How to make IVR payments (and your call center) PCI DSS compliant


Let me start with an important distinction.

If you want to take payment over the phone via an automated IVR system, with no call center agents involved, then it is correct to talk about this as 'an IVR payment system'.

But if what you are looking for is compliant card payments between customers and call center agents, then it is almost certainly NOT an IVR payment system but, to use the correct generic term, a mid-call DTMF system.

Mid-call DTMF is not the same as IVR

Confusing these two can lead to problems, as was brought home to me recently by an enquiry from a major brand. To achieve PCI DSS compliance for agents taking payment over the phone from customers, they had implemented an IVR system in their call center, a decision they themselves now regard as a mistake. In effect, they had been mis-sold an 'IVR payments system', and it has since caused major problems because it radically changes the customer experience and breaks the conversation: in the middle of a live sales or service call, the agent has to hand the customer off to an automated IVR system to take the card payment.

Problems occur, for instance, if the customer has a problem with their card (say it has expired) or wants further information. The call has now entered 'customer self-service' mode, so the customer usually cannot get back to the same agent (or even to the call center), as the agent will probably have moved on to another call or the call center may now be busy. The result is a poor customer service experience, lost payments or sales, and increasing customer complaints.

Even one of our major Payment Gateway integration partners recently referred to our CardEasy keypad payment by phone PCI solution as 'an IVR payment system', but, as explained above, this is only really the correct term for it when it is used in customer self-service autopay mode.

Take secure payments without using IVR

The whole point about the CardEasy mid-call solution is that it allows for a normal conversation between the agent and customer, with no IVR involved at all and so no change to the customer experience, except that the agent prompts the customer to enter their PAN and CV2 card numbers mid-call using their telephone keypad (without passing the call to an IVR).

And interestingly, evidence indicates that customers not only embrace this willingly as a more trustworthy way of paying over the phone (compared with reading their card numbers out to a stranger), but that it can also reduce average handling time (AHT) and leads to fewer mis-keying errors, as it cuts out the step of the agent taking the card numbers verbally and then manually entering them into a system that interacts with the payment gateway.

Confusingly perhaps, both the IVR autopay and the mid-call with agent versions of CardEasy keypad payment by phone use the same DTMF technology (dual-tone multi-frequency, i.e. the keypad touchtones) to capture the card numbers (PAN & CV2). But importantly, whilst these touchtones translate into the card data that CardEasy conveys for the payment authorisation, they are not audible to the agent or to call/screen recordings, and this data no longer enters your contact center environment. This not only takes your contact center out of PCI DSS scope and reduces your annual audit, it also prevents this data from being stored or potentially misused.
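A simplified simulation of the mid-call DTMF capture flow described above, added here as an illustration. It is not CardEasy or Syntec code: the event format, the field names, the '#' terminator and the 'token plus last four digits' status line are all assumptions, and the call itself is a constructed sample.

```python
from dataclasses import dataclass, field

def luhn_valid(pan: str) -> bool:
    """Luhn check: catches a mis-keyed PAN before anything goes to the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return bool(pan) and total % 10 == 0

@dataclass
class MidCallCapture:
    """Simulated DTMF capture sitting between the customer leg and the agent/recording leg.
    While a field is pending, keyed digits are consumed here; the agent leg only
    receives a masked marker, so PAN and CV2 never enter the contact center."""
    pending: list = field(default_factory=lambda: ["pan", "cv2"])
    buffer: str = ""
    card: dict = field(default_factory=dict)        # held outside the contact center
    agent_leg: list = field(default_factory=list)   # everything agent and recording get

    def on_event(self, kind: str, payload: str) -> None:
        if kind != "dtmf" or not self.pending:      # speech, or no capture in progress
            self.agent_leg.append((kind, payload))
        elif payload.isdigit():                     # card digit: buffer it, mask it
            self.buffer += payload
            self.agent_leg.append(("dtmf", "*"))
        elif payload == "#":                        # end of the current field
            name = self.pending[0]
            if name == "pan" and not luhn_valid(self.buffer):
                self.agent_leg.append(("status", "PAN failed check, customer re-keys"))
            else:
                self.card[name] = self.buffer
                self.pending.pop(0)
                if not self.pending:                # agent gets a reference plus last 4 only
                    self.agent_leg.append(("status", "token " + self.card["pan"][-4:]))
            self.buffer = ""

def run_call(events: list) -> MidCallCapture:
    sim = MidCallCapture()
    for kind, payload in events:
        sim.on_event(kind, payload)
    return sim

# Constructed sample call; 4111111111111111 is a widely published test PAN.
CALL = [("speech", "agent: please key your card number, then hash")]
CALL += [("dtmf", d) for d in "4111111111111112#"]   # last digit mis-keyed
CALL += [("dtmf", d) for d in "4111111111111111#"]   # keyed again correctly
CALL += [("speech", "agent: now the 3-digit security code")]
CALL += [("dtmf", d) for d in "123#"]
CALL += [("speech", "agent: thanks, that has gone through")]
```

Running `run_call(CALL)` shows the point of the design: the agent leg carries the conversation, 35 masked digit markers and two status lines, while the full PAN and CV2 exist only on the capture side.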

How does this apply to your current IVR environment?

  • What proportion of your card payments are handled by IVR vs the call center? If usage is low, do you really need to continue to accept payments via IVR? Have you considered taking payments via the call center instead, using the agent mid-call CardEasy system, which is often considered more customer-friendly as it is driven by a person and not an automated service?
  • Sometimes customer self-service IVR is of course still best, for instance for customer convenience (they can pay whenever they want) or for cost-efficiency where no agent is required, e.g. for final balance payments, subscriptions and charity payments. So if you do want to continue to use IVR for this, have you considered using a hosted IVR solution such as CardEasy, which is PCI DSS level 1 v3.1 compliant and already integrated with the major payment service providers? Such hosted systems are quick to provision, as they work with your existing telephony and IT infrastructure on a 'cloud' model without any on-premise kit to purchase, so billing is a monthly managed-service fee rather than an upfront capital cost.
  • If you are using an on-premise IVR solution, have you considered integrating it with a solution such as CardEasy, which prevents your IVR from handling the sensitive payment card data (PAN & CV2) via the DTMF technology explained above? This keeps the data out of your environment (including your on-premise IVR), as it is handled by CardEasy in Syntec's PCI DSS compliant cloud environment.

As with all technology and industries, there are a lot of acronyms and jargon, which is fine for those in the know but can sometimes lead to confusion and potentially to the deployment of the wrong solution. Used well, IVR can help the customer find their way quickly and easily to the service or information they want, including making secure payments. But it can be a minefield and is best deployed with expert support from IVR and telephony specialists, and ideally, when it comes to PCI DSS compliance as well, a specialist such as Syntec who can combine expertise in both.