Case Study – Insurance

This client needed the ability to securely collect and store the credit card information that they received from their customers within their call centers, and then send this information along with the customer data to their designated Payment Gateway to complete the transaction. In this case, the client had a different merchant account for each of their call center sites; in total, 7 different gateway merchant accounts needed to be configured. The client also required the ability to select the merchant account on file with each API request that they sent.

Our first step was to determine the appropriate collection method for this client. Since the client wanted to securely collect the credit card data that they received through their call centers, we determined that our Interactive Voice Response (IVR) solution would best suit their needs. This was an apt solution because our IVR solution is easy to use while maintaining the customer experience. The HostedPCI IVR is a simple three-way call between the customer, the agent, and our IVR. While the customer enters their credit card information using the DTMF tones on their phone, the agent can guide them through it if they require assistance. To remove the agent from PCI scope, HostedPCI adds additional tones to the credit card DTMF string, resulting in a total of 20 to 24 digits, so the agent never hears or sees the card number itself. Since the IVR is directly integrated with our Payment Vault, the tokenized credit cards are stored securely and the client is then provided with a token which they can use multiple times with any third party.

The HostedPCI tokenization solution is extremely flexible: our clients can choose from a variety of digit combinations for the tokenization. Our client chose the combination of 1+11+4, which means that the first digit and the last four digits of the credit card number remain intact and the remaining eleven digits are tokenized. This turns the sensitive data into non-sensitive data, as the entire 16-digit number after tokenization does not resemble any real credit card number. Hence a token that is exposed in a breach does not disclose the card number.
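To make the 1+11+4 scheme concrete, here is an added illustration (not HostedPCI's code, and not a description of how their vault is built) of a toy in-memory vault that issues such tokens. It keeps the first digit and last four of a 16-digit card number, replaces the middle eleven digits with random ones, and additionally rejects any candidate token that would pass the Luhn checksum, so the token can never be mistaken for a valid card number. The `ToyVault` class, the `luhn_valid` helper and the sample card number are all constructed for this example.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn checksum (real PANs do)."""
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class ToyVault:
    """Hypothetical in-memory vault issuing 1+11+4 format-preserving tokens.

    A real vault would persist the mapping in an encrypted store with strict
    access control; this version only demonstrates the token shape.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("expected a 16-digit Luhn-valid card number")
        # Same card always maps to the same token so the client can reuse it
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        first_digit, last_four = pan[0], pan[-4:]
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(11))
            token = first_digit + middle + last_four
            # Reject the identity, collisions with existing tokens, and anything
            # that Luhn-validates (a token must never look like a real PAN)
            if (token != pan
                    and token not in self._token_to_pan
                    and not luhn_valid(token)):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (never the client) can turn a token back into a PAN."""
        return self._token_to_pan[token]


# Constructed sample: the well-known Visa test number, which is Luhn-valid
SAMPLE_PAN = "4111111111111111"


def demo() -> tuple[str, str]:
    """Tokenize the sample PAN and return (token, recovered PAN)."""
    vault = ToyVault()
    token = vault.tokenize(SAMPLE_PAN)
    return token, vault.detokenize(token)


if __name__ == "__main__":
    token, recovered = demo()
    print("token:", token, "| first digit and last four preserved:",
          token[0] == SAMPLE_PAN[0] and token[-4:] == SAMPLE_PAN[-4:])
    print("token passes Luhn:", luhn_valid(token), "| recovered:", recovered)
```

The Luhn rejection is the detail worth noting: since roughly one in ten random 16-digit strings passes the checksum, a vault that did not filter them would occasionally hand a client a token that is indistinguishable from a live card number.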

Once our client has collected the credit card through the HostedPCI IVR, they are then able to construct a real-time API AUTH request and follow up with a capture once the fraud checks have been completed by the gateway. While constructing the API request, our client uses a specific parameter called the PayName to identify the exact merchant account required for that transaction.

By using this strategy, the client was able to reduce their PCI scope, as the entire process of collecting, storing, and exchanging card data was moved to a secure third-party proxy. This reduced their PCI scope from SAQ Type D, a tedious process of carefully answering around four hundred questions, to SAQ Type A, which is approximately eleven questions.