Why Accepting Payments over the Phone is a PCI Concern.
The PCI DSS (Payment Card Industry Data Security Standard) exists to protect merchants and consumers from fraud during the payment process. Most businesses know that PCI compliance applies to online payment collection, but many are not aware that it applies just as much to payments taken over the phone. Whether your business operates a single phone line or many, you should understand the risks of accepting sensitive payment information during a call. To help protect your business, this post walks through the most common concerns with phone payments and explains how proper PCI compliance measures address them.
The first opportunity for a data breach arises in the interaction between the customer service representative and the client. When finalizing a purchase without an IVR in place, the client reads their card details aloud to the agent. The core problem is that once an agent has heard the card number, the merchant cannot control whether that information leaves the business: it can be written down for later use or passed on to an outside party. Every agent, workstation and notepad that can touch the card number is now inside the merchant's PCI scope. Collecting the card number through an IVR drastically reduces that scope by keeping the agent separated from the client's payment data.
Related to the agent interaction, most call centres also record conversations for training and quality purposes, and those recordings can create additional PCI liabilities for a company. When a payment is finalized over the phone, the representative goes over the client's name, postal code, card number, expiry date and CVV. Without proper controls, all of that information is not only recorded but also stored in the company's systems. PCI DSS does not allow sensitive authentication data such as the CVV to be retained after authorization at all, and a voice recording counts as storage, so this drastically increases the merchant's breach risk. A common workaround is to have the agent pause the recorder before taking the card number, but an agent may forget to resume it, and the rest of the call is then not recorded. With a secure IVR collecting the card details, merchants can keep recording every call while keeping the recordings out of PCI scope, minimizing the potential for a breach.
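To see how much of a stored recording falls into scope, a practitioner will typically scan whatever text the recordings have been transcribed into for card numbers. The following is an added example, not code from the original post or from any IVR vendor; it assumes the recordings have already been transcribed to plain text, uses a constructed transcript, and uses the well-known Visa test number 4111 1111 1111 1111 as sample data. Candidate digit runs are confirmed with the Luhn checksum so that order references and phone numbers are left alone. Note what it cannot do: the expiry date and CVV are short numbers with no checksum and cannot be reliably located this way, which is one more reason to keep them out of the recording entirely.

```python
"""PAN discovery and redaction in call transcripts (added example, not the
original post's code). Assumes recordings have been transcribed to text."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate):
    """Strip the separators a caller may have spoken or a transcriber inserted."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return every Luhn-valid candidate in the text, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        raw = _normalize(m.group(0))
        if 13 <= len(raw) <= 19 and luhn_ok(raw):
            found.append(raw)
    return found


def redact_pans(text):
    """Replace each Luhn-valid candidate with a mask that keeps the last four."""
    def _mask(m):
        raw = _normalize(m.group(0))
        if 13 <= len(raw) <= 19 and luhn_ok(raw):
            return "*" * (len(raw) - 4) + raw[-4:]
        return m.group(0)       # not a card number (e.g. an order reference)
    return CANDIDATE_RE.sub(_mask, text)


# Constructed sample transcript; 4111 1111 1111 1111 is the Visa test number.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I take the card number please?\n"
    "Customer: Sure, it's 4111 1111 1111 1111, expiry 12/27, CVV 123.\n"
    "Agent: Thanks, your order reference is 1234567890123.\n"
)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_TRANSCRIPT))
    print(redact_pans(SAMPLE_TRANSCRIPT))
```

Run against the constructed transcript, the scanner reports one PAN and redacts it to `************1111`, while the 13-digit order reference fails the Luhn check and is left intact; the expiry and CVV remain in the text, untouched, because nothing about them is detectable.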
The last major concern for merchants is the possibility of a phone line being intercepted maliciously. Historically, a traditional landline was relatively difficult to tap, so the risk to the merchant was low; as phone systems move to VoIP and cloud-hosted telephony, however, the risk of a man-in-the-middle attack on the call grows. Once a call is intercepted, an attacker can simply note the card details read aloud for later use. By implementing a secure IVR, the PCI scope can be greatly reduced by removing the card number and CVV from the voice call altogether.
A secure Interactive Voice Response (IVR) system from a third party can reduce a merchant's self-assessment questionnaire from SAQ D all the way down to the minimal SAQ A, provided the third party is PCI DSS validated and no cardholder data enters the merchant's own systems. There are a few types of IVR solutions on the market today. The most common is a redirect from the merchant's environment to the secure IVR; from a PCI perspective this is secure, but it hurts the user experience because the customer is often left alone to key in their card details before the IVR hangs up. A more recent form of IVR lets merchants reduce their PCI scope while preserving the customer experience, because the agent remains on the line for the whole process. To keep the agent and any recording device out of scope, the IVR detects the DTMF tones the customer keys in and masks them, replacing them with a flat tone on the audio leg that reaches the agent and the recorder, so the digits cannot be recovered from the call. Combined with a tokenization service, so that the merchant's systems receive a token rather than the card number, an IVR solution shrinks your PCI scope and makes a potential breach far less damaging.
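The DTMF masking step is the part that keeps the recording out of scope, and it is easy to see why by decoding the tones yourself. The following is an added example written for this post, not code from the original article or from any IVR product. It synthesizes the DTMF audio a phone produces for a keyed-in card number, shows that a Goertzel-based detector (what any recorder or eavesdropper can run) recovers every digit, then applies the masking the agent/recorder leg receives and shows the same detector recovers nothing. Assumptions, all constructed for the demo: 8 kHz narrowband audio, 100 ms digit bursts aligned to 100 ms blocks, no line noise, and a 1000 Hz flat tone as the mask; real products also handle tones that straddle frame boundaries and overlap speech.

```python
"""DTMF masking demo (added example, not the original post's code).
Pure standard library; all audio is synthesized in-process."""
import math

SAMPLE_RATE = 8000              # Hz, narrowband telephony (assumption)
BLOCK = 800                     # samples per digit burst, 100 ms (assumption)
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # row = low tone, column = high tone
MASK_FREQ = 1000.0              # flat tone substituted for each digit (assumption)
POWER_THRESHOLD = 0.05          # normalized power required to accept a tone


def tone(freqs, amplitude, n_samples):
    """Sum of sines, one per frequency, each at the given amplitude."""
    return [sum(amplitude * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in freqs)
            for n in range(n_samples)]


def synthesize(digits):
    """Constructed input: the DTMF audio a phone keypad produces for `digits`."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        samples += tone((LOW_FREQS[row], HIGH_FREQS[col]), 0.5, BLOCK)
    return samples


def goertzel_power(block, freq):
    """Normalized power at `freq` via the Goertzel algorithm: a pure sine of
    amplitude A sitting on the bin yields roughly A**2."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)           # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n / 2) ** 2


def detect_digit(block):
    """Return the DTMF digit in a block, or None if no valid tone pair is present."""
    lo = max(LOW_FREQS, key=lambda f: goertzel_power(block, f))
    hi = max(HIGH_FREQS, key=lambda f: goertzel_power(block, f))
    if (goertzel_power(block, lo) < POWER_THRESHOLD
            or goertzel_power(block, hi) < POWER_THRESHOLD):
        return None
    return KEYPAD[LOW_FREQS.index(lo)][HIGH_FREQS.index(hi)]


def decode(samples):
    """What a recorder or eavesdropper recovers: one symbol per block,
    '?' where no digit is present."""
    return "".join(detect_digit(samples[i:i + BLOCK]) or "?"
                   for i in range(0, len(samples) - BLOCK + 1, BLOCK))


def mask_dtmf(samples):
    """The IVR's agent/recorder leg: every block carrying a digit is swapped
    for a flat tone; everything else (speech) passes through unchanged."""
    out = []
    for i in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[i:i + BLOCK]
        out += tone((MASK_FREQ,), 0.5, BLOCK) if detect_digit(block) else block
    out += samples[len(out):]   # keep any trailing partial block as-is
    return out


if __name__ == "__main__":
    pan = "4111111111111111"     # well-known Visa test number
    raw = synthesize(pan)
    print("recorder hears on an unprotected line:", decode(raw))
    print("recorder hears with DTMF masking:     ", decode(mask_dtmf(raw)))
```

On the unmasked audio the detector returns the full test number; on the masked leg it returns sixteen `?` symbols, and a non-DTMF block such as speech is passed through byte-for-byte, which is what lets the merchant keep recording the rest of the call.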
With technology always advancing, protecting customer data can seem like a never-ending task that is hard to understand. In this post we have outlined the most common concerns with receiving credit card data over the phone, and we encourage merchants to stay up to date with the latest PCI mandates in order to remain compliant. While there are many options for securing card data over the phone, a secure IVR is one of the most effective tools available today for protecting the customer's data. Implementing one not only protects the merchant but also builds long-lasting, trusted relationships between you and your clients.