One of the UK’s leading holiday letting agencies, The Travel Chapter is home to a growing network of brands that includes holidaycottages.co.uk, Big Domain, Canine Cottages, Farm Holidays, and Sally’s Cottages.
Handling over 35 million visits a year, the firm is dedicated to delivering exceptional service to owners and customers alike. Its diverse collection of holiday homes extends from quirky cabins and yurts to grand houses and castles, all set in some of the country’s most desirable locations.
Ambitious growth plans, fueled by a bold acquisition strategy, meant The Travel Chapter wanted to radically reduce the number of requirements it has to meet to maintain PCI DSS compliance for its contact center operations.
Streamlining how it manages compliance would not only help simplify the integration of new brands into the group’s operations; it would also minimize overall PCI DSS workloads and costs for the fast-growing business.
“Managing PCI DSS compliance is a time-consuming and onerous task that is only set to increase in complexity. We wanted bullet-proof certainty we could maintain an exceptional security posture, no matter how our business evolves – or how future compliance standards and requirements develop,” explains Tim Brading, Head of Technology Operations at The Travel Chapter.
The aim of the game was to find a reliable and efficient way of delivering a seamless and consistent payment experience for every customer calling into the contact center, while assuring the highest possible level of protection for agents and customers.
“Our goal was to proactively manage and reduce operational and brand risk, to the benefit of all stakeholders,” confirms Tim. “Any breach event, anywhere in the business, instantly puts card payments into the spotlight. By keeping customers’ card data out of our business environments we’d be able to demonstrate this sensitive information could not have been compromised.”
A Complex Set of Needs
Based at the company’s head office in Bideford, Devon, the contact center’s 90-strong team of reservation agents is available seven days a week. Flexible workforce policies and business continuity plans give shift teams the option of working from home, so keeping sensitive information out of these remote working environments would also be critical.
“We value and trust the people who work for us, so shielding them from any potential risk when they are not operating within the contact center itself is very important to us,” explains Tim. “We needed a resilient and streamlined way to keep our customers’ credit card information secure – which meant not exposing agents to this information in the first place.”
No easy task when The Travel Chapter is also obliged to record all customer calls for legal and regulatory reasons.
“We offer travel insurance as part and parcel of our service to customers, which means we have to adhere to the Financial Conduct Authority’s regulations on the recording of all customer communications,” said Tim.
Agents were utilizing a ‘pause and resume’ system to ensure sensitive payment card details weren’t captured on call recordings, but the technology wasn’t foolproof. If this system failed, the contact center agent would be unable to take a payment, and the customer would then be transferred to a different agent to complete the transaction. Not only was this an extremely inefficient process, it also delivered a disrupted and poor customer experience.
“Finding a way to mask these details at the point of payment would eliminate this potential risk permanently – freeing agents to get on with helping customers without having to worry about potential PCI DSS compliance violations and transferring calls unnecessarily.”
Determined to descope the company’s contact center environment, The Travel Chapter quickly dismissed the option of outsourcing all payment transactions to an external accredited contact center.
“This meant our agents would have had to forward customers to an external provider, picking up the call again when a payment transaction was completed. Introducing additional complexity into the customer journey and taking calls out of our queuing process wasn’t ideal from either an operational or CX perspective,” explains Tim.
Instead, the decision was made to look for a dual-tone multi-frequency (DTMF) masking solution that would enable agents and customers to stay in constant communication for the entire duration of a call. Plus, since DTMF masking technology meant no sensitive card data could ever be heard or seen by agents, there would be no need to pause or resume calls. Everything is obscured for security purposes so it can’t be accidentally recorded.
Feedback from the booking agents has been extremely positive and the newly streamlined payment process has helped boost contact center operational efficiency, making it easier for agents to handle a sustained spike in customer demand for UK staycation holidays that has seen call volumes escalate in the past year.
“All our agents hear is flat tones on the line and can only see asterisks on the secure payment screen, but they are able to stay on the line to continue the conversation during and once the payment transaction completes.”
Semafone’s Cardprotect Voice+ secure payment solution ticked the box for every requirement we had. Once our reservation agents initiate Semafone’s SecureMode, customers are invited to use their telephone keypad to enter their payment information which is instantly transmitted to our payment service provider.
Tim Brading – Head of Technology Operations, The Travel Chapter
The simplified payment environment has not just proved a winner with call center agents and customers; it has also enabled The Travel Chapter to initiate a future-proof PCI DSS compliance strategy that both reduces risk to the business and streamlines operational efficiencies.
“In terms of reducing risk, I no longer have to worry about the PCI DSS status of new acquisitions because we have a scalable standardized solution that descopes all our contact center activities. And, because no card payment data ever touches our systems, processes or agents, we’ve significantly reduced the amount of PCI DSS controls in the business – giving me back valuable time each month that I can focus on more strategic business projects.
“With new PCI DSS standards and processes constantly on the horizon, we are no longer responsible for ensuring we keep up to date with the latest procedures and security controls – as a PCI DSS Level 1 Service Provider, Semafone now takes care of all that on our behalf,” concludes Tim.