How to Maintain PCI DSS Compliance When Working Remotely

Many merchants have responded to the COVID-19 epidemic by either asking their contact centre agents to stay safe and work from home, or by routing calls to outsourcers handling calls on their behalf. Both of these present a number of unique security challenges and associated risk.

During these difficult times, it is clearly important for businesses to retain the ability to accept card payments from their customers, but with agents working remotely it is equally important for payments taken over the phone to be handled securely and in a PCI DSS compliant manner.

If your customers are providing their payment card data verbally (i.e. reading out their card number and security code to the agent) your contact centre agents and their remote working environment (which for many will be their home) will be firmly in-scope for PCI DSS. This is due to the fact that payment card data is accessible to the agent.

In order to ensure that payment card data is handled securely when your agents are working remotely, you need to change the way that this data is captured and prevent it from being exposed to the agent.

CardEasy from Syntec prevents contact centre agents (including home-based agents) from hearing or seeing payment card data, automatically blocking it from your screen and call recordings (without the need for a pause/resume function) and preventing it from entering your contact centre systems and networks.

Here are two ways CardEasy can allow remote agents to handle payments securely.

1. CardEasy Digital Payments

This solution allows agents to deal with payments via any communication channel including voice, email, webchat, SMS and social media, without the agent ever having access to the payment card data. It is immediately available and provides a cost-effective and user-friendly solution.

Using CardEasy Digital, your agent simply sends the customer a secure html link or QR code. The customer can access this link using any device which is connected to the internet, including computers, laptops, tablets and smartphones. The link provides the customer with a secure payment page, where they can enter their card numbers and complete the transaction.

The solution does not require any integration with your order/payment application or the applications/platforms which your agents will be using to manage customer interactions (such as your telephony, email or social media platforms) and it provides a number of advantages over and above the ‘Pay by Link’ options available from PSPs, such as a live display for the agent so that they can monitor the customer’s payment progress in real time.

CardEasy Digital can of course be used as a long-term solution in contact centres to allow for compliant payments across all communication channels, minimizing PCI DSS scope for agents in contact centres, as well as remote agents. However, it is also ideal for use during the current COVID-19 epidemic as it provides an immediate solution.

2. CardEasy Voice Payments

Using CardEasy Voice, the paying customer is asked by the contact centre agent to either:

• Use their telephone keypad to enter their card number and security code. CardEasy captures the keypad entries via the DTMF touchtones.
• Speak their card number and security code as they would normally. CardEasy captures the spoken numbers using automated speech recognition (ASR).

Whether CardEasy is capturing payment card data via DTMF or ASR, there is no requirement for the call centre agent to transfer the call or put the customer on hold. This ensures a seamless, natural and positive customer (and agent) experience.

The agent remains in conversation with the customer throughout and is able to provide verbal guidance and instructions to the customer.

CardEasy Voice can be used with any telephony provider (ISDN and/or SIP), telephony platform and order/payment application without the need for any integration. There are no restrictions in terms of the payment or tokenization gateways that can be used. The solution provides the agent with live visibility during a DTMF or ASR capture so that they can monitor the customer’s payment progress in real time, but the agent is never exposed to the card data.

Depending on your environment, CardEasy Voice can be deployed in a matter of days, which again makes it ideal during the COVID-19 epidemic but also as a long-term solution.