Transparency and openness are two of HCPC’s organizational values, and importance is placed upon adhering to these in its work with registrants and employees alike.
The organization quickly realized that many of the measures required to achieve compliance with the PCI DSS would compromise these values; in particular a “clean room” policy, which would have severely restricted the freedom of registration agents by prohibiting pens, paper and mobile phones at workstations. Instead, the team needed to find a technology-based solution that would relieve employees of the responsibility of handling customers’ credit card information. An additional challenge was the fact that HCPC records all calls with registrants; the PCI DSS specifically prohibits the recording of any sensitive authentication data.
HCPC brought in a third party, the National Computing Center (NCC), to help find a solution. After a rigorous selection process, Sycurio.Voice was chosen. Sycurio.Voice allows the caller to enter their own card details into the telephone keypad. The numbers are sent directly to the acquiring bank, and the agent can neither hear nor see them. The sound made by pressing the keys is disguised by Dual-Tone Multi-Frequency (DTMF) masking technology, so the numbers cannot be identified.
Sycurio was selected for two key reasons. Firstly, Sycurio.Voice was the only solution that did not operate on the principle of “pause and resume”, which involves pausing the call recording at the point of payment while numbers are read out loud. The pause and resume method relies heavily on the agent pressing the right button at the right time and is therefore susceptible to human error. It also means that the agent can still hear sensitive card data and so the agent is subject to rigorous security checks.
Secondly, the experience for both the agent and the customer is significantly improved using Sycurio.Voice – the agent is able to continue to talk on the phone throughout the payment process, offering assistance if any problems arise. Agents are released from the cloud of suspicion and from onerous clean room measures. PCI DSS compliance challenges are removed, and agents are freed up to do their jobs.