Case Study – Municipality
This municipal client of ours required the ability to accept credit cards from their clients in a PCI-compliant way, reducing their PCI scope as much as possible. The biggest challenge was collecting the customer's card over the phone while still being able to guide their clients through the transaction process, and also collecting the card during off-hours with an unassisted IVR. While this client also collects credit cards online, a large number of their clients typically call in for convenience and comfort. Once the credit card is collected, our client needs to process not only the bill fees but also a standard service fee. The trick was that while both charges remained on the same invoice, they needed to be sent to different merchant accounts.
For this client, it was easy to determine the collection methods required: they needed our attended IVR for their phone systems and the HostedPCI iFrame, so they could collect credit cards through 2 different avenues while keeping all the credit cards within 1 vault. The HostedPCI IVR solution is a 3-way conference call where the agent can remain on the line with the customer while the customer enters the credit card into the IVR using DTMF tones. This allows for a more comfortable customer experience. To maintain PCI compliance, the IVR salts the credit card information with additional tones so that the agent and any recording device remain out of scope. Our client also required an unattended IVR for off-hours, when no agent was available on the line. For this they were able to use the same HostedPCI IVR system; however, in place of the agent, their own IVR system initiated and conferenced the call. From there the customer would enter their credit card details while the HostedPCI IVR salted the input with additional tones, and once complete the HostedPCI IVR would hang up and the client's IVR would continue with the transaction.
The final collection method that was required was the HostedPCI iFrame. The iFrame can be embedded into the client's checkout page, allowing them to remain in control of the entire transaction process without being required to handle the credit card internally. The HostedPCI iFrame tokenizes the credit card directly from the browser before the customer details. The client is provided with an independent and durable token which can be used with any third-party or supported gateway as many times as required.
Once we had resolved the collection issue, HostedPCI was tasked with providing a solution for their multiple payment processing methods. Since our merchant worked with multiple vendors to process payments on their behalf, they required the ability to send real-time payments through specific gateways, as well as batch file uploads to additional third-party payment processors in a few unique situations. HostedPCI was happy to announce that there was no additional cost associated with the multiple connection endpoints required, and that we supported multiple gateways while the merchant only needed to manage one token. When it came to batch file processing, HostedPCI was also able to provide our merchant the ability to upload real credit card files to specified SFTP locations for other third parties to retrieve the credit card information.
Once the credit card is collected, the municipality needs to be able to split the transaction into 2: one for the bill fees and the second for the service charge, which is applied to every invoice. The benefit with HostedPCI is that we do not have a limit on the number of gateways or merchant connections you have within a single vault, and there is no additional charge for it either. Essentially, the client makes their first payment request call with the amount for the bill being paid. This first transaction is sent through HostedPCI using our standard SALE API request. Within this request, the client identifies the specific merchant ID being used for this transaction. Once that transaction has been sent to HostedPCI, the municipality then sends the second transaction, for the service charge, which needs to go to a different merchant account. The benefit of the HostedPCI solution is that both transactions can be sent and approved in real time, which means the agent or customer receives feedback on their payment in real time.
HostedPCI was able to remove the entire credit card collection process from the municipality's scope, reducing their PCI audit form from an SAQ type "D" to an SAQ type "A".