone through.
Curtis Nash – CEO and Founder at Cognia
Curtis is the founder of Cognia and brings an unparalleled energy and enthusiasm for taking technology and applying it in new and unexpected markets. As a lifelong technology entrepreneur who founded his first company aged just 19, Curtis has unrivalled experience and success in technology, operations and business development. His passions include mobile telecommunications, cloud services and real-time communications such as instant messaging.
For additional information see Cognia’s Website