By Aaron Lumnah, Senior Manager, Marketing Demand Generation
For many small and medium sized enterprises (SMEs), capturing sales – and retaining customers – increasingly depends on managing the risks and vulnerabilities associated with telephone-based payment environments, while providing the best possible customer experience.
When it comes to paying bills or buying goods and services over the phone, today’s consumers expect to be able to relay their debit and credit card details without a second thought. Consequently, they must feel confident that the company they are dealing with is handling their payment card and other personal data securely.
But that’s not the only challenge facing smaller businesses who accept telephone payments.
If a merchant loses a customer’s credit card details – in other words, suffers a data breach – and is not compliant with the appropriate security standards and regulations, they not only will be liable for the costs relating to the fraud itself. They could also face some potentially significant fines that will be difficult for the business to recover from.
PCI DSS – What Is It and Why Is It Important?
Credit card fraud is on the rise worldwide – and card not present fraud (CNP) has become a particularly easy method for criminals, who only need to obtain a few pieces of data (account number, cardholder name, expiration date or card verification code) to commit their crime. All these data points, in addition to other personally identifiable information, such as a postal code and shipping address, are typically provided by the cardholder during a telephone transaction.
For this reason, the major credit card brands have taken preventative action and created a set of widely accepted security standards known as the Payment Card Industry Data Security Standard (PCI DSS) that requires all merchants, regardless of size, to adhere to them in order to maintain the privilege of processing card payments. . These requirements are designed to reduce merchant risk and protect against payment data theft.
The PCI Security Standards Council (PCI SSC), the consortium of card brands maintaining the PCI DSS, requires smaller merchants and service providers submit a that is designed to check and validate they have appropriate security controls in place for protecting cardholder data.
Achieving PCI DSS compliance is a complex and challenging task, even for large enterprises. It’s an even more difficult arena for smaller resource-strapped businesses who need to navigate, understand and adhere to these formal compliance requirements.
Tackling the Challenge of Protecting Data – DTMF Masking Solutions
For many smaller businesses, achieving full compliance involves significant expense and changes to the IT and telephony infrastructure they can ill afford.
There are many methods that small contact centers and merchants often resort to in an attempt to reduce card fraud. These can range from physical methods, such as clean rooms, where pens, paper and mobiles are prohibited to using pause and resume – or pause-and-resume call recording – to prevent sensitive and confidential data from entering the call recording environment.
However, none of these approaches delivers the bullet-proof or sustainable operational compliance that’s needed.
The best way to prevent security exposure in the payment process is to eliminate – or de-scope altogether the customer card data that is held in their systems. The PCI SSC, as stated in their Guidance for Protecting Telephone-Based Card Payments, advises that the most effective methods available for securing phone payments can be found in DTMF masking. One such solution is Semafone’s Cardprotect Voice+, an award-winning DTMF masking solution which makes it possible for customers to enter their card payment number discretely and directly into their telephone keypad, rather than reading them out loud to an agent on the line.
Since all DTMF-tones are masked, payment details can’t be accidently captured on call recordings or interpreted by agents. Plus, agents are able to stay in contact with callers for the entire duration of the call as they use their keypad to make payments and provide support and instructions on the input process.
Because all sensitive payment information is transmitted directly to the payment service provider (PSP), no sensitive payment data enters the contact center organization, drastically reducing the scope of PCI DSS compliance.
Making It Easy and Affordable for SMEs to Take Secure Phone Payments
Here at Semafone we’ve made it both easy and affordable for smaller merchants and contact centers to take advantage of this enterprise-grade security and data protection solution for their own business.
Today’s SMEs can now quickly deploy Semafone’s Cardprotect Voice+ quickly and easily directly from the cloud. With flexible packages that are ideal for a range of small- to medium-sized enterprises – from a start-up with one or two customer service representatives (CSRs) to a contact center with up to 100 agents – you can scale the service up or down as required and take advantage of highly flexible payment options.
Designed to help SMEs that want to initiate a frictionless payment experience for customers and take the headaches out of achieving PCI DSS compliance, the solution features a choice of customizable options and easy integration into your existing business applications.
One thing is for sure, in the future, SMEs will no longer have to choose between cost or compliance where PCI DSS compliance is concerned. With solutions like Semafone’s Cardprotect Voice+, protecting reputations and customers doesn’t have to be an expensive or complex exercise.