payMatic-PCI - taking card payments in a secure PCI DSS compliant way using Paypal

Hostcomm has launched payMatic-PCI, a simple PCI DSS compliant card payment system available to anyone wishing to take card payments in a call centre environment. The system is controlled by the call centre agent, who moves the client to a secure IVR where the card details are taken, combined with additional database information and sent to a payment gateway. If the payment succeeds the client is informed and the database is updated. The system is secure because the agent is never exposed to the card details and the card details are not stored anywhere. Furthermore, the agent's session is recorded from start to end with no breaks or pauses.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud caused by its exposure. Validation of compliance is done annually: by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

payMatic-PCI overview

payMatic-PCI is a hosted payment IVR integrated into Hostcomm's automatic diallers and contact centre servers. The agent passes the client to payMatic-PCI by pressing a hotkey and the PCI DSS compliant interactive voice response (IVR) system takes over. The client makes the payment by entering their card details on their telephone keypad and is then automatically returned to the agent. The system is very easy for agents to understand and reduces the average cost per transaction, as well as preventing the agent from being exposed to the client's card details. The service is provided on a 'pay as you go' basis and there are no hardware or software costs to pay.

  • Low monthly cost - available from £199 per month for unlimited transactions.
  • High performance - multiple simultaneous card payments.
  • Works with all main payment gateways - uses secure API access.
  • Very Secure - complies with PCI DSS criteria.
  • Card details not stored - nothing to secure as no card details saved.
  • Agents do not see card details - reduces fraud considerably.
  • Paypal tested - Fully tested with Paypal for direct card payments.
  • Dedicated firewalled server with VPN - the only acceptable PCI / FSA solution.
  • Unlimited support and training - both are included in the monthly service fee.
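The descoping pattern described above (card digits entered by keypad inside the IVR, never seen by the agent and never stored) can be modelled in a few lines. This is an added example, not Hostcomm's code; the DTMF format, the stub gateway call and the function names are all assumptions, and the card number in the test is the well-known constructed test PAN, not real data.

```python
import re
from typing import Dict, List

# Assumed keypad convention: digits terminated by '#', as a DTMF IVR prompt would collect them.
PAN_RE = re.compile(r"^\d{13,19}#$")

def luhn_ok(pan: str) -> bool:
    """Luhn check: catches mistyped digits before anything is sent to the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Only the last four digits may ever reach the agent screen or the call log."""
    return "*" * (len(pan) - 4) + pan[-4:]

def stub_gateway(pan: str, amount_pence: int) -> Dict[str, str]:
    """Hypothetical stand-in for the real payment gateway API call (constructed)."""
    return {"approved": "yes", "auth_code": "CONSTRUCTED-AUTH-1"}

def ivr_take_payment(dtmf_pan: str, amount_pence: int, call_log: List[str]) -> Dict[str, str]:
    """Runs inside the IVR after the agent's hotkey transfer.

    The full PAN exists only in this function's locals; the record handed back
    to the agent and every log line carry at most the masked form.
    """
    if not PAN_RE.match(dtmf_pan):
        call_log.append("pan rejected: bad length or missing '#' terminator")
        return {"status": "declined", "reason": "invalid card number"}
    pan = dtmf_pan[:-1]
    if not luhn_ok(pan):
        call_log.append(f"pan rejected: luhn failed for card ending {pan[-4:]}")
        return {"status": "declined", "reason": "invalid card number"}
    reply = stub_gateway(pan, amount_pence)
    masked = mask_pan(pan)
    del pan                            # drop the reference; nothing below can reach the full number
    status = "approved" if reply["approved"] == "yes" else "declined"
    call_log.append(f"gateway {status} for {masked}, amount {amount_pence}p")
    return {"status": status, "card": masked, "auth_code": reply["auth_code"]}
```

The useful check is the last one in the test: after a successful payment neither the agent-facing record nor the call log contains the full card number, which is what keeps the agent desk and the recording platform out of PCI DSS scope.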

payMatic-PCI PCI DSS compliance matrix

Each official PCI DSS requirement is listed under its control objective, followed by the payMatic-PCI position.

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data - Compliant: firewall installed.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters - Compliant.

Protect Cardholder Data
  3. Protect stored cardholder data - Compliant: cardholder data not stored.
  4. Encrypt transmission of cardholder data across open, public networks - It is not possible to encrypt DTMF tones over the public switched telephone network (PSTN). It is not easy to tap telephone calls, but it is possible.

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware - Compliant.
  6. Develop and maintain secure systems and applications - Compliant: cardholder data not stored or visible to any personnel.

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know - Compliant: cardholder data not stored or visible to any personnel.
  8. Assign a unique ID to each person with computer access - Compliant.
  9. Restrict physical access to cardholder data - Compliant: cardholder data not stored or visible to any personnel.

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data - Compliant.
  11. Regularly test security systems and processes - Compliant.

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security - Compliant.

Accreditations

PCI DSS Certified, TPS Telephone Preference Service, ICOCSA Supplier Member, Cyber Essentials