Posted by: Mike Clarke
For many businesses, the ability to take card payments over the phone is essential. If this is something your business is looking into, you’ll soon discover that to do so you need to be “PCI compliant”. Data breaches are unfortunately commonplace and their consequences can put your entire company at risk. The goal of PCI compliance is to ensure that payment card data is protected at every stage of processing; ultimately it exists to protect your business and your customers from the risk of customers’ card details falling into the wrong hands.
Below I’ll provide an overview of what’s required to get your organisation PCI compliant, but before I do let’s run through some of the penalties for failing to be compliant, which show just how important compliance is.
- Failing to be PCI compliant can result in a recurring fine of $5,000 to $100,000 per month (approximately £4,000 to £80,000), levied by the card brands on your acquiring bank and normally passed on to you.
- Data breach penalties have no fixed value and range from a small figure up into the millions depending on the scale of the breach (they can be reduced if you can show how compliant your company was at the time).
- Court proceedings can also be filed against your company following a data breach, so in addition to penalties, you may face further costs from those impacted by the breach.
- Reputational damage from a breach should not be underestimated: the loss of trust in your brand and the loss of customers can make your business no longer viable.
No company is exempt from PCI compliance if it interacts with credit or debit cards in any form. In recent years we have seen large-scale penalties: Equifax settled claims arising from its 2017 breach for up to $425 million, and claimants were still able to file new claims until 2024. Equifax is an example of how civil court proceedings can lead to far larger damages than regulatory fines, since each affected individual can file a claim.
The PCI DSS checklist contains 12 high-level requirements, broken down into roughly 300 sub-requirements and testing procedures to check off before you are fully compliant. Being fully compliant at the time of a breach also puts you in the strongest position when penalties are assessed. You can access the latest version of the standard from the PCI Security Standards Council.
Quick wins if you are not currently compliant
Implementing a complete solution and working through a 300-item to-do list is a daunting challenge for any business, but it is essential if you wish to take card payments as part of your operations. The good news is that quick improvements to how you take payments over the phone don't always require new technology and can often be implemented with minimal disruption:
- Never read a customer's card details back to them; if you need to verify any information, ask the caller to repeat it.
- If your existing telephony platform supports it, pause the call recording while taking card payments so that you are not keeping an audio recording of customers' payment card details. Test that the pause actually takes effect: a recording that silently continues defeats the purpose.
- Operate a clean desk policy and don't allow paper, mobile devices and the like in the environment where card details are processed.
- Reduce the number of people processing payments; fewer people handling card data means fewer opportunities for a breach.
- Introduce a data retention policy and ensure card details are securely deleted as soon as they are no longer required.
- Protect card data in transit and at rest: encrypt it whenever it is transmitted over a public network and render the full card number unreadable wherever it is stored. Never store the card security code (CVV/CVC) after authorisation, even in encrypted form; PCI DSS does not permit it.
Technology that can help
Firewalls and access rights
First and foremost, if you intend to connect any devices to the Internet, regardless of the purpose, firewalls to secure your network are a primary concern. GDPR and PCI DSS are both clear that it is not just how you take and process information that matters: you must keep it secure throughout the process.
A properly configured firewall lets your colleagues reach the sites they need while giving those outside your organisation no route into your internal network. This is both common sense and a mandatory requirement at the most basic level of compliance (PCI DSS Requirement 1). Access rights should be restrictive, and the most straightforward rule is that if someone doesn't require access to a resource, don't give it to them (Requirement 7 says the same: restrict access to cardholder data by business need to know).
By reducing the number of people with access to sensitive data, you reduce the number of accounts an attacker can abuse. If a breach does occur, a smaller set of access paths makes it easier to identify and fix the flaw and to limit the damage done.
Virtual terminals
There are many ways of processing payments, and virtual terminals are among the most secure options for card-not-present transactions. A virtual terminal is a web application hosted by your payment provider that links your call handler directly to the bank processing the transaction without the need for a physical card. Crucially, the card details are entered into the provider's system rather than yours, so you never need to store a customer's payment information on your network (the workstation used to enter the details does remain in scope for PCI DSS, however).
It is worth noting that card-not-present transactions carry a higher risk of fraud, and the liability for the resulting chargebacks usually sits with the merchant: the issuing bank can reverse the charge even after you have delivered the goods or service. This risk cannot be removed entirely, but a clear customer identification and verification process will help to reduce it.
DTMF and DTMF Suppression
We have all heard the tones when pressing numbers on a phone keypad. These tones are simply a means of transmitting data as sound: each key produces a distinct pair of tones, one low frequency chosen by the key's row and one high frequency chosen by its column, so the digits 0 to 9, * and # can all be told apart. The technical term for this is Dual-Tone Multi-Frequency signalling (DTMF), and it is how a telephone transmits what was pressed on the keypad; the person on the other end hears only beeps, not the digits themselves.
Nowadays DTMF is often used when processing card payments as an alternative to having the cardholder read out their card details. The customer enters the card number on the keypad and the digits go directly to the payment provider's system, bypassing the call handler.
In a scenario where you operate a line with the sole intention of receiving fixed payment amounts, you could also utilize DTMF to allow the customer to identify themselves by a reference number, confirm the payment amount and process the payment without interacting with a human at all. An additional benefit of this method is that the customer doesn't have to wait in a queue since the telephony platform can simultaneously process multiple requests.
When processing sales where the amount can vary, you could have the call proceed as usual and then use DTMF just for taking the payment. Once done, the system reconnects the customer to your advisor to conclude the call and provide any additional support needed.
DTMF processing can operate in two ways. It can either use a third-party solution to blend a live call with the DTMF processing system via a call conferencing facility, or it can be implemented as part of your call centre telephony solution. Each method has its benefits and can be used to reduce your risk effectively.
However, the catch is that the tones themselves are audible and carry the data: anyone who obtains a recording of the call can use some simple software to decode them and recover the underlying card number or other data. DTMF suppression is a technology that masks the tones before they reach the call handler or the recording, either removing them entirely or replacing each key press with a single flat tone so that all key presses sound the same. This is masking rather than encryption, but the effect is what matters: anyone with a recording of the call cannot recover the card details transmitted in this way.
Not all systems can provide DTMF suppression, but with those that do, the card details are stripped out of the audio before it enters your environment. Even if your systems are compromised and someone gains access to your live calls or recordings, your customers' card details are still protected and your organisation avoids a serious breach. The caveat is that the suppression must sit in the call path ahead of your own telephony and recording platform; suppressing tones only in the stored recording still leaves the live audio exposed.
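To make the decoding risk and the suppression concrete, here is an added example in plain Python with no third-party packages. It is not code from the original post and not any vendor's product: it renders a constructed, non-real test card number as DTMF audio at the standard 8 kHz telephony rate, decodes the digits back out with the Goertzel algorithm (which is all "some simple software" amounts to), and then applies a suppression pass that replaces each key press with a flat 400 Hz tone before running the decoder again. The sample rate, frame size, detection threshold and mask frequency are my own choices for the illustration.

```python
"""DTMF encode / decode / suppress demo (pure Python, no third-party packages)."""
import math

SAMPLE_RATE = 8000                     # narrowband telephony rate, Hz
LOW_FREQS = (697, 770, 852, 941)       # keypad row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)  # keypad column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME = 205                            # samples per analysis frame (~25.6 ms), chosen for this demo


def encode_dtmf(keys, tone_ms=80, gap_ms=60, amplitude=0.5):
    """Render keypad presses as PCM samples: each key is one row tone plus one column tone."""
    samples = []
    n_tone = SAMPLE_RATE * tone_ms // 1000
    n_gap = SAMPLE_RATE * gap_ms // 1000
    for key in keys:
        row = next(r for r, line in enumerate(KEYPAD) if key in line)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(key)]
        for i in range(n_tone):
            t = i / SAMPLE_RATE
            samples.append(amplitude * (math.sin(2 * math.pi * f_low * t)
                                        + math.sin(2 * math.pi * f_high * t)))
        samples.extend([0.0] * n_gap)  # silence between key presses
    return samples


def goertzel_power(frame, freq):
    """Squared magnitude of one frequency bin (Goertzel: a cheap single-bin DFT)."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, threshold=0.12):
    """Return the key whose two tones dominate this frame, or None."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None                    # silence
    low = max(LOW_FREQS, key=lambda f: goertzel_power(frame, f))
    high = max(HIGH_FREQS, key=lambda f: goertzel_power(frame, f))
    # With this normalisation a pure tone carrying all of the frame's energy scores ~0.5,
    # so each of the two components of a clean key press scores ~0.25 (less for
    # frequencies that fall between bins); a flat mask tone scores close to 0.
    norm = energy * len(frame)
    if (goertzel_power(frame, low) / norm < threshold
            or goertzel_power(frame, high) / norm < threshold):
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def frames(samples):
    """Split audio into consecutive, non-overlapping analysis frames."""
    return [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]


def decode_dtmf(samples):
    """What an attacker with a call recording gets back: the keys pressed, in order."""
    keys, last = [], None
    for frame in frames(samples):
        key = detect_key(frame)
        if key is not None and key != last:
            keys.append(key)
        last = key                     # a silent/undetected frame separates repeated keys
    return "".join(keys)


def suppress_dtmf(samples, mask_freq=400.0, amplitude=0.5):
    """Replace every frame carrying a key press (plus one guard frame either side) with a
    flat single tone, the way DTMF-suppression products mask the audio before it reaches
    the agent or the recorder. The agent still hears that something was pressed."""
    hits = [detect_key(f) is not None for f in frames(samples)]
    out = list(samples)
    for i, hit in enumerate(hits):
        if not (hit or (i > 0 and hits[i - 1]) or (i + 1 < len(hits) and hits[i + 1])):
            continue
        for j in range(i * FRAME, (i + 1) * FRAME):
            out[j] = amplitude * math.sin(2 * math.pi * mask_freq * j / SAMPLE_RATE)
    return out


if __name__ == "__main__":
    pan = "4111111111111111"           # constructed test number for the demo, not a real card
    recording = encode_dtmf(pan + "#")
    print("decoded from raw recording:", decode_dtmf(recording))
    print("decoded after suppression:", repr(decode_dtmf(suppress_dtmf(recording))))
```

The decoder is deliberately naive (fixed frames, no twist or timing checks), and it still recovers every digit from the raw recording, which is the point: the card number is in the audio in the clear. After `suppress_dtmf` the same decoder returns nothing, and nothing a smarter decoder could do would help, because the tones are no longer present in the audio at all.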
Processing payments over the phone is unlikely to go away any time soon. Even as technology evolves, many customers still prefer to hear a friendly voice on the other end of the line, so effective solutions that give card details the maximum protection are essential. If customers feel more secure they are more likely to commit to a purchase and, in turn, to recommend you to others even if they don't proceed themselves.
By implementing a secure payment process, you protect your customers and your business and, in turn, build trust in your brand.