A New Solution to PCI Compliance

The number of customers who still choose to pay by phone rather than over the Internet is often underestimated. In Australia, 112 million Mail Order Telephone Order (MOTO) transactions are made every year, representing 16% of all Card Not Present (CNP) transactions. Three quarters of these are telephone payments. Furthermore, the average value of post and telephone orders is generally higher than for bricks and mortar transactions.

It’s a common but false belief that telephone sales will diminish as companies move their business from bricks and mortar to online. In fact, the reverse is true. As online business increases, contact centres have to expand to cater for the online customers who, mid-transaction, call a customer representative for help with a purchase. Addressing the security challenges of telephone payments is becoming increasingly important.

Regulations – necessary but expensive

Card Not Present fraud is a well-documented problem.  The growth in online retailing was accompanied by a corresponding growth in CNP fraud, which represented 75% of card fraud in Australia by 2012.  To combat this, the Payment Card Industry has introduced ever-stricter regulations designed to protect card data. To comply with the Payment Card Industry Data Security Standard (PCI-DSS), merchants must implement and maintain a set of checks and controls to ensure that data is secure. For organisations accepting telephone payments, however, this has proven difficult. 

The problem lies in the fact that the numerous telephony and data networks used by contact centres – from voice recording to CRM – are all inextricably linked to one another, creating a huge infrastructure that has to be controlled. For full compliance, all of these areas may require up to 286 PCI controls, which can prove very expensive. Another difficulty arises when organisations are required to record all calls for customer service or regulatory reasons. If card numbers are spoken aloud, they end up in the recordings, which contravenes the PCI-DSS requirement not to store any card numbers. Since card data is also exposed to the agents themselves, the physical contact centre environment must be secured too, involving draconian measures such as prohibiting the use of all personal telephones and writing equipment.

Take the contact centre out of the equation

The answer lies in treating the cause: we need to ensure that card data is kept out of the contact centre in the first place. Technology can help. While the agent and the customer are talking, rather than asking the customer to state their card details, it is now possible for the agent to ask the customer to enter the numbers using their telephone keypad. From here, the numbers can be sent directly to the customer’s bank, bypassing the contact centre and its technology infrastructure completely. As with online payments, no one else can hear the card details, so the risk of fraud by a member of contact centre staff is removed. Unlike online payments, however, the customer service agent is at hand to walk the customer through the transaction if they have any difficulty. This reduces the high drop-out rates that frequently occur when a customer is obliged to speak to a machine, and reassures the customer that their security is being taken seriously.

Use voice to boost sales

Businesses that have removed the burden of PCI controls from their voice payments can also reap benefits from using the channel more effectively. An excellent opportunity exists for merchants to increase their contact centre sales closure rates by providing a secure voice channel where card data is not shared with agents. A “call me” button on the website not only offers a secure payment option for customers over the phone, but also provides an excellent up-sell opportunity.

The number of customers paying over the phone continues to grow in spite of all predictions, and merchants need to make sure that they address the corresponding security challenge. With the right technology, however, there is an opportunity not only to cut the cost of PCI compliance, but to provide the customer with better security and better service at the same time.  There’s still a big market out there that wants to hear a human voice. 

If you are interested in an alternative to costly PCI accreditation, whereby your company could take payments over the phone securely without a call centre agent ever having to hear or see credit card details, please contact us.

Last updated on: October 26, 2022