10 steps to multi-channel payment security in contact centers

Contact center management, PCI DSS

10 steps to multi-channel payment security in contact centers

The Payment Card Industry Security Standards Council’s 2018 guidelines entitled ‘Protecting Telephone-based Payment Card Data’ shifted the emphasis from their 2011 advice to securing spoken card data (as opposed to securing recorded payment card data).

But now contact centers are embracing a multitude of newer digital channels in addition to voice, what are the best options for ensuring payments are always taken in a secure and PCI DSS compliant manner across all your customer engagement channels, both voice and digital?

  1. Mitigating controls for contact centers

Pause & Resume (stop/start call recordings), network segmentation and ‘clean rooming’ call center agents are all tried and tested ways of reducing the cardholder data environment (CDE) and taking the call recorder and call recordings storage out of PCI scope.  You then apply the applicable PCI Requirements and Controls to a smaller CDE.

But whilst these may still be acceptable as partial risk-reduction methods, QSAs and industry experts now generally regard them as out of date, as expressed in the PCI SSC guidelines which favour giving ‘consideration .. to techniques that minimize exposure of PAN and SAD to the telephone environment ..with the object of significantly reducing the CDE or eliminating the CDE altogether(author’s emphasis).

  1. DTMF masking/ DTMF suppression (agent assisted)

Letting your consumers enter their card numbers on the keypad of their own phone in the middle of an (uninterrupted) call with your agent is now the much better- accepted standard for keeping the card data out of your contact centers, de-scoping them from the PCI DSS requirements by eliminating the CDE altogether.

The dual tone multi frequency tones are suppressed, so as not to be fully audible or visible in your contact center, which means that call recordings can be full length and allowing homeworkers and BPOs to take payments in a fully-compliant manner too, using the same merchant account.  The card data is encrypted and sent to your payment services provider (PSP) via the DTMF masking service provider such as CardEasy for authorisation, to ensure that the card data completely bypasses your contact center, agents and call recordings.

Experience shows that consumers trust this technology and that it also speeds up transactions and reduces mistakes.

  1. DTMF masking (customer self- service IVR)

Touchtone entry by the customer of their card numbers using your IVR system and the same DTMF masking technology allows you to take payment securely where no agent is required, or when you are closed for service, which makes it convenient for your customers to pay whenever they want.

This also allows for automated payments which would not otherwise be cost-efficient to process using a live agent, or indeed where no agent assistance is needed e.g. for utility bills, subscriptions and charity donations, thereby increasing revenue opportunities.

  1. Payment by automated speech recognition (ASR)

For customers with disabilities or for whom it is otherwise inconvenient to enter their payment card details using their phone keypad, taking payment via ASR keeps the caller on the line when they are invited to speak their card numbers out by the agent or IVR system.  Their speech is muted however whilst this is in progress, so that the agent and call recordings cannot pick up the card numbers. The spoken numbers are converted to text to allow for verification and transmission to the PSP for authorisation (via your DTMF masking service provider as above), to maintain PCI compliance.

  1. Secure card payment in e-mail communication

Contact center agents can generate single-use secure html payment links from which customers can open a secure payment page on their PC, laptop, tablet or smartphone to pay by card, for instance during an e-mail communication with a customer.

The agent can remain in communication with the customer through to transaction completion, so they can see and support the customer’s progress in real-time – from when they open the secure payment page to enter their card numbers (only visible to the agent as asterisks) through to completing the transaction.

Alternatively, ‘fire and forget’ e-mails can be sent either by the agent or for payment collection.

Payment links can be set to expire at a chosen time or duration or be left without a time limit, for instance when links are embedded in outbound campaigns.

As with the CardEasy voice channel solutions, when you are using using the CardEasy Digital e-mail payment service (and other digital channel options below), the complete payment card numbers are not visible to the  agent.  They are sent via the integrated CardEasy service to your payment services provider for authorisation, bypassing your contact contact center environment and thus de-scoping it from PCI DSS.

  1. Secure card payment during webchat or WhatsApp conversations

As with e-mail payments described above, any contact center channel via which you can send an html secure payment link can be used to enable the customer to pay by card in-channel using the secure payment page which is opened up when the customer clicks on the secure link.

  1. Secure card payment using chatbots & AI

Many organizations are now embracing artificial intelligence and chatbots to improve operational efficiency and further streamline customer service, although taking payments is often not catered for.  But chatbots can also send a secure html link from which the customer can open up a secure payment page, to improve customer service and experience by facilitating seamless payments within the same channel.

  1. Secure card payment using social media

Secure links can also be sent to customers via social media channels, ensuring the widest possible range of opportunities for seamless revenue-generation and transaction completion, via whichever communication channel your customers choose.

  1. Secure card payment using QR codes in digital communication channels

QR codes can also act as secure links and can be sent or displayed to customers instead of an html link, for instance during video chat or screenshare sessions.  The QR code can be scanned by the customer using their smartphone, which then opens up the secure payment page in the same way as an html link (you can try this here to see how it works)

  1. One-stop shop for secure payments in contact centers

Syntec’s  patented CardEasy service provides you with a full suite of seamless and secure in-channel card payment options, so you can avoid having to ask customers to pay by alternative means or via an alternative channel. There is therefore no disruption to the customer experience or transaction, whichever channel they choose, whilst providing maximum compliance and reassurance across your entire contact center operations.

Real-time reporting is available for transactions, including tracking of the CardEasy Digital secure payment links, with analytics to allow further data interrogation such as successful and abandoned payments, as well as those which are part-completed and might benefit from direct follow-up.

Customers can also be sent messages or reminders to pay, including a follow up to an e-commerce enquiry or incomplete shopping cart with an invitation to use the secure link to pay there and then, to increase conversion.

CardEasy is agnostic to which telephony or digital channel service provider(s), PSPs and back office CRM systems you use – so no need to change suppliers or change your existing infrastructure.

Syntec is the global CardEasy managed service provider and is a Coalfire-verified PCI DSS level 1 Visa Merchant Agent and participating member organization of the global Payment Card Industry Security Standards Council.

For more information on CardEasy or a free scoping session, please get in touch.