PCI DSS compliance & payment security for utility companies

By Mandy Pattenden, Marketing Communications Director

When it comes to payment processes, many utility companies are stuck using outmoded practices that were never designed to support a changing regulatory compliance landscape and today’s rigorous privacy and data security requirements.

It is easy to understand why utility firms struggle when it comes to focusing their efforts on addressing this issue. All too often, the intensely competitive nature of this sector means a lot of time and energy is devoted to maintaining the best possible customer experience. Plus, historical mergers and acquisitions have resulted in many utility companies inheriting a patchwork of legacy operating models and systems, which makes it difficult to apply a consistent approach to risk management and regulatory compliance.

In recent years, the rapid pace of digital transformation has added further complexity to the challenge. During the COVID-19 outbreak, utility firms had to fast-track the multi-channel enablement of customer interactions at scale.

As they prepare to re-shape operations for the next normal, now is the perfect time for utility companies to put their payment processes onto a more compliant footing, ideally without incurring burdensome cost or unnecessary complexity for the business.

Tackling the payments challenge

With data breaches continually hitting the headlines, utility companies need to demonstrate they are using the latest approaches when it comes to handling and processing sensitive customer data. No easy task when the breadth and variety of payment options on offer to customers is so extensive.

While a large proportion of customers choose to set up regular monthly recurring bills, using either payment cards or direct debits from their bank accounts, others prefer a more ‘in-the-moment’ approach: making a one-off remote payment via the telephone or another channel after receiving a bill or demand notification.

To enable all these customer scenarios, a huge number of security controls need to be in place to maintain compliance with PCI DSS requirements for card payments. Added to which, utility firms need to implement a raft of additional measures to assure compliance whenever customers want to set up regular BACS or ACH payments over the phone.

Reducing the complexity and cost of compliance for telephone payments

Many of today’s business and retail customers like the convenience and ease of making a telephone call to pay a bill and it is easy to understand why. Being able to talk to a knowledgeable service agent who is on hand to smooth out any problems or deal with any billing queries means that calling in to a contact center continues to be a popular choice for making payments.

However, this means that large volumes of card data end up flowing through a company’s IT and telephony infrastructure. Since PCI DSS regulations require extensive security checks and controls wherever card details are stored, this can add up to a lot of time and money to simply maintain compliance.

One of the best ways to ease the burden of PCI DSS compliance is to keep payment data out of the business infrastructure entirely by completely removing sensitive card data from the contact center environment.

Today’s modern dual-tone multi-frequency (DTMF) solutions make it easy for customers to input their credit and debit card details via their telephone keypad rather than speaking them out loud. Card details are then transmitted directly to the payment service provider (PSP), bypassing the contact center infrastructure and thereby reducing the number of checks and controls needed to meet PCI DSS requirements.

By preventing this data from entering the internal IT infrastructure, including the VoIP network, in the first place, solutions like Semafone’s Cardprotect Voice+ offer a simplified solution for complex card-not-present payments. Indeed, Northumbrian Water Group was able to reduce the number of PCI DSS controls it needs to adhere to from 406 to just 14.

Because Semafone’s solution masks the key tones, agents can stay on the line during the transaction to help should a customer accidentally miskey their card number.

Securing banking transactions

With data breaches becoming more sophisticated, frequent, and expensive, maintaining proper security controls when capturing the sensitive banking details of customers is a must-have.

Solutions like Semafone’s Bankprotect Voice+ now make the collection of bank account and routing numbers for direct debit or direct bank payments over the telephone a secure and highly compliant process for organizations. Plus, because the solution integrates seamlessly with any existing contact center technologies, there is no need to upgrade CRM or call recording platforms.

By removing banking information from contact center infrastructures and using DTMF masking to shield sensitive banking details, utility companies can deliver a secure and frictionless experience for customers that want to take advantage of the telephone to set up their payment. Once again, customers enter their bank account and routing numbers via their telephone keypad; these numbers are then verified for accuracy to ensure the right account is always debited. Since call handlers can’t ‘hear’ a customer’s sensitive bank details, they are able to stay in constant voice communication with customers for the duration of the transaction.
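The two mechanisms described above, keypad entry that is masked on the agent leg while the digits go to the PSP, and a checksum on the entered number to catch mis-keys, as an added illustration (constructed example code, not Semafone's product code). The call model, mask tone and verification functions are assumptions for the demonstration; the Luhn and ABA routing checks are the standard mod-10 algorithms.

```python
"""Simulate DTMF masking on a telephone payment call.

Keyed digits are routed only to the PSP leg; the agent leg (and anything
recording it) receives a flat mask tone, so no card or account number ever
enters the contact-center infrastructure. Constructed example, not vendor code.
"""
import re
from dataclasses import dataclass, field

MASK_TONE = "*"  # what the agent/recorder hears in place of each digit


@dataclass
class MaskedCall:
    psp_buffer: list = field(default_factory=list)   # digits forwarded to the PSP
    agent_audio: list = field(default_factory=list)  # what the agent leg receives

    def on_keypress(self, key: str) -> None:
        """Route one DTMF key: digits go to the PSP, the agent gets a mask tone."""
        if key.isdigit():
            self.psp_buffer.append(key)
            self.agent_audio.append(MASK_TONE)
        else:
            self.agent_audio.append(key)  # '#' end-of-entry marker is not sensitive

    def captured_number(self) -> str:
        return "".join(self.psp_buffer)


def capture(keys: str) -> MaskedCall:
    """Feed a keypad sequence (constructed input) through the masking proxy."""
    call = MaskedCall()
    for key in keys:
        call.on_keypress(key)
    return call


def agent_heard_digits(call: MaskedCall) -> bool:
    """De-scoping check: the agent leg must carry no digits at all."""
    return any(ch.isdigit() for ch in call.agent_audio)


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check on a card number; rejects single mis-keyed digits."""
    if not re.fullmatch(r"\d{12,19}", number):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_valid(routing: str) -> bool:
    """ABA routing number check: nine digits, 3-7-1 weighted sum divisible by 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0
```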

Keeping customer payment data safe

Today’s modern payment solutions make it easy for utility companies to take secure PCI DSS compliant payments over the phone in a streamlined and simplified way that de-scopes the contact center and protects payments against fraud and data breaches.

Available for implementation in the cloud or on-premises, today’s payment solutions make it easy for organizations to achieve bullet-proof PCI DSS compliance across all their contact centers. There are also options that make it easy to exploit new multi-channel contact center technologies and handle secure payments via email, SMS, or web chat.

All of which enables today’s utility companies to introduce new advanced payment options and time saving self-service features that will continue to delight customers.