
Financial institutions PCI DSS compliance & payment security

By Mandy Pattenden, Marketing Communications Director

One of the most heavily regulated industries in the world, the finance sector is required to comply with an extensive list of industry and governmental regulations at all times. In addition to this burden, finance institutions also typically process huge volumes of financial transactions. Together, these factors create the potential for a payment-related data breach.

This represents a challenge for companies operating in the sector. Mortgage brokers, banks, investment firms, credit unions, insurance companies and debt collecting firms all depend on their contact centers to deliver information, support, and services to customers. Typically, this also includes assisting customers with transactions and taking payments over the telephone and across digital channels.

This means it’s vital to maintain a fully secure and compliant call center in line with the requirements set out in the Payment Card Industry Data Security Standard (PCI DSS) for the handling and storage of cardholder and other sensitive personal data.

Failure to do so risks substantial fines, lawsuits, revenue loss, and potentially irreparable damage to a brand’s reputation.

Keeping card and customer data safe

Complying with rigorous security standards such as the PCI DSS is a complex proposition that requires the call center to maintain a careful balancing act between security and functionality and adherence to a raft of other regulatory responsibilities.

For example, many financial institutions are required, under rules set by the Financial Conduct Authority (FCA) in the UK and the Dodd-Frank Act in the US, to record their customer conversations. Yet PCI DSS prohibits the recording and storage of any sensitive card payment authentication data, such as three-digit security codes (CID, CVC2, CVV2 or CAV2).

This creates a dilemma: how do you record calls and keep sufficient evidence of a transaction without recording sensitive payment card details? The answer for many finance firms has been to pause call recordings at the point of payment, resuming once payment is complete.

It is an approach, however, that is fraught with significant risk and places day-to-day compliance responsibilities in the hands of front-line personnel. Human error can result in recordings being paused at the wrong point, resulting in the accidental capture of card numbers. In addition, the recording no longer constitutes a complete call record, which will conflict with the compliance requirements of any regulatory body that mandates calls be recorded in their entirety.

Finally, the use of pause-and-resume methods does not make the call center PCI DSS compliant, since agents can still hear customer card details and the card data held in contact center systems is vulnerable to cyber-attack. The PCI SSC itself even recognized in its Guidance for Securing Telephone-Based Payments that pause-and-resume methods carry an inherent risk of cardholder data making its way onto call recordings inadvertently, either through agent or software error, and that there are far better alternatives available to ensure PCI DSS compliance.

Ensuring compliance and preserving customer trust

When it comes to securely and compliantly handling telephone payments, what is needed is a solution that delivers on multiple fronts. In other words, it must not disrupt the call recording at any point, needs to deliver full compliance with PCI DSS, and finally, eliminates agents completely from scope in order to protect both them and customers.

Fortunately, today’s dual-tone multi-frequency (DTMF) masking solutions make it possible to achieve all this and more. Solutions like Semafone’s Cardprotect Voice+ enable financial institutions to reduce risk and take secure, PCI DSS compliant card payments over the phone in a seamless way that does not compromise adherence to other regulatory requirements such as call recording.

How it works

Customers simply enter their card number directly into their telephone keypad, rather than speaking it out loud. As a result, no sensitive payment card details ever appear on the call recording, which can continue uninterrupted. The solution masks the DTMF tones as the customer keys their payment card information into their handset, meaning the digits cannot be ‘heard’ by agents, who are able to stay on the line to assist customers with the payment process. Plus, it is impossible to reverse engineer card data from the call recording itself.

Finally, Semafone’s patented data capture solution transmits all customer payment data directly to the organization’s payment service provider (PSP). This enables financial institutions to significantly reduce their PCI DSS burden and ongoing compliance costs as payment card details never enter the contact center’s infrastructure.
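The contrast between pause-and-resume and DTMF masking described above, as an added simulation that is not Semafone’s code: constructed call events stand in for the media stream, each routing function places them onto the agent, recording and PSP legs, and a Luhn-based check looks for a card number that leaked onto a leg it should never reach. The event timings, the well-known test PAN and the `<tone>` placeholder are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Legs:
    agent: list = field(default_factory=list)      # audio the agent hears
    recording: list = field(default_factory=list)  # audio that gets stored
    psp: str = ""                                  # digits forwarded to the PSP
def luhn_ok(digits: str) -> bool:
    """Luhn check, used to recognise a plausible card number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def pause_and_resume(events, pause_at, resume_at):
    """Agent-triggered pause: events indexed [pause_at, resume_at) are kept off
    the recording only; the agent still hears every keyed digit."""
    legs = Legs()
    for i, (kind, value) in enumerate(events):
        legs.agent.append(value)
        if not pause_at <= i < resume_at:
            legs.recording.append(value)
        if kind == "dtmf":
            legs.psp += value
    return legs
def dtmf_masking(events):
    """Masking: each keyed digit becomes a flat placeholder tone on the agent
    and recording legs; the real digit is forwarded only to the PSP leg."""
    legs = Legs()
    for kind, value in events:
        heard = "<tone>" if kind == "dtmf" else value
        legs.agent.append(heard)
        legs.recording.append(heard)
        if kind == "dtmf":
            legs.psp += value
    return legs
def pan_on_leg(leg) -> bool:
    """Detection check: True if a leg holds a contiguous Luhn-valid 13-19 digit run."""
    run = ""
    for item in leg + ["<end>"]:
        if len(item) == 1 and item.isdigit():
            run += item
        elif 13 <= len(run) <= 19 and luhn_ok(run):
            return True
        else:
            run = ""
    return False

# Constructed call: the caller keys a well-known test PAN (not a real card)
# after two utterances, so the DTMF events sit at indexes 2 to 17.
TEST_PAN = "4111111111111111"
CALL = ([("speech", "hello"), ("speech", "card number please")]
        + [("dtmf", d) for d in TEST_PAN] + [("speech", "thanks")])
```

Running `pan_on_leg` over the recording leg of a mistimed pause (for example `pause_and_resume(CALL, 18, 19)`) flags the leaked card number, while the masked flow leaves digits on the PSP leg only.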

Similarly, when it comes to handling customers that want to set up a recurring direct debit or one-off direct payment from their bank account, Semafone’s Bankprotect Voice+ provides a patented DTMF masking solution that enables the secure collection of account and routing or sort code numbers by shielding this sensitive banking information from call center agents.

Delivering enhanced operational flexibility

The COVID-19 pandemic has tested the operational resilience of contact centers, many of which have had to grapple with initiating the control processes that will enable agents to work remotely and continue to support customers in a seamless and secure way.

Providing everything that remote teams need to instantly take secure payments, Semafone’s solutions make it possible for agents working from home to continue to take PCI DSS compliant payments over the phone. All of which gives finance organizations the enhanced operational flexibility that will be needed to continue and extend their virtual contact center models.

Finally, with more and more customers now opting to transact via the engagement channel of their choice, Semafone’s Cardprotect Relay+ solution makes it easy for contact centers to generate secure digital payment hyperlinks that can be sent to customers via webchat, social media, email, SMS and QR codes. Enabling financial services organizations to transact with customers anywhere, without any need to invest in additional costly hardware, the solution takes any digital payment channel out of scope for PCI DSS. All of which gives financial services organizations the freedom to deploy flexible yet compliant payment solutions fast.