BPOs how to manage PCI DSS compliant payments & secure data

By Mandy Pattenden, Marketing Communications Director

If you’re a service provider or merchant that acts on behalf of others, then you’ll be all too aware of the challenges relating to managing sensitive data and interactions with a variety of third-party systems.

Working on behalf of multiple clients, you need to be confident you can get critical integrations up and running fast and in the most cost-efficient way possible. It’s vital to have the ability to initiate short term engagements or streamline the onboarding of new strategic partners and affiliates with the minimum of delays.

When handling online or phone payments on behalf of others, however, you also need to be able to demonstrate the very highest achievable security levels when it comes to capturing and processing sensitive cardholder or personally identifiable information (PII). In other words, demonstrating your compliance with Payment Card Industry Data Security Standard (PCI DSS) security controls.

This comes as no easy task if your contact center agents need to be able to deal with a variety of complex card not present payment (CNP) scenarios for the brands or partners you represent.

Secure payments – a hot topic for a range of service providers

Taking telephone payments on behalf of multiple entities represents a top challenge for a variety of different service providers. Today’s BPO call centers need to be able to handle hundreds of inbound calls on behalf of organizations whose customers want to seize the moment and place their orders by phone.

Similarly, insurance brokers frequently need to update policyholder information on flood, fire, or earthquake databases. Or support the direct purchase of additional or specialist insurance cover for customers. In the state of California, for example, brokers frequently need to help people supplement their home insurance policies with earthquake coverage purchased from the state’s own earthquake insurance website.

In much the same way, travel agents are frequently asked by customers to create bespoke itineraries that may involve the purchase of flights, hotel rooms, or entry vouchers in addition to the tour package itself.

What’s at stake

In all these cases, everyone in the service delivery chain needs to be confident that agents on the end of the phone can enable truly seamless customer interactions – and that payments undertaken via third party websites will be both secure and PCI DSS compliant.

The financial and reputational consequences resulting from a data breach  from these interactions are significant. In terms of risk, the stakes get even higher if you are also required to record calls or agent screens for monitoring or quality purposes. Ensuring that sensitive card data is not accidentally captured on recording systems is a must-have for maintaining adherence to PCI DSS security standards.

Initiate effortless PCI DSS compliant interactions fast

Semafone’s SecureWeb+ solution enables you to handle PCI DSS compliant transactions via a locked down browser that enables agents to inject a customer’s payment card details direct into a pre-determined and merchant specified website page.

Acting as an extension to Semafone’s Cardprotect Voice+ solution, your agents simply navigate to the required third-party webpage and click into the payment field. This action activates a secure mode that allows callers to use their telephone keypad to enter their card payment details, which are masked by DTMF tones. These details are then securely injected into the web payment page. No sensitive data is ever heard or seen by your agents, and the card data entered via the webpage cannot be copied, is not visible in the browser code, and screenshots cannot be taken.

Throughout the entire process, your agents can stay on the line to support customers and monitor the progress of their payment transaction. Since no sensitive payment details are ever spoken or displayed, all recording activities can continue without interruption.

Delivering full protection for your contact center, your clients and their customers, as well as any other third-party merchants involved, Semafone’s SecureWeb+ makes it easy to look and operate like an extension of your clients with a single integration process.

A better way to transact

Simplifying compliance across multiple business entities and third-party systems, Semafone SecureWeb+ makes it easy to demonstrate a strong security posture when it comes to assuring payment security for commercial partners.

Enabling the efficient handling of multiple CRM and integration touchpoints, it eliminates time-consuming and costly development overheads for organizations that need to initiate third-party system access and transaction handling―even if there is no requirement with the third-party system provider.

Payments can now be handled faster and more securely, which in turn generates both operational efficiencies and the delivery of a better experience for callers. Plus, because sensitive payment data never touches your contact center environment, the network and your contact center systems are de-scoped for PCI DSS compliance.