How do retailers tackle the PCI Compliance challenge?

Any retailer that takes payments over the phone will be familiar with the challenge of keeping call centres compliant with Payment Card Industry (PCI) regulations, not to mention the financial and reputational cost of a breach that compromises customer card details.

Protecting customer data must be an absolute priority for retailers of any size. However, PCI Compliance is a frequently misunderstood topic, and a lot needs to be done to make the available solutions clearer to retailers.

Navigating complexity

Smaller retailers often complain that PCI Compliance requirements are too confusing and lack relevance to a business of their size. This is compounded by the fact that larger retailers, such as Level 1 or 2 merchants that process many millions of card transactions a year, are subject to the highest level of regulatory compliance.

Yet most independent retailers – such as Level 4 merchants that process 20,000 ecommerce card payments or 1 million Visa or MasterCard transactions annually – are not subject to the same level of stringency. For these retailers, compliance is simply a self-assessment form.

The danger here is that a retailer will not carry out proper due diligence when completing the form, and will perhaps ‘self-certify’ the business as compliant when this isn’t in fact the case. If the retailer then suffers a data breach, the form will be used as the basis for a punitive fine.

To tackle this risk, smaller retailers must invest in technology solutions that take the burden of compliance away from them and satisfy such regulatory requirements automatically.

What solutions are available to retailers?

If you accept card payments over the phone, for example, the main dilemma arises if you record calls in your contact centre. The Payment Card Industry Data Security Standard (PCI DSS) prohibits the recording of any sensitive card numbers, so how to take card payments over the phone while recording the call, without being in breach of the PCI DSS, is a key consideration.

One common ‘quick fix’ has been the “pause and resume” method. The call recorder is paused just before the customer reads out the numbers and resumes recording when they have finished. But this approach depends on the pause being triggered at exactly the right moment, so it is unreliable: it leaves the recording incomplete, and because the card details still pass through the agent and the contact centre’s systems, everything remains ‘in scope’ for PCI compliance. Customer service agents, their computers, their desktops and the entire infrastructure of the contact centre must all be scrutinised regularly to ensure compliance with the regulations.

Another option, Interactive Voice Response (IVR), is effective in solving the PCI DSS problem but does not necessarily provide the best customer experience. Customers often find dealing with a machine frustrating, and can lose patience when a problem arises. For this reason, IVR usually has a high dropout rate and can increase negative customer sentiment towards a retail brand.

DTMF masking – the best tech to solve the problem

One of the most powerful solutions available to retailers is DTMF (Dual Tone Multi Frequency) masking technology. Whenever a customer decides to pay by card, the technology activates: the customer enters the card details on the telephone keypad, and the sound of the keypad tones is concealed from the agent and from the call recording.

There is no need to worry about the compliance status of contact centre agents because they cannot see or hear the numbers, leaving them free to help the customer while they pay. There’s also no need to secure sensitive card data within the retailer’s own telephony infrastructure because all card details are sent directly to the payment system.
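To illustrate the mechanism described above, here is an added Python sketch of what a DTMF-masking layer does on the audio path; it is not code from the original article or from any vendor product. It detects keypad tones frame by frame with the Goertzel algorithm, silences those frames (plus a guard frame on each side) before the audio reaches the recorder, and hands the keyed digits to the payment side. The sample rate, frame size, detection threshold and the constructed call audio are all assumptions.

```python
import math
SAMPLE_RATE = 8000                     # narrowband telephony sample rate (assumed)
LOW_GROUP = [697, 770, 852, 941]       # DTMF row frequencies (Hz)
HIGH_GROUP = [1209, 1336, 1477, 1633]  # DTMF column frequencies (Hz)
KEYPAD = "123A456B789C*0#D"            # keypad in row-major order
FRAME = 205                            # analysis frame (~25 ms at 8 kHz)
THRESHOLD = 0.01                       # normalised power needed to accept a tone

def tone(freqs, n, amp=0.5):  # constructed test audio: sum of sines, n samples
    return [sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n)]

def goertzel_power(frame, freq):
    """Power in one frequency bin (Goertzel algorithm), normalised by frame length."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def detect_key(frame):
    """Keypad character if the frame holds a valid row+column tone pair, else None."""
    power = {f: goertzel_power(frame, f) for f in LOW_GROUP + HIGH_GROUP}
    lo, hi = max(LOW_GROUP, key=power.get), max(HIGH_GROUP, key=power.get)
    if min(power[lo], power[hi]) < THRESHOLD:
        return None
    return KEYPAD[LOW_GROUP.index(lo) * 4 + HIGH_GROUP.index(hi)]

def mask_dtmf(samples):
    """Return (masked_audio, digits): DTMF frames silenced, keyed digits captured."""
    n_frames = math.ceil(len(samples) / FRAME)
    keys = [detect_key(samples[i * FRAME:(i + 1) * FRAME]) for i in range(n_frames)]
    digits = [k for i, k in enumerate(keys) if k and (i == 0 or k != keys[i - 1])]
    masked = list(samples)
    for i in [i for i, k in enumerate(keys) if k]:
        # Guard band: silence neighbours too, so a tone straddling a frame edge cannot leak.
        for j in range(max(0, i - 1), min(n_frames, i + 2)):
            for s in range(j * FRAME, min(len(masked), (j + 1) * FRAME)):
                masked[s] = 0.0
    return masked, "".join(digits)

def build_call_audio():
    """Constructed call: a 440 Hz tone stands in for speech, then the caller keys 1234#."""
    audio = tone([440], 1600)
    for key in "1234#":
        i = KEYPAD.index(key)                      # 100 ms press, then a 50 ms pause
        audio += tone([LOW_GROUP[i // 4], HIGH_GROUP[i % 4]], 800) + [0.0] * 400
    return audio
```

Running `mask_dtmf(build_call_audio())` returns audio in which the speech portion is untouched and every keypad tone is silenced, together with the digits "1234#" for the payment system; running `mask_dtmf` again on the masked audio finds no digits at all.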

Consequently, DTMF technology could be just the solution retailers need to tackle the challenge of PCI DSS compliance without risking customer dissatisfaction, and the severe penalties for a data breach.