
A Reminder of PCI-Compliant Payment Basics

If you manage a contact centre, there is a good chance that your agents take payment information over the phone. If you do, it is essential that you stay on top of your legal obligations and the appropriate compliance standards.

For most organisations, the main standard to consider is the Payment Card Industry Data Security Standard (PCI DSS, often simply called PCI compliance). It exists to keep cardholder data secure by setting the minimum security controls expected of merchants and service providers that store, process or transmit that data.

PCI compliance reaches across everything from staff training to role-based access to data. In this article, we’ll share our expertise in handling PCI-compliant payments – a key element of a contact centre’s obligations.

The challenge of PCI-compliant payments

When your agents take payment details over the phone, they are being put in a position of great privilege. In the wrong hands, those payment card details could be misused for fraudulent activity.

Most call centres that take payments over the phone face two major compliance obstacles:

  1. Ensuring agents handle payment details appropriately

  2. Recording calls and agent performance without recording sensitive data

There are several strategies that could overcome these obstacles. They include substantial agent training, obfuscating payment details, and encrypting recorded calls. However, there is an easier way to achieve PCI-compliant payments – take your agents out of the process altogether.

Using a PCI-compliant Interactive Voice Response (IVR) application

Rather than agents keying in card details read out over the phone, an Interactive Voice Response (IVR) application can take the payment on your behalf. In this configuration the card data only ever enters the IVR application, which is the component that must be PCI DSS compliant; the agent desktop, the call recorder and the agent network can be kept out of scope because cardholder data never reaches them. If the IVR application is remotely hosted, much of that burden shifts to your service provider, although you remain responsible for choosing a provider that can evidence its own PCI DSS compliance and for making sure card data is not captured anywhere else in your environment.

PCI-compliant payment IVR applications work in different ways. Common options include:

  • Fire and forget: Agents transfer customers to the IVR system and move straight on to their next call. The trade-off is that agents cannot confirm that the payment completed or help customers with any last-minute issues.

  • Connected with progress indicator: The agent stays on the call while the customer pays. When a card payment is required, the agent presses a hotkey to transfer the customer to the payment IVR, and the customer enters their card details using the telephone keypad. The agent sees only an on-screen progress bar showing which stage of the payment the customer has reached, so they can help with any difficulties without ever hearing or handling the card details. When the payment is complete, the system automatically returns the customer to the agent.

  • Compliant call recording: Some systems keep recording the agent's side of the call throughout the payment while nothing is recorded inside the payment IVR, so the DTMF tones that carry the card number never appear in the recording. Contact centres can therefore keep monitoring agent performance without recording confidential cardholder data.
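
The "connected with progress indicator" and "compliant call recording" options above both rest on the same design: raw keypad digits stay inside the payment IVR, while the agent screen and the call recorder receive only progress events. The following Python simulation, added here as an illustration and not code from the article or from any vendor's product, models that separation. The field order, the event format, the masking marker and the keypress sequence are all assumptions made for the example; it does not contact a real payment gateway, and the card number used is a well-known test number.

```python
# Added example: a simulated agent-assisted payment IVR that keeps card data
# out of the agent's screen and out of the call recording. Illustrative code
# written for this article, not any vendor's product. Field order, event
# format and the masking marker are assumptions made here.

import re
from dataclasses import dataclass, field

FIELDS = ("pan", "expiry", "cvv")        # order in which the IVR prompts for input (assumed)
MASKED_TONE = "<dtmf suppressed>"        # what the agent-side recorder gets instead of a tone


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, the first sanity check an IVR applies to a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class PaymentIvrSession:
    """Collects keypad entry for one payment. Raw digits stay inside the IVR;
    the agent and the recorder only ever see progress events."""
    buffers: dict = field(default_factory=lambda: {f: "" for f in FIELDS})
    stage: int = 0                                       # index into FIELDS; len(FIELDS) when done
    agent_events: list = field(default_factory=list)     # what the agent's progress bar sees
    recorder_events: list = field(default_factory=list)  # what the call recorder sees

    def current_field(self) -> str:
        return FIELDS[self.stage] if self.stage < len(FIELDS) else "done"

    def on_keypress(self, key: str) -> None:
        """One DTMF key from the customer's handset. '#' ends the current field."""
        if self.stage >= len(FIELDS):
            return                                       # payment already complete; ignore
        # The recorder on the agent's side never receives the tone, only a marker.
        self.recorder_events.append(MASKED_TONE)
        if key == "#":
            self.stage += 1
        elif key.isdigit():
            self.buffers[FIELDS[self.stage]] += key
        # Progress for the agent: which field and how many digits, never the digits.
        cur = self.current_field()
        self.agent_events.append({"field": cur,
                                  "digits_entered": len(self.buffers.get(cur, ""))})

    def result(self) -> dict:
        """What the IVR hands back when the customer is returned to the agent.
        An incomplete session (customer hung up) or a PAN failing Luhn is a failure
        and releases nothing; a success exposes only the last four digits."""
        pan = self.buffers["pan"]
        ok = self.stage >= len(FIELDS) and luhn_valid(pan)
        return {"status": "captured" if ok else "failed",
                "pan_last4": pan[-4:] if ok else None,
                "expiry": self.buffers["expiry"] if ok else None}


def run_payment(keys: str) -> PaymentIvrSession:
    """Feed a constructed keypress sequence through a fresh session."""
    session = PaymentIvrSession()
    for k in keys:
        session.on_keypress(k)
    return session


def leaks_digits(events) -> bool:
    """True if any event stream contains a run of six or more digits,
    which is what a PAN fragment in a recording or screen log would look like."""
    return re.search(r"\d{6,}", " ".join(str(e) for e in events)) is not None


if __name__ == "__main__":
    # Constructed input: a public test PAN, expiry 12/29 and CVV 123, each ended with '#'.
    s = run_payment("4111111111111111#1229#123#")
    print(s.result())
    print("agent saw:", s.agent_events[15])
    print("recorder got:", set(s.recorder_events))
```

The two event streams are the point: the recorder list contains only masking markers, and the agent list contains only field names and digit counts, so a compromise of either the recording archive or the agent desktop yields no cardholder data. Swapping the constructed keypress string for real telephony events would not change that boundary.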

The cost of a PCI compliant payment IVR system varies hugely. The most powerful agent-assisted platforms can cost in excess of £30,000 – prohibitively expensive for most SMEs. However, a hosted IVR system is a good way to keep costs low – and put PCI-compliant payments in the reach of any business.
