Outsourcers and homeworkers need to be PCI DSS compliant too


Organizations taking payment over the phone, both private and public sector, are now rapidly embracing the regulatory requirement to ensure that card payments over the phone are secure.

In the early days of tackling compliance, ‘clean rooming’ agents was a method used to ensure card numbers couldn’t be inadvertently stored or misused: agents were given no means of writing the numbers down, storing them or communicating them. But this can lead to a very sterile working environment (no pens, paper or mobile phones, for instance, and often with CCTV monitoring too), and it is also not practical to implement or oversee for homeworkers.

Another piecemeal method used was ‘pause and resume’ for call recordings. Whilst this might fix one part of the compliance jigsaw in contact centers, by avoiding capturing the card numbers in the recording, it still leaves the agent and the call center environment in scope of the regulations.

So the current industry buzzword is ‘descoping’, i.e. ensuring that the customer’s card data doesn’t enter the call center at all, by letting the customer use new keypad payment-by-phone technology (DTMF touchtones) to enter their own card numbers, either with the agent live on the phone or using a menu-driven IVR customer self-service system (or both options, to suit the circumstances).

Such DTMF payment systems are often hosted or ‘cloud based’ managed services (including Syntec’s CardEasy system), which means that, being web-based, they can be used by your home and remote workers just as easily as in your contact center. And this is very timely when it comes to outsourcers too.

As Jamie Liddell, Editor of Outsource, says: “Compliance is a hugely complex issue and businesses retain final legal responsibility for their customers’ data even if they have outsourced pretty much everything to do with its handling – but of course for outsourcers there is a huge reputational risk associated with bad practice.”

DTMF transmission of the card numbers via a hosted system integrated with the merchant’s own PSP is just as relevant for outsourcers as it is for the merchant, whether they are servicing the merchant’s outsourced calls or providing disaster recovery back-up. And since v3.0 of the PCI DSS standard now requires merchants to take responsibility for the security of their service providers too, this gives outsourcers an ideal way to reassure their own merchant customers that they can provide a fully PCI DSS compliant phone payment service ‘out of the box’, working seamlessly with the payment gateways and back-office CRM systems of their various merchant customers, provided they choose the right hosted systems provider.

At Syntec we’ve recently seen a surge of interest in such PCI solutions from outsourcers both in the UK and internationally, either because they are taking the proactive approach of adding competitive advantage to their own service offering, or because their merchant customers are pushing them into it as part of their PCI DSS compliance projects, with v3.0 of the regulations in mind and an annual PCI audit looming.

Either way, another part of the PCI DSS jigsaw is now falling into place, which can only be reassuring for end-consumers: our research continues to indicate that they remain very concerned when still asked to read their card details out over the phone, whoever is taking the payment and wherever it is being taken.