Our latest research has shown that failing to comply with PCI-DSS could be more costly than realised.
Callstream surveyed 2,000 consumers who had recently bought insurance through a call centre on whether insurers’ and brokers’ lack of PCI compliance would affect their buying habits:
63% of consumers surveyed would avoid an insurer or broker whose call centres were clearly not PCI compliant in the way they took payment details
75% of consumers surveyed would go elsewhere if the insurer or broker had actually been fined for non-compliance
As of 1st January 2015, all call centres – including those selling insurance policies – must comply with version 3 of the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is not legislation but an industry standard that the card schemes enforce contractually through acquiring banks; it requires anyone who handles debit or credit cardholder data to take prescribed steps to reduce the risk of fraud. Compliance is compulsory for any UK merchant that accepts, processes, stores or transmits cardholder data, which includes insurers and brokers taking card payments over the phone. Failure to meet these requirements can leave a merchant liable to fines of tens of thousands of pounds.
This follows on from Callstream’s research into PCI-DSS compliance released in July last year. This market analysis discovered that, with only months to go to the deadline, 99% of call centres were failing to take the necessary steps to follow the rules and protect their customers’ payment details.
“Consumers are better informed about security legislation than we may think. Even if they don’t know the exact rules, they know the risks of giving their payment card details through insecure channels, such as verbally to a call centre agent – and they are voting with their feet,” said Mick Crosthwaite, CEO, Callstream. “For those brokers that are not compliant, the question is no longer ‘if’ they will lose customers, but ‘when’ and by how much this attrition will affect new business.”
“Most of the insurance industry is failing to minimise the risk of a security breach by ensuring that those credit card details have no contact with IT infrastructure or staff, and to achieve PCI compliance”, continued Crosthwaite, “and consumers are now too aware of the risks and insurers’ requirements to tolerate such poor service. If the threat of fines and penalties has historically failed to encourage compliance, surely the real danger of lost new business will make the industry sit up and take notice?”
Callstream achieves PCI compliance for its customers through Vault – our Level 1 call centre PCI compliance technology for the insurance industry. Callers enter their card details on their telephone keypad, and Vault suppresses the DTMF tones so that they are not audible to call recording systems or to call centre agents. The digits are forwarded directly and securely to the insurer’s card payment gateway and are not stored by the broker, so the full card number never reaches the broker’s recordings, agents or IT systems; keeping cardholder data out of those systems is what takes them out of PCI-DSS scope. The dialogue between caller and agent continues to be recorded throughout, which satisfies FCA recommendations on call recording. One practical caveat: the protection applies only to keyed digits, so a caller who reads the number aloud instead will still be captured by the recording, and agents must steer callers to the keypad.
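As an added illustration of the scope-reduction idea in the paragraph above (this is example code written for this page, not Callstream’s Vault, whose internals the page does not describe), the following Python models a proxy sitting between the caller and the contact centre. Keypad digits entered during capture are diverted into a short-lived buffer and replaced by a mask on the leg the agent hears and the recorder stores; on the terminator the number is Luhn-checked, handed to the gateway, and wiped, and the broker’s log keeps only the last four digits. The `SPEECH:`/`DTMF:` event encoding, the `txn-` reference and the in-memory stand-in for the gateway call are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Event encoding is constructed for this example: a call leg delivers either
# speech frames ("SPEECH:<text>") or keypad presses ("DTMF:<key>"), roughly
# the way RFC 4733 telephone-event packets ride alongside the audio stream.

PAN_RUN = re.compile(r"\d{13,19}")  # any digit run long enough to be a card number


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to reject mistyped numbers before they reach the gateway."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(records: List[str]) -> bool:
    """Scope check: does any record on this leg contain something that looks like a full PAN?"""
    return any(PAN_RUN.search(r) for r in records)


@dataclass
class DtmfMaskingProxy:
    """Sits between the caller and the contact centre.

    Everything the agent hears and the call recorder stores goes through
    agent_leg. PAN digits keyed during capture are diverted into _buffer,
    forwarded to the gateway on '#', then cleared, so the recording, the
    agent and the broker's log never hold the full card number.
    """
    agent_leg: List[str] = field(default_factory=list)          # agent audio + call recording
    broker_log: List[str] = field(default_factory=list)         # what the broker is allowed to keep
    gateway_requests: List[Dict[str, str]] = field(default_factory=list)  # stand-in for the gateway
    _buffer: List[str] = field(default_factory=list)            # short-lived PAN digits
    capturing: bool = False
    _seq: int = 0

    def start_capture(self) -> None:
        """Agent triggers this when the caller is asked to key in the card number."""
        self.capturing = True
        self._buffer.clear()

    def handle(self, event: str) -> Optional[str]:
        """Process one event; returns a gateway reference when a payment is submitted."""
        if not event.startswith("DTMF:"):
            self.agent_leg.append(event)      # speech keeps flowing and is recorded as normal
            return None
        key = event[len("DTMF:"):]
        if not self.capturing:
            self.agent_leg.append(event)      # IVR menu presses outside capture pass through untouched
            return None
        if key == "#":                        # terminator: submit what was keyed
            return self._submit()
        if key.isdigit():
            self._buffer.append(key)
            self.agent_leg.append("DTMF:*")   # tone suppressed: agent and recorder get only a mask
        return None                           # '*' and anything else during capture is dropped

    def _submit(self) -> Optional[str]:
        pan = "".join(self._buffer)
        self._buffer.clear()                  # no retention of the PAN by the broker
        self.capturing = False
        if not luhn_ok(pan):
            self.agent_leg.append("SYSTEM:card number rejected, please re-enter")
            self.broker_log.append("payment attempt rejected: luhn check failed")
            return None
        self._seq += 1
        ref = f"txn-{self._seq:04d}"          # hypothetical gateway reference
        # In a real deployment this request goes over TLS to the acquirer's gateway;
        # here it is kept in memory so the example runs offline.
        self.gateway_requests.append({"ref": ref, "pan": pan})
        self.broker_log.append(f"payment {ref} submitted, card ending {pan[-4:]}")
        self.agent_leg.append(f"SYSTEM:payment {ref} submitted, card ending {pan[-4:]}")
        return ref


def run_sample_call(pan: str) -> DtmfMaskingProxy:
    """Replay a constructed call: greeting, capture, keypad entry, terminator, sign-off."""
    proxy = DtmfMaskingProxy()
    proxy.handle("SPEECH:agent: I'll take the payment now, key in your card number then press hash")
    proxy.start_capture()
    for d in pan:
        proxy.handle(f"DTMF:{d}")
    proxy.handle("DTMF:#")
    proxy.handle("SPEECH:agent: thank you, that has gone through")
    return proxy


if __name__ == "__main__":
    call = run_sample_call("4111111111111111")   # standard test PAN, Luhn-valid
    print("gateway saw:", call.gateway_requests)
    print("recording/agent leg:", call.agent_leg)
    print("broker log:", call.broker_log)
    print("PAN on agent leg?", contains_pan(call.agent_leg), "in log?", contains_pan(call.broker_log))
```

The `contains_pan` check is the useful part for an assessor: run it over the recording transcript and the broker’s logs after a test call and the full number should never appear, while the gateway request still carries it.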