Making contact centre payments compliant and effective

What Is A Payment IVR?

One of the tasks that many customers require of a contact centre is the ability to make payments. This could be, for example, where a person receives a call from an agent offering a product and the recipient decides that they want to purchase it. Another scenario may be that a customer engages with the contact centre to pay an invoice or set up a service upgrade.

In either case they will almost always want to pay for the service there and then. If they can’t do this, you either lose the sale completely in the case of a new enquiry or frustrate an existing client, making them more likely to want to find a different supplier.

Payment security

The main issue for making payments over the phone is security. In the past, there was little choice other than to give your card information over the phone. In fact, if you want to pay for a takeaway you are likely to have to read your card details over the phone. This means that there is a risk that card details can be misused. In order to minimise the risk of clients’ card data being misused or misappropriated, the vendor needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Any company must meet the minimum standards for card data security.

For larger organisations that transact a much larger number of payments, the standards become increasingly onerous. For contact centres, calls are often recorded, which leads to card details or keypad (DTMF) tones being recorded as well, and back-end systems may retain card details within a database. This means that there is much more potential for payment details to find their way into the wrong hands at scale.

What is PCI DSS Compliance?

If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don’t store card data, then becoming secure and compliant may be easier. Find the PCI DSS Standard document here.

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the Payment Card Industry Security Standards Council (PCI SSC) – American Express, Discover, JCB, MasterCard, and Visa International.

Most merchants that need to store credit card data are doing it for recurring billing. The best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from your possession and you are given back a “token” that can be used for the purpose of recurring billing. By using a third party, you move the risk of storing card data to someone who specializes in doing that and has all of the security controls in place to keep the card data safe.

Types of Payment IVR

There are several types of payment IVR. Each type has its uses; however, certain IVRs offer a much better customer experience than others.

Automated Payment IVR

This is an automated environment whereby the caller is directed through the contact centre system to a payment application. The customer can pay for services through speech recognition and keypad tones. There is no human interaction.

Post Call Payment IVR

In this situation, the customer engages with an agent. As a result of this conversation, the customer needs (or wishes) to make a payment. The agent then sends the customer into a payment IVR. The agent is now no longer involved in the call and is free to talk to other customers. The customer completes the payment process and ends the call. This is sometimes called "fire and forget".

The issue with this process is that the customer may choose not to complete the payment process, or may get stuck and be unable to proceed. As the customer cannot get back to the agent, they will have no choice but to drop the call. While it is possible that they absolutely want to make the payment and will call back and persist, it is more likely that they give up and a sale is lost. Or, in the case of debt collection, the opportunity to collect is lost and considerable effort needs to be made to contact the customer again.

Agent Assisted Payment Process

In this situation the agent remains on the call with the customer. However, during the payment process, the customer is sent into a secure payment system where they will enter their card details via their phone keypad. The agent remains on the call and is able to monitor its progress through the payment process. The agent can also break into the call if it looks like the customer is in difficulty. Also, the customer is able to return to the agent as necessary.

The issue with this method is that the agent is exposed to the DTMF tones tapped into the keypad and it is possible to translate these tones into numbers and copy the credit card number. The result is that any agent assisted solution needs to find a way to not expose the agent to these DTMF tones, if it wants to be PCI-DSS compliant. The traditional way to do this is through DTMF tone suppression, but this technology is presently expensive and may involve the installation of hardware or routing your calls through your payment IVR provider. 

Choosing a payment IVR

Taking payments is a major issue for contact centres. Naturally, it is essential that they provide a secure service which complies with the law and customer requirements. However, it is also important that the system that the contact centre uses to process payments offers a good customer experience and maximises the number of payment completions. For many clients the Agent Assisted IVR offers a balance between user experience, security and cost.

Payment IVR Type     User Experience   Payment Completion   Cost
Automated IVR        Low               Low                  Low
Post Call IVR        Medium            Low/Medium           Low
Agent Assisted IVR   High              High                 High

Hostcomm Agent Assisted PCI-DSS Payment IVR

Hostcomm's Agent Assisted Payment IVR is a great solution for businesses of all sizes. 

Certified to the highest level of PCI-DSS compliance, Hostcomm’s solution is the first to offer a contact centre and payment IVR in-one.

By integrating these services in one PCI QSA certified solution, we have been able to create an agent assisted payment IVR that eliminates the need for costly DTMF tone suppression, significantly decreasing upfront and ongoing costs for our customers. 



PCI DSS Certified, TPS Telephone Preference Service, ICOCSA Supplier Member, Cyber Essentials