
Why you shouldn’t ignore PCI

The total value of card payments made in the UK is projected to reach £932 billion by 2027 with forecasts predicting 64.8 million card payments being made daily accounting for 58% of all payments – up from 42% in 2017. With this continued growth in the use of debit and credit cards by consumers, fraud continues to be a hugely topical issue.

In the first half of 2019, losses due to unauthorised financial fraud rose to £408.3 million. Of this, £237.4 million was from card-not-present (CNP) fraud, which is when a criminal uses stolen card details to buy something online, over the phone or via mail order. The card data behind this fraud is obtained through data theft such as third-party data breaches and phishing scams.

If you process payments using your customer’s card details, then you need to be aware of how you are handling that data to ensure that it is processed securely and can’t fall into the wrong hands. The payments industry standard for ensuring you are conducting transactions securely is PCI DSS. (Source)

What is PCI DSS?

PCI DSS is the worldwide Payment Card Industry Data Security Standard. It is not a law; it is a standard created by the major card brands, including Visa, Mastercard and AMEX, to ensure that all businesses which transact using customers’ card details have the systems and processes in place to process card payments securely and to prevent a data breach leading to card fraud.

The standard is enforced through the contracts between merchants and the acquiring banks which process their payments. Compliance is achieved by enforcing tight controls surrounding the storage, transmission and processing of cardholder data by businesses.

There are 4 levels of PCI compliance depending on how many card transactions you process each year. Each level brings with it a more rigorous set of requirements your business must adhere to in order to remain compliant, with level 1 being the most strict.

Why is PCI compliance important?

In short, if you accept debit or credit card payments from your customers, PCI DSS is something that you must do. PCI is not law, so it is not illegal for your business to be non-compliant, but if you lose card data (i.e. suffer a data breach) and you are not PCI DSS compliant, you could incur the following penalties:

  • Card Scheme fines for the loss
  • Liability for the fraud losses incurred against these cards along with the operational costs associated with replacing the accounts
  • Requirement from your acquiring bank to move up a level in compliance, making the adherence requirements which apply to your business more stringent
  • Withdrawal of your ability to accept card payments
  • Fines for the GDPR breach relating to the loss of cardholder data – up to €20 million or 4% of annual global turnover, whichever is greater (Source)
  • Loss of the customers affected

Being compliant with PCI DSS means that you are doing your very best to keep your customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. Not holding on to customer card data reduces the risk that your customers will be affected by fraud.

How can I become PCI compliant?

One of the biggest hurdles for PCI compliance is taking a payment over the phone. Telephone payments will often breach PCI security standards because the sensitive data is exposed to additional people, and potentially to systems, that aren’t PCI compliant. There are multiple methods and technologies to help mitigate the risk and work towards compliance. These include:

Stop taking payments via telephone, instead push customers towards other payment methods such as completing the transaction online.

Pros: Completely removes any risks associated with PCI DSS compliance.
Cons: Can result in a poor customer experience and fewer payments being taken. Online payment pages are also exposed to malicious attacks from fraudsters using “digital skimmers” to harvest card details.

“Pause and Resume” and “Automatic Pause and Resume” of call recording.

Pros: The call recording is paused when the sensitive card details are being spoken meaning they are not stored.
Cons: The agent receiving the card data is still able to access and manually record the details.

Outsource payments to a third-party PCI compliant payment specialist via an IVR on the phone system, or by live agent transfer when a payment is required.

Pros: Effective solution for PCI compliance
Cons: Can add significant costs to the contact centre operation and you also lose control of the customer experience once the handoff to the outsourced call centre has been made.

Automated IVR (Interactive Voice Response) / ChatBots can be used to identify and verify who someone is and then also take a payment and update a record.

Pros: Removal of all human risk factors along with the costs associated with paying a member of staff to process the payment.
Cons: Many customers can get frustrated due to dealing with a robot instead of a human agent and hang up on the process due to poor “self-service” experience.

DTMF (Dual-Tone Multi-Frequency) masking can be used to allow the customer to input their card details on the phone keypad, while the agent hears a flat tone so that it is impossible to tell which keys the customer is pressing.

Pros: No sensitive card data is exposed to the agent or call recorder. The agent can see the progress of the payment with a censored version appearing instead of the full sensitive data.
Cons: Can be costly to set up and maintain.
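To make the DTMF masking data flow concrete, here is an added example (not code from the original article or any vendor’s product) modelling one keypad capture: each keypress goes to a secure buffer, while the agent’s dashboard and the call recording only ever receive a masked token or a flat tone. The class and function names, and the test card number, are illustrative assumptions.

```python
from dataclasses import dataclass, field

DTMF_FLAT_TONE = "flat"  # what the agent and recorder get instead of a real key tone


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, run on the secure side before submission."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(pan) >= 12 and total % 10 == 0


@dataclass
class DtmfMaskingSession:
    """Hypothetical model of a masked DTMF capture during a live call."""
    pan_digits: list = field(default_factory=list)  # secure buffer, never shown
    agent_view: list = field(default_factory=list)  # masked progress on the dashboard
    recording: list = field(default_factory=list)   # what the call recorder captures

    def keypress(self, key: str) -> str:
        """Route one DTMF key: real digit to the secure buffer, masked output elsewhere."""
        if key not in "0123456789":
            raise ValueError("only numeric keys are accepted for a PAN")
        self.pan_digits.append(key)
        self.agent_view.append("*")          # agent sees progress, not the digit
        self.recording.append(DTMF_FLAT_TONE)  # recorder stores a flat tone only
        return "".join(self.agent_view)

    def submit(self) -> dict:
        """Validate and hand off the PAN; the secure buffer is cleared either way."""
        pan = "".join(self.pan_digits)
        self.pan_digits.clear()
        if not luhn_ok(pan):
            return {"status": "rejected", "agent_view": "".join(self.agent_view)}
        # Only the last four digits are retained for the receipt, which PCI DSS
        # permits to be displayed; the full PAN never reaches the agent channel.
        return {"status": "accepted", "receipt_last4": pan[-4:],
                "agent_view": "".join(self.agent_view)}


def run_demo() -> dict:
    """Constructed input: the well-known 4111 1111 1111 1111 test card number."""
    session = DtmfMaskingSession()
    for key in "4111111111111111":
        session.keypress(key)
    return session.submit()
```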

Utilise Link Pay + to ensure PCI DSS level 1 secure payments across all customer engagement channels by sending customers a secure link at the relevant stage of the sales process to complete the payment.

Pros: The payments process is completely separate from the call meaning the agent does not see any card details – not even censored versions – however they can see progress of the payment within the dashboard. Overall improved customer experience with faster and more convenient payments.
Cons: Customers may be wary of an online payment portal sent via a link. Some education may be required to help these customers understand how this is a more secure way of processing their payment.

Conclusion

While PCI compliance isn’t a legal requirement, any business which processes card payments from its customers would be foolish to ignore it. There are a number of options available to business owners to mitigate the risk associated with taking card payments over the phone, all of which have their pros and cons. You should weigh these up when choosing a PCI solution to implement, to ensure that you not only get a solution which suits your business but also one which provides a great customer experience.