FAQ
How can I minimise the amount of work I have to do to meet PCI requirements?
One way to do this is to not record calls on which payments are taken. However, this is not always possible, because FSA regulations and your own internal quality-assurance requirements may oblige you to record calls.
Using the Semafone solution means that the sensitive information the PCI DSS prohibits from being stored on recordings is masked. The PCI Standards Council has approved this method of keeping customer data safe, and has recently accredited Semafone. The solution has the added benefit of masking the information from agents, reducing the risk of fraud within your call centre.
The FSA requires that I record all of my calls – am I still FSA compliant if I use Semafone?
Absolutely. FSA regulations exist to ensure that customers are treated fairly – and the entire conversation can be heard on call recordings using Semafone, with only that sensitive authentication data being masked. In fact, because there is no need to pause the call recording when the sensitive data is given by the customer, the FSA has an unbroken record of the transaction with that customer.
Why not just pause the call recording device whilst taking the payment?
Given that sensitive authentication data must not be stored after authorisation, many call centres have investigated pausing the call recording for the period of the call in which the caller reads out their card information. This approach has two serious flaws: it destroys audit integrity, and it fails to shield the data from the agent.
Audit integrity matters not only for producing evidence admissible in a court of law but, more importantly, because partial call recordings are not acceptable for regulatory compliance (e.g. from the SEC, FED or FSA). Call recordings also become less useful for training and coaching. Furthermore, failure to shield credit and debit card credentials from the agent brings with it a further series of required controls in the physical call centre environment (see FAQ If we implement Semafone, can we do away with our ‘clean room’ environment?).
Giving the agent a pause and restart control is generally considered unacceptable, as it lets the agent decide when and what to record. The agent can also easily forget either to pause the recording for the payment or to restart it after the payment. Integration with the agent application is therefore required.
Integrating the recording controls with the agent application is complex and often unreliable, because of the number of intermediary systems that must communicate to effect the pause and restart. It generally requires desktop integration with the ACD via the CTI component that communicates with the call recording platform, with all the attendant vendor and version integration issues that are commonplace in a call centre's technical infrastructure. The experience of our clients who have investigated this option is that it is both complex and time-consuming and does not deliver a comprehensive and future-proof solution.
If we implement Semafone, can we do away with our ‘clean room’ environment?
A ‘clean room’ environment is required where call centre agents have access to credit card credentials. In this environment agents cannot have access to email or web-based applications. Personal belongings are not allowed at desks including mobile phones and other personal communication devices. Where paper and pencils are allowed at desks, this has to be on a numbered page basis and all pages have to be collected after every shift. This creates a draconian environment in which it is difficult to motivate staff and maintain high morale.
Semafone negates the requirement for a ‘clean room’ by shielding all credit card sensitive details from the agent and the CRM application screen. Semafone passes the credit card details directly to the CRM application or the payment gateway without the agent ever hearing or seeing the credit card details.
Will my customers object to keying their credit card credentials into their phone?
Our clients’ experience has been just the opposite. Customers have expressed their appreciation of handling their card credentials in a more secure manner, and our clients have reported improved customer satisfaction since implementing Semafone.
Why not just encrypt call recordings to become PCI compliant?
Although the credit or debit card Primary Account Number (PAN) may be stored in encrypted form, the CVC must not be stored in any form after authorisation (see FAQ Can we store the CVC/CVV on the call recording?). Encrypting the call recording also creates a host of management issues downstream of the recording: encryption and decryption keys have to be distributed to the appropriate personnel, and policies have to be defined under which a call recording may be decrypted (e.g. training, quality control, process optimisation, customer complaints).
Where call recordings are required by external bodies (e.g. regulators), the credit card credentials have to be “white-noised” before the recordings can be shared. This manual process has to be managed very carefully because of the risk of disclosing card details externally.
What happens if the customer mis-keys information while entering the credit card credentials?
The agent, who remains in voice contact with the customer throughout the call, can reset the PAN or CVC field at any time and invite the customer to re-key the information.
Does Semafone validate the credit or debit card number?
Yes. Semafone performs a Luhn algorithm check on the validity of the credit or debit card number. This can avoid the delay of a failed authorisation on an invalid card number. Semafone notifies the agent that an invalid card number has been entered and the agent can invite the customer to re-key their card number.
How does Semafone know what length of card number and CVC/CVV to expect?
From the first six digits of the card number (the issuer identification number) Semafone is able to derive the expected length of the card number, so the technology knows when the card’s last digit has been keyed. Semafone also detects the card type in order to determine the length of the CVC/CVV (four digits on American Express cards and three digits on the other major card brands).
Will the agent be able to interpret the DTMF tones to derive the card number and/or the CVC/CVV?
Semafone masks the DTMF tones from the agent. All the agent hears is a flat tone, irrespective of the digit being keyed. In this way the agent knows that the customer is keying in their card details but is unable to interpret any digit. Additionally, Semafone provides a visual aid that can be incorporated into your CRM application, showing the credit card number and CVC/CVV fields being filled with asterisks, so that the agent knows where the customer is in the input process.
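The three answers above (Luhn validation, deriving the expected PAN and CVC length from the leading digits, and showing the agent only asterisks) can be modelled together. The following is an added illustration written for this page, not Semafone’s own code: `luhn_valid` is the standard mod-10 check; `card_profile` resolves the brand and expected lengths from a deliberately simplified issuer table (an assumption for the example; a real deployment uses a full BIN/IIN table, which is also what resolves variable-length brands such as 13- and 19-digit Visa PANs, fixed here to 16); and `SecureCapture` is a hypothetical state machine that keeps the keyed digits to itself, returns a flat tone for every key press, exposes only an asterisk view to the agent, and releases the clear PAN and CVC only to the gateway once both are complete.

```python
# Added illustration (not Semafone's code): Luhn validation, card-type and
# length detection from the leading digits, and a masked DTMF capture that
# shows the agent only asterisks. ISSUER_RANGES is a simplified assumption.
from dataclasses import dataclass
from typing import Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check: double every second digit from the right."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardProfile:
    brand: str
    pan_length: int  # assumed single length per range (see lead-in)
    cvc_length: int  # 4 for American Express, 3 for the other brands listed


# (brand, lowest prefix, highest prefix, prefix digits, PAN length, CVC length)
ISSUER_RANGES = [
    ("amex", 34, 34, 2, 15, 4),
    ("amex", 37, 37, 2, 15, 4),
    ("visa", 4, 4, 1, 16, 3),
    ("mastercard", 51, 55, 2, 16, 3),
    ("mastercard", 2221, 2720, 4, 16, 3),
    ("discover", 6011, 6011, 4, 16, 3),
    ("diners", 36, 36, 2, 14, 3),
    ("jcb", 3528, 3589, 4, 16, 3),
]


def card_profile(leading_digits: str) -> Optional[CardProfile]:
    """Resolve brand and expected lengths from the digits keyed so far."""
    for brand, low, high, n, pan_len, cvc_len in ISSUER_RANGES:
        if len(leading_digits) >= n and low <= int(leading_digits[:n]) <= high:
            return CardProfile(brand, pan_len, cvc_len)
    return None


class SecureCapture:
    """Hypothetical SecureMode model: digits stay inside this object; the agent
    gets a flat tone per key press and an asterisk-only view of progress."""

    MAX_PAN = 19  # longest PAN permitted by ISO/IEC 7812

    def __init__(self) -> None:
        self.reset_field("pan")

    def reset_field(self, name: str) -> None:
        """Agent-triggered reset after a customer mis-key; agent sees no digits."""
        if name == "pan":
            self.pan, self.cvc, self.profile = "", "", None
            self.stage = "pan"  # pan -> cvc -> done
        else:
            self.cvc, self.stage = "", "cvc"
        self.error = None

    def press(self, key: str) -> str:
        """Consume one DTMF key and return what the agent hears."""
        if len(key) == 1 and key.isdigit() and self.error is None:
            if self.stage == "pan":
                self._pan_digit(key)
            elif self.stage == "cvc":
                self._cvc_digit(key)
        return "flat tone"  # identical for every key, so no digit can be inferred

    def _pan_digit(self, key: str) -> None:
        self.pan += key
        if self.profile is None:
            self.profile = card_profile(self.pan)
        if self.profile and len(self.pan) == self.profile.pan_length:
            if luhn_valid(self.pan):
                self.stage = "cvc"  # last PAN digit keyed; now expect the CVC
            else:
                self.error = "card number failed Luhn check; ask customer to re-key"
        elif self.profile is None and len(self.pan) >= self.MAX_PAN:
            self.error = "card type not recognised"

    def _cvc_digit(self, key: str) -> None:
        self.cvc += key
        if len(self.cvc) == self.profile.cvc_length:
            self.stage = "done"

    def agent_view(self) -> dict:
        """What the CRM screen (and therefore any screen recording) may show."""
        return {"pan": "*" * len(self.pan), "cvc": "*" * len(self.cvc),
                "stage": self.stage, "error": self.error}

    def to_gateway(self) -> Optional[Tuple[str, str]]:
        """Clear digits are released only to the payment gateway, never to the agent."""
        return (self.pan, self.cvc) if self.stage == "done" else None
```

The PANs used to exercise this (4111111111111111, 5555555555554444, 378282246310005) are the widely published brand test numbers, not real cards. Note that `press` returns the same string for every key; the audio-path masking Semafone performs on the line is outside the scope of this model, which covers only the logical side of SecureMode.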
What will be recorded on the call recording?
The call recording will capture all of the call. Where DTMF tones are used during the payment part of the call, the recording will register each digit of the card PAN and the CVC/CVV as a flat tone. Credit card credentials cannot be derived from these flat tones.
Can we use DTMF tones within an IVR prior to taking payment or after taking the payment?
DTMF tones pass through normally from the start of the call; only when the application moves to the payment step does Semafone enter its SecureMode and mask the tones. Once the CVC/CVV has been captured, Semafone returns to StandardMode and DTMF tones again work completely normally.
Will Semafone work with my call recording solution?
Yes. Semafone taps the telephone lines prior to any call recording device and therefore has no impact on the call recording solution other than the fact that DTMF tones are masked during the taking of payments.
Will Semafone work with my hosted call recording solution?
Semafone will need to tap your phone lines prior to your hosted call recording solution. Semafone will then operate in the same manner as a non-hosted solution.
Will Semafone work with my Automatic Call Distributor (ACD)?
Yes. Semafone taps lines prior to your Automatic Call Distributor (ACD) and has no impact on its operation.
Can I use Semafone to capture bank account and sort code details for direct debits?
Yes. Although not required for PCI DSS compliance, both bank account numbers and sort code details can be protected by Semafone. Stolen bank account details can fetch a higher price than card details on the criminal market and so deserve equal protection. Semafone can be used to collect any numeric data in this manner.
Do I need to capture valid from and expiry dates using Semafone?
From a PCI DSS compliance viewpoint it is not necessary to use Semafone to capture credit card related dates. Should you wish to secure this information with Semafone, it is easy to do so.
Will it impact our Average Handling Time (AHT)?
Semafone has been designed to optimise average handling time. Although it is unlikely to reduce AHT, most clients have seen either no impact on AHT or an increase of less than ten seconds in the time taken to complete the payment. As customers become more familiar with secure keypad entry in the marketplace, we expect AHT to fall.
What happens if my customer is disabled and not able to use the telephone keypad?
Our clients have designed alternate approaches for capturing card details in this very small proportion of calls. QSAs have signed off these processes without any issues.
How does Semafone solve the PCI DSS issues from screen recording?
Semafone passes credit and debit card credentials directly into your CRM or payment gateway. In doing so it keeps these fields off the screen, either by removing them from the screen application altogether or by masking them with asterisks. Screen-recording solutions are therefore never exposed to any credit or debit card details and so do not capture cardholder data.
How can Semafone facilitate call centre homeworking?
By eliminating all credit and debit card details from the call centre/agent environment, so that no details are heard or seen, it becomes possible to consider home working for agents who take payments. This can be a very cost-effective option, especially for handling peak call volumes.
Will credit card details leave the host country shores when using overseas call centres?
No. All credit card security sensitive information can remain in the country of origin and not be exposed overseas. Overseas call centres can take payments without ever being exposed to the credit card details and therefore are not at risk from any credit card security breaches.
Can we store the CVC/CVV on the call recording?
The PCI DSS states that the CVC/CVV must not be stored after authorisation. In December 2008 the PCI Council issued a directive relating to CVC/CVV on call recordings. Within this directive it states: “To clarify, these call centres and all cardholder data are IN SCOPE for PCI DSS”.
On any call recordings it is possible, with commercially available software, to detect which call recordings contain payments and at what exact time within the call the card PAN and CVC/CVV are communicated. With standard speech recognition software it is then possible to extract this information from the call recording. Alternatively, having identified on which calls and at what time within each call payment details are shared, this information could easily be manually transcribed. Therefore any organisation capturing the CVC/CVV on their call recordings, even when encrypting these, is still exposing itself to a potential security breach.
How can I integrate Semafone into my Customer Relationship Management (CRM) solution?
Semafone provides a number of standards-based interfaces (HTTPS, XML and SQL) for ease of integration. Services include visualisation of the payment process, including the number of digits a customer has entered while keying their PAN and CVC/CVV. Agent guidance scripts can also be embedded into your CRM system for different scenarios, such as resetting a field should the customer have made a data entry error.
How can I integrate Semafone with my payment gateway?
Semafone can integrate with your payment gateway by integrating with your CRM system and using its current gateway integration, or by integrating directly into your payment gateway. Semafone has already been integrated into a number of the leading industry payment gateways.
As an outsourced call centre, I cannot modify the CRM. How can I integrate with Semafone?
Semafone provides a middleware solution that passes the PAN and CVC directly into the PAN and CVC fields within your client’s CRM application. These fields are masked so that the agent is not exposed to this security sensitive data. The solution works for browser-based applications, Windows applications and green screen applications. Furthermore, Semafone’s middleware solution will operate successfully in a Citrix environment.
How can I pilot Semafone without initially integrating into my CRM?
Semafone provides a web-based application that shares all credit card credentials with the agent. The agent can then ‘cut and paste’ these details into their standard CRM. Whilst this approach can be PCI DSS compliant, it does expose the agent to the security-sensitive data, and therefore a clean room environment would still be required (see FAQ If we implement Semafone, can we do away with our ‘clean room’ environment?). The Semafone web-based application gives clients an excellent opportunity to pilot the Semafone solution and gather customer feedback on their experience without first having to build the integration with their CRM.
How can our agents know that customers are keying their credit card details?
Agents hear a flat tone for each DTMF tone entered on the customer’s telephone keypad. Semafone also provides a visualisation of the customer’s data entry displaying an asterisk for each digit pressed by the customer.