If your business accepts credit cards as a form of payment for goods and services over the telephone, whether collected by live agents or by an automated IVR, you MUST be PCI Compliant.
The way businesses take payments with credit cards is undergoing significant and continuous change as a result of the Payment Card Industry (PCI) security requirements and the efforts of the PCI Security Standards Council to secure cardholder information. Practices that used to be accepted are being replaced with much more restrictive measures to ensure that cardholder information is protected. This industry transformation is impacting how businesses take and process payments over the telephone.
When your customer calls you to pay for products and services over the telephone, you are responsible for securing your customer’s credit card information while you are collecting and transmitting this highly sensitive information. You must ensure that all credit card collection and transmission points, your staff, telephone systems, software solutions, network segments and data storage solutions comply with the PCI security standards; this includes any wired, wireless, private and public networks. Security starts at the point where payment card information is collected, whether it is given to an employee of your business over the telephone, given to a live contact center agent over the telephone, or entered into an Interactive Voice Response (IVR) system.
When you have live agents interacting with your customers, the people, systems and processes that accept and process payment cards must comply with PCI standards. Any person or system that touches or stores credit card data, in text or voice, is subject to PCI. This includes PBX/VoIP phone systems, ACDs, IVRs, call recording solutions, PCs, servers, customer relationship management (CRM) software and customer tracking solutions.
At the top of your watch list:
- Ensure that all systems, including your PBX (VoIP), PCs, switching equipment, network servers, routers and CRM software, are fully PCI compliant.
- Ensure that all your employees who will handle credit card payments adhere to an information security policy which is PCI compliant.
- Ensure that transmission of cardholder data across your networks and on to public networks is encrypted.
- DO NOT store Sensitive Authentication Data (CVV / CVC code) after authorization.
- Try not to store credit card numbers. If you need to store them, make sure all stored credit card data (card number) is rendered unreadable (encrypted).
- Ensure you have an appropriate data retention policy in place and that it is followed. All disposal of stored card data should be done in a secure manner.
And the list goes on.
The cost of managing payment security is becoming a greater concern to organizations, as the measures to protect cardholder information and the Payment Card Industry security requirements are becoming stricter. To help manage the costs of payment security, organizations have two options: (a) managing payment security in-house by retrofitting their organization, or (b) outsourcing payment-related components to minimize their risk. Understanding the impact of a payment security approach on overall payment security management costs requires an analysis of infrastructure and technology costs, as well as the cost of personnel. Choosing the right approach is paramount.
One solution that can help organizations manage their costs of PCI Compliance effectively is implementing a secure IVR Payment solution by a PCI Compliant service provider. This approach takes the handling of sensitive credit card information away from live agents.
At Datatel, we help businesses solve this problem by delivering an IVR Payments solution on the cloud which removes the handling of all credit card information by sales, service delivery and customer service agents. Datatel’s CryptoIVR is the most robust, cost-effective and easy to deploy IVR Payment platform on the Cloud to process Credit Card and eCheque payments 24/7, in a PCI compliant environment.
Datatel has been providing IVR Payment Solutions on the Cloud to hundreds of businesses, healthcare providers, governments, and not-for-profit organizations for over 10 years.
Whether you are receiving payments for bills, fees, contributions, and more, Datatel has an IVR Payments Solution for your business. Implementation is quick and simple with industry-specific templates.
Before choosing any solution to address PCI compliance, we highly recommend contacting your merchant service provider, who will be able to guide you with resources and expert assistance to meet your specific PCI compliance requirements.