
Callstream Vault: PCI Compliant Telephone Payment

Take telephone payments, record all calls & achieve PCI compliance

Callstream Vault is our multi-award-winning PCI Compliant Secure Payment Platform.

  • Cloud based PCI level 1 approved payment application
  • Complete recording with agent on call from start to finish
  • Customer uses their telephone keypad to enter credit card details
  • DTMF tones are not audible to the agent or any call recording equipment
  • Integrates with payment gateway and CRM systems
  • Process automated and live agent payments


Vault allows customers to provide their credit card information without those details being shared or stored by the agent or call recording software. It is the only cloud-based PCI Level 1 certified solution for contact centre environments.

Callstream Vault provides the highest level of security, with no equipment costs and all the flexibility, scalability and resilience of the cloud.

With concern over security breaches rising and regulations tightening, you want to ensure that credit card transactions taken over the phone are both compliant and secure, for your customers and for your own peace of mind.

More details

Calls are answered by call centre agents in the usual way, but when the customer is ready to make a payment, instead of having to read out their card number and security code over the phone, the customer simply enters the digits via their telephone keypad. Contact between the customer and call centre agent is maintained throughout, but all tones are muted so card details remain shielded.

By suppressing the data entered by the caller, the system prevents credit card information from being picked up by the call-handler, caller or recording equipment, ensuring watertight security of data. The payment details are forwarded straight through to the merchant’s credit card processing platform in a secure format such as XML over HTTPS.

For automated payments, customers call the payment line and their calls are delivered straight to the Callstream Vault platform where again they enter their credit card details for secure processing.






What is PCI DSS?

PCI DSS originally began as five different company programmes which were aligned to create the Payment Card Industry Data Security Standard (PCI DSS). With examples of high profile security breaches increasingly common in the media, complying with the PCI standards has never been more important for companies wishing to take payments over the phone. PCI compliance firms up your corporate security and gives your customers added peace of mind when divulging their private card details. Companies often think PCI Compliance is all about building a security wall around vulnerable corporate areas such as databases and networks; this is not the case. Real PCI compliance means changing the culture of a company and building in security at every level and with every member of staff.

A secure PCI environment is as secure on the inside as it is on the outside.

In November 2013 the PCI Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Version 3.0 became effective on 01 January 2014.

What are the risks of non PCI Compliance to my organisation?

Fines may be levied by each credit card company should your business become subject to data hacking, breaches in data protection, computer misuse or any form of data loss containing credit card details. These fines could be substantial, amounting to tens of pounds for each and every transaction since the breach; but the problem does not stop there. Any breach of security will be very damaging to your organisation’s reputation and brand image. You may also be held responsible for ongoing legal costs to cover identity fraud caused by the breach. Finally, should it be proven that any breach has originated from your business you may also be responsible for punitive damages.

Who is liable?

It is not acceptable to assume that a service provider or reseller has or is using a PCI compliant solution. It is your organisation’s responsibility to conduct due diligence against your provider to ensure the solution you are to utilise meets all of the PCI DSS controls. Many providers say and in fact promote that they are compliant, but in reality they are not. It is prudent to always obtain a copy of the provider’s certificate of compliance and ensure they have been audited by a PCI-DSS approved QSA.

We don’t store card details, does PCI apply to us?

Even if your organisation does not store credit card details you could still be subject to an attack causing breaches in PCI controls. Additionally, you must adhere to other PCI controls for any personal data stored. If, as an organisation, you want to limit the potential threat of PCI breaches, do not take or store credit card details if you can help it. The simplest solution is often to outsource the entire PCI approved payment application to an external service provider, such as Callstream’s Vault.

As most of our transactions are online, do we take sufficient amounts of transactions over the phone to warrant compliance above level 4?

Transactions conducted over the phone, internet and other applications are cumulative. It is the total number of transactions that is relevant, regardless of where or how they have been processed. For example, if an organisation takes fewer than 20,000 Visa/MasterCard transactions over the phone but processes over 1 million via the internet, they must ensure they meet all the controls for level 2 compliance for phone calls, as well as e-commerce.

Are we compliant if we purchase PCI FAS approved equipment?

Many organisations are investing high levels of capital expenditure into PCI DSS approved equipment to address the requirement to be approved. Although it is useful to have PCI compliant hardware and software to meet certain requirements, the organisation still has to meet ALL of the controls in order to pass the audit.

“Along with Callstream’s extensive experience of working with insurance businesses, Vault provides an excellent solution allowing us to rapidly meet PCI & FCA regulations” Nigel Taylor, Group Director Coversure Insurance Services