Contact Centre

payMatic-PCI - taking card payments in a secure PCI DSS compliant way using Paypal

Hostcomm has launched payMatic-PCI which is a simple PCI compliant card payment system which is available to anyone wishing to take card payments in a call centre environment. The system is controlled by the call centre agent who moves the client to a secure IVR where the card details are taken, added to additional database information and sent to a payment gateway. If successful the client is informed and the database is updated. The system is secure because the agent is not exposed to the card details and the card details are not stored anywhere. Furthermore the agent's session is recorded from start to end with no breaks or pauses.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Hostcomm Validation of compliance is done annually - by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

payMatic-PCI overview

payMatic-PCI is a hosted payment IVR which is integrated into Hostcomm's automatic dialers and contact centre servers. The agent passes the client to payMatic-PCI by pressing a hotkey and the PCI compliant interactive voice response (IVR) system takes over. The client makes the payment by using their telephone keypad to enter their card details and is then automatically returned to the agent. This system is very easy for the agent's to understand and reduces the average cost per transaction as well preventing the agent from being exposed to the client's credit card details. The service is provided on a 'pay as you go' basis and there are no hardware / software costs to pay.

  • Low monthly cost - available from £199 per month for unlimited transactions.
  • High performance - multiple simultaneous card payments.
  • Works with all main payment gateways - uses secure API access.
  • Very Secure - complies with PCI DSS criteria.
  • Card details not stored - nothing to secure as no card details saved.
  • Agents do no see card details - reduces fraud considerably.
  • Paypal tested - Fully tested with Paypal for direct card payments.
  • Dedicated firewalled server with VPN - the only acceptable PCI / FSA solution.
  • Unlimited support and training - both are included in the monthly service fee.

payMatic-PCI PCI DSS compliance matrix

Control ObjectivesOFFICIAL PCI DSS RequirementspayMatic-PCI
Build and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder dataCompliant - Firewall installed.
2. Do not use vendor-supplied defaults for system passwords and other security parametersCompliant
Protect Cardholder Data3. Protect stored cardholder dataCompliant - Cardholder data not stored.
4. Encrypt transmission of cardholder data across open, public networksIt is not possible to encrypt DTMF tones over the public switched telephone network (PSTN). It is not easy to tap telephone calls but it is possible.
Maintain a Vulnerability Management Program5. Use and regularly update anti-virus software on all systems commonly affected by malwareCompliant
6. Develop and maintain secure systems and applicationsCompliant - Cardholder data not stored or visible to any personell.
Implement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-knowCompliant - Cardholder data not stored or visible to any personell.
8. Assign a unique ID to each person with computer accessCompliant
9. Restrict physical access to cardholder dataCompliant - Cardholder data not stored or visible to any personell.
Regularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder dataCompliant
11. Regularly test security systems and processesCompliant
Maintain an Information Security Policy12. Maintain a policy that addresses information securityCompliant

Trusted by

Pharm N Case StudyLogo New V Case StudyFirst Data Logo 2018 N Case StudyHelp Lin N Case StudyShelter Logo N Case StudyHome Logic Icynene Case StudyOrbit Logo Purple 2 Case StudyInspire Logo 2 Case Study


PCI DSS Certified, TPS Telephone Preference Service, ICOCSA Supplier Member, Cyber Essentials