Alternative PCI solutions

Any call centre involved in payment card processing must address the issue of PCI compliance in addition to the more familiar data protection obligations that they face as merchants or as outsourcers.

This means making sure that no sensitive payment information is recorded, even though auditable recordings are needed to fulfil other regulatory requirements. Operators in the past have addressed these issues using a number of solutions, which include IVR solutions, compliant call recording and encryption. However, these have failed to provide a comprehensive answer to the problem, as summarised below:

| Challenge | Potential solution | Comments | Resolved? |
|---|---|---|---|
| Sensitive data appearing on call recording | Pause/mask call recording during transaction | Technically challenging. It also fails to meet other compliance requirements, such as those imposed by the FSA. | No |
| | Delete sensitive data post-call | Analysis software used to find card data within a call can be used to extract the data for deletion. PCI has invalidated this approach. | No |
| | Encryption of the call recording | Requires extensive key management, creating other challenges. PCI does not recognise encryption as an adequate solution for sensitive authentication data storage. | No |
| | Secure voice transactions with Semafone | No information is recorded or stored anywhere on the call centre's system and the agent remains in voice contact with the customer. | Yes |

Semafone provides an easy-to-install, fully compliant solution that addresses all of the disadvantages of the other potential solutions: IVR, stop/start call recording, encryption and post-processing controls.

PCI compliant IVR solutions

Automated IVR payment solutions – whether using voice recognition or keypad entry – can help organisations comply with PCI DSS, as they allow payments to be taken in a secure way without the card details being recorded.

However, customers tend to dislike IVR systems and are likely to drop out at the first sign of any difficulty. Even a small drop-out rate at this stage in the process can be costly, as time and resources will have been invested in handling the call to that point. In the worst case, the customer hangs up and the sale is lost. In the best case the customer returns to a live agent and you still have the challenge of PCI DSS to contend with.

Automated IVR payment solutions might be applicable where a payment has to be made, e.g. for parking fines. Even then, you will still require an alternative payment mechanism for customers who elect to leave the IVR and request a live agent.

Many automated payment IVR solutions are not compliant in their own right, because they have logging capabilities. If DTMF tones can be logged, the IVR cannot be used to capture the CVC, even if those logs are encrypted. Semafone can be integrated with existing automated IVRs so that the PAN and CVC are captured in a PCI DSS compliant manner.
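As an added illustration of the DTMF logging problem (this is example code, not Semafone's or any IVR vendor's): a small audit script that reassembles a per-call keypress string from an IVR's DTMF event log and flags entries holding a Luhn-valid PAN and a following CVC. The log format, call IDs and card values are constructed for the example.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every PAN passes (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _events(call_id: str, keys: str, start: int) -> str:
    """Constructed helper: one 'seq call_id key' DTMF event line per keypress."""
    return "\n".join(f"{start + i} {call_id} {k}" for i, k in enumerate(keys))

# Constructed sample log: c42 keys a PAN, '#', then a CVC; c43 keys only a
# six-digit account reference, which is not cardholder data.
SAMPLE_LOG = "\n".join([
    _events("c42", "4111111111111111#123#", 1000),
    _events("c43", "482913#", 2000),
])

def keypresses_by_call(log_text: str) -> dict:
    """Reassemble each call's keypress string from the event lines."""
    calls = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # 'seq call_id key'; skip blank/malformed lines
            calls.setdefault(parts[1], []).append(parts[2])
    return {cid: "".join(keys) for cid, keys in calls.items()}

def find_card_data(keys: str):
    """Find a 13-19 digit Luhn-valid PAN and flag a 3-4 digit field right
    after it as a probable CVC. Fields are separated by '#' or '*'."""
    fields = [f for f in re.split(r"[#*]", keys) if f]
    for idx, field in enumerate(fields):
        if 13 <= len(field) <= 19 and field.isdigit() and luhn_ok(field):
            nxt = fields[idx + 1] if idx + 1 < len(fields) else ""
            return {"pan_masked": field[:6] + "*" * (len(field) - 10) + field[-4:],
                    "cvc_present": nxt.isdigit() and 3 <= len(nxt) <= 4}
    return None

def audit(log_text: str) -> dict:
    """Return {call_id: finding} for each call whose DTMF log holds a PAN."""
    calls = keypresses_by_call(log_text)
    return {cid: hit for cid, keys in calls.items() if (hit := find_card_data(keys))}
```

Any call the audit flags shows that the log itself holds cardholder data, and a `cvc_present` hit is sensitive authentication data that must not be stored at all, encrypted or not.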

Semafone ensures the agent remains in constant contact with the caller throughout the process and is available to support the caller in the event of any payment difficulties.

PCI compliant call recording solutions

Pausing the call recording at the precise moment that a payment is being taken over the phone – either through CTI integration or by giving the agent control of the recording – is often suggested as a way for call centres to comply with PCI DSS.

But this does not solve all the issues associated with PCI. Advisors still hear the sensitive data and remain a potential 'leakage' point for significant security breaches. To prevent such a breach, call centres need to spend time and resources creating a 'clean room' environment, where strict controls are placed on workers. This is on top of the investment required in the underlying call recording solution.

Most critically for any organisation that needs to keep a full audit trail of any interaction with customers, the lack of an unadulterated, end-to-end call recording is a major challenge. FSA regulated organisations in particular need to be attentive to keeping the call recording complete.

Semafone ensures the card details are never recorded in the first place, allowing the call recording to run uninterrupted and capture every part of the customer interaction.

Encryption of call recordings

Many organisations believe that encrypting their call recordings will manage the risks of storing sensitive card data. Indeed, encrypted storage of some data items is allowed – but the CVC security code should not be stored under any circumstances.

Encryption also still requires complex management of the authorisation keys that control playback access; if those procedures are breached, the encryption provides no benefit in the first place. There is also a risk that the call recording system itself could be compromised, and because customers are still reading their card details out to agents over the phone, the details can be stolen before they are ever encrypted.

Semafone addresses the risks still present in any solution relying on encryption of the call recording. It also delivers compliance without the need to upgrade or install the latest version of your call recording software.