PCI DSS Compliance when Contact Centre Agents Work Remotely

How to maintain PCI DSS compliance when your contact centre agents are working remotely
Danny Cresswell, Chief Sales Officer at Syntec

Many merchants have responded to the Covid-19 epidemic by either asking their contact centre agents to stay safe and work from home, or by routing calls to outsourcers handling calls on their behalf. Both of these present a number of unique security challenges and associated risks.

During these difficult times, it is clearly important for businesses to retain the ability to accept card payments from their customers, but with agents working remotely it is equally important for payments taken over the phone to be handled securely and in a PCI DSS compliant manner.

If your customers are providing their payment card data verbally (i.e. reading out their card number and security code to the agent) your contact centre agents and their remote working environment (which for many will be their home) will be firmly in-scope for PCI DSS. This is due to the fact that payment card data is accessible to the agent.

In order to ensure that payment card data is handled securely when your agents are working remotely, you need to change the way that this data is captured and prevent it from being exposed to the agent.

CardEasy from Syntec prevents contact centre agents (including home-based agents) from hearing or seeing payment card data, automatically blocking it from your screen and call recordings (without the need for a pause/resume function) and preventing it from entering your contact centre systems and networks.

Here are 2 ways CardEasy can allow remote agents to handle payments securely:

CardEasy Digital Payments

This solution allows agents to deal with payments via any communication channel including voice, email, webchat, SMS & social media, without the agent ever having access to the payment card data. It is immediately available and provides a cost-effective and user-friendly solution.

Using CardEasy Digital, your agent simply sends the customer a secure HTML link or QR code. The customer can access this link using any device which is connected to the internet, including computers, laptops, tablets and smart phones. The link provides the customer with a secure payment page, where they can enter their card numbers and complete the transaction.

The solution does not require any integration with your order/payment application or the applications/platforms which your agents will be using to manage customer interactions (such as your telephony, email or social media platforms) and provides a number of advantages over and above the ‘Pay by Link’ options available from PSPs, such as a live display for the agent so that they can monitor the customer’s payment progress in real-time.

CardEasy Digital can of course be used as a long-term solution in contact centres to allow for compliant payments across all communication channels, minimizing PCI DSS scope for agents in contact centres, as well as remote agents. However, it is also ideal for use during the current COVID-19 epidemic as it provides an immediate solution.

CardEasy Voice Payments:

Using CardEasy Voice, the paying customer is asked by the contact centre agent to either:

Use their telephone keypad to enter their card number and security code. CardEasy captures the keypad entries via the DTMF touchtones.
Speak their card number and security code as they would normally. CardEasy captures the spoken numbers using Automated Speech Recognition (ASR).

Whether CardEasy is capturing payment card data via DTMF or ASR, there is no requirement for the call centre agent to transfer the call or put the customer on hold. This ensures a seamless, natural and positive customer (and agent) experience.

The agent remains in conversation with the customer throughout and is able to provide verbal guidance and instructions to the customer.

CardEasy Voice can be used with any telephony provider (ISDN and/or SIP), telephony platform and order/payment application without the need for any integration. There are no restrictions in terms of the payment or tokenization gateways that can be used. The solution provides the agent with live visibility during a DTMF or ASR capture so that they can monitor the customer’s payment progress in real-time, but the agent is never exposed to the card data.

Depending on your environment, CardEasy Voice can be deployed in a matter of days, which again makes it ideal during the Covid-19 epidemic but also as a long-term solution.



Danny Cresswell is Chief Sales Officer at Syntec

Founded in 1998, Syntec is an independent UK network operator and provides CardEasy as a managed service worldwide, as a participating member organisation of the global Payment Card Industry Security Standards Council and a PCI DSS level 1 Visa merchant agent.
