Technology Toolkit – PCI compliant card payment handling

In this series we look at how technology can help to solve contact centre problems. This week we look at PCI compliance.

PCI compliant card payment handling

The problem

Any organisation that stores, processes or transmits sensitive cardholder data must now be compliant with the Payment Card Industry Data Security Standards (PCI DSS) – an internationally recognised set of technical and operational requirements designed to protect cardholder data. This includes organisations that take card payments through their customer contact centres.

Merchants that fail to comply with the PCI DSS run the serious risk of costly fines, damaged customer relationships and bad PR.

The solution

PCI DSS compliant technology solutions can remove contact centre advisors from access to credit card details.

How it works

There are broadly two types of PCI DSS compliant technology solution used within customer contact centres today:

Fully automated PCI solutions (i.e. non advisor-assisted) that use Interactive Voice Response (IVR) technology.
Advisor-assisted PCI solutions: these allow advisors to collect customer payment information without ever seeing or hearing card details. Advisors are, however, able to remain on the phone and assist customers throughout the payment process, minimising confusion and the chance of customers ending calls before their transactions are complete. Advisors prompt customers when each piece of information is required, with customers using their telephone keypad to type in card details. The tones generated by the phone are then collected, bypassing the recording and advisor, into the PCI application and payment gateway. All calls can be recorded as normal to ensure that, if applicable, FSA regulations are met.

Advisor-assisted PCI technology solutions can be delivered from the Cloud or via an OnPremise system. The architecture of a typical OnPremise solution is as follows:

The steps involved in an advisor-assisted card payment handling transaction are typically:

STEP 1: At the point of payment, advisor opens payment screen.
STEP 2: Advisor guides customer through payment, requesting each piece of information when needed.
STEP 3: System collects card details.
STEP 4: Advisor receives payment confirmation and authorisation code for customer.
STEP 5: Captured details are sent to acquiring bank.
STEP 6: Payment is made to beneficiary.

Fig 1: Advisor notified that data is being collected

Fig 2: Advisor notified that CVN details are invalid

Fig 3: Advisor notified that all card details are correct

Benefits

A professional PCI compliant technology solution can:

Completely de-scope contact centre advisors from PCI DSS audits
Reduce audited controls (in one recent case, from 240 SACK levels at SACK level 4 to under 60 at SACK level 1)
Ensure PCI DSS compliance without affecting use of performance-optimisation applications or other regulatory/legislative principles and practices (such as the requirement to record entire client interactions relating to FSA regulations)
Be simple to use with little advisor training required
Have a positive effect on both the advisor’s and customer’s experience
Reduce the scope for human error
Ensure that no one in the contact centre has access to card payment details – thus preventing advisors from sharing or selling card details and reducing the likelihood of them being asked to do so
Remove the need for ‘clean room’ environments where advisors aren’t allowed paper, pencils and personal belongings at their desks (including mobile phones and other communication devices) and not allowed to use email. It is estimated that implementing a clean room environment can cost around £2,000 per advisor.

Companies using this solution

There are a number of companies using this type of solution, including a leading global tax and advisory company and a railway infrastructure company.