With concern over security breaches rising and regulations tightening, you want to ensure that credit card transactions taken over the phone are both compliant and secure for the customers and your own peace of mind.
Callstream Vault is our multi-award-winning PCI compliant Secure Payment Platform. It allows customers to provide their credit card information without those details being shared with, or stored by, the agent or the call recording software. It is the only cloud-based PCI Level 1 certified solution for contact centre environments.
Callstream Vault provides the highest level of security, with no equipment costs and all the flexibility, scalability and resilience of the cloud.
Almost 65% of credit card fraud in the UK in 2013 came from cardholders where the cards were not present at the time of the transaction.
Source: Financial Fraud Action UK 2014
Calls are answered by call centre agents in the usual way, but when the customer is ready to make a payment, instead of having to read out their card number and security code over the phone, the customer simply enters the digits via their telephone keypad. Contact between the customer and call centre agent is maintained throughout, but all tones are muted so card details remain shielded.
By suppressing the tones entered by the caller, the system prevents credit card information from being picked up by the call handler, the caller's own line or the recording equipment, ensuring watertight security of the data. The payment details are forwarded straight through to the merchant’s credit card processing platform in a secure format such as XML over HTTPS.
For automated payments, customers call the payment line and their calls are delivered straight to the Callstream Vault platform where again they enter their credit card details for secure processing.
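The capture flow described above can be modelled as a routing decision made per event on the caller's leg: speech passes to the agent and the recorder throughout, while keypad tones entered during capture are absorbed by the payment component, shown to the agent only as a masked progress indicator, and released onward only as a processor reference. The following is an added illustration written for this page, not Callstream's code; the event model, the CallLegs structure, submit_to_processor and the sample call are constructed stand-ins, and the PAN used is the widely published Visa test number rather than a real card.

```python
from dataclasses import dataclass, field

# Constructed sample input: the published Visa test PAN, not a live card.
TEST_PAN = "4111111111111111"


@dataclass
class CallLegs:
    """What each downstream party receives (constructed model of the media paths)."""
    agent_hears: list = field(default_factory=list)   # audio and tones forwarded to the agent
    recording: list = field(default_factory=list)     # what the call recorder stores
    agent_screen: list = field(default_factory=list)  # status shown on the agent's desktop


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, so mis-keyed PANs are rejected before forwarding."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form limited to first six and last four digits, the PCI DSS maximum."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def submit_to_processor(pan: str, expiry: str, cvv: str) -> dict:
    """Stand-in for the merchant's processing platform (constructed).

    Only a reference and the masked PAN come back; the CVV is never echoed."""
    if not luhn_ok(pan):
        return {"status": "declined", "reason": "invalid PAN"}
    return {"status": "approved", "auth_ref": "REF-" + pan[-4:], "masked_pan": mask_pan(pan)}


def handle_call(events):
    """Route caller-leg events: ("speech", text), ("dtmf", digit), ("agent", "start_capture").

    Outside capture, tones pass through like any IVR keypress. During capture they
    are consumed here: the agent and recorder get no tone, only a masked indicator."""
    legs = CallLegs()
    capturing = False
    fields = []   # completed fields in order: PAN, expiry, CVV (each terminated by '#')
    buf = ""
    result = None
    for kind, payload in events:
        if kind == "agent" and payload == "start_capture":
            capturing = True
            legs.agent_screen.append("capture started")
        elif kind == "speech":
            # The voice path stays open in both directions for the whole call.
            legs.agent_hears.append(payload)
            legs.recording.append(payload)
        elif kind == "dtmf" and not capturing:
            legs.agent_hears.append(payload)
            legs.recording.append(payload)
        elif kind == "dtmf" and payload == "#":
            fields.append(buf)
            buf = ""
            legs.agent_screen.append(f"field {len(fields)} received")
            if len(fields) == 3:
                result = submit_to_processor(*fields)
                fields.clear()          # drop card data as soon as the processor has answered
                capturing = False
                legs.agent_screen.append(f"{result['status']} {result.get('masked_pan', '')}".strip())
        elif kind == "dtmf":
            buf += payload
            legs.agent_screen.append("*" * len(buf))   # masked progress only
    return legs, result


def sample_call():
    """A constructed call: greeting, capture of PAN, expiry and CVV, then sign-off."""
    events = [("speech", "Hi, I'd like to pay my premium."),
              ("agent", "start_capture"),
              ("speech", "Entering it now.")]
    events += [("dtmf", d) for d in TEST_PAN] + [("dtmf", "#")]
    events += [("dtmf", d) for d in "1229"] + [("dtmf", "#")]
    events += [("dtmf", d) for d in "123"] + [("dtmf", "#")]
    events.append(("speech", "Done."))
    return handle_call(events)


if __name__ == "__main__":
    legs, result = sample_call()
    print("agent heard:", legs.agent_hears)
    print("recorded:   ", legs.recording)
    print("screen:     ", legs.agent_screen)
    print("processor:  ", result)
```

The point of the model is where the decision is taken: the tone is dropped at the capture component, so nothing downstream has to be trusted to redact it, and the recorder and the agent's desktop only ever hold the masked form and a reference.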
What is PCI DSS?
PCI DSS originally began as five different card company programmes, which were aligned to create the Payment Card Industry Data Security Standard (PCI DSS). With high-profile security breaches increasingly common in the media, complying with the PCI standards has never been more important for companies wishing to take payments over the phone. PCI compliance firms up your corporate security and gives your customers added peace of mind when divulging their private card details. Companies often think PCI compliance is all about building a security wall around vulnerable corporate areas such as databases and networks; this is not the case. Real PCI compliance means changing the culture of a company and building in security at every level and with every member of staff.
A secure PCI environment is as secure on the inside as it is on the outside.
In November 2013 the PCI Security Standards Council (PCI SSC), published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Version 3.0 became effective on 01 January 2014.
What are the risks of non-PCI compliance to my organisation?
Fines may be levied by each credit card company should your business become subject to data hacking, breaches in data protection, computer misuse or any form of data loss involving credit card details. These fines could be substantial, amounting to tens of pounds for each and every transaction since the breach; but the problem does not stop there. Any breach of security will be very damaging to your organisation’s reputation and brand image. You may also be held responsible for ongoing legal costs to cover identity fraud caused by the breach. Finally, should it be proven that a breach originated from your business, you may also be liable for punitive damages.
Who is liable?
It is not acceptable to assume that a service provider or reseller has, or is using, a PCI compliant solution. It is your organisation’s responsibility to conduct due diligence on your provider to ensure the solution you intend to use meets all of the PCI DSS controls. Many providers claim, and actively promote, that they are compliant when in reality they are not. It is prudent always to obtain a copy of the provider’s certificate of compliance and to confirm they have been audited by a PCI DSS approved QSA.
We don’t store card details, does PCI apply to us?
Even if your organisation does not store credit card details, you could still be subject to an attack causing breaches of PCI controls. Additionally, you must adhere to other PCI controls for any personal data you do store. If, as an organisation, you want to limit the potential for PCI breaches, do not take or store credit card details if you can help it. The simplest solution is often to outsource the entire PCI approved payment application to an external service provider, such as Callstream’s Vault.
As most of our transactions are online, do we take enough transactions over the phone to warrant compliance above level 4?
The number of transactions conducted over the phone, the internet and other channels is cumulative. It is the total number of transactions that is relevant, regardless of where or how they have been processed. For example, if an organisation takes fewer than 20,000 Visa/MasterCard transactions over the phone but processes over 1 million via the internet, it must meet all the controls for level 2 compliance for phone payments as well as for e-commerce.
Are we compliant if we purchase PCI DSS approved equipment?
Many organisations are investing high levels of capital expenditure in PCI DSS approved equipment to address the requirement to be approved. Although it is useful to have PCI compliant hardware and software to meet certain requirements, the organisation still has to meet ALL of the controls in order to pass the audit.
“Along with Callstream’s extensive experience of working with insurance businesses, Vault provides an excellent solution allowing us to rapidly meet PCI & FCA regulations.”
Nigel Taylor, Group Director, Coversure Insurance Services