The Health and Care Professions Council (HCPC) regulates 16 different professions within the health and care sector, including chiropodists, clinical scientists, dietitians, occupational therapists, orthoptists, paramedics and physiotherapists. The Council ensures that standards are maintained for training, professional skills, behaviour and health within these professions; anyone wishing to
use these titles must be registered with HCPC in order to practice legally.

The Challenge

Health and Care Professionals renew their registration every two years in order to continue practicing using their protected title. This means that HCPC takes registration fees on a regular basis. While many people choose to pay via direct debit or online, there is still a significant number of practitioners who prefer to make payments over the phone. This is sometimes as a result of a problem with an electronic payment or because an individual decided to pay immediately following a telephone query.

Alternatively, it can be simply a matter of personal preference. As a regulator, HCPC has to adhere to the highest industry standards. For payments, this involves compliance with the Payment Card Industry Data Security Standard (PCI DSS), which governs the way organisations handle customer payment card data. HCPC’s legacy system for taking payments over the phone made PCI DSS compliance impossible, so the organisation needed to find a new solution.

Finding A Comprehensive Solution

Transparency and openness are two of HCPC’s organisational values, and importance is placed upon adhering to these in its work with registrants and
employees alike. The organisation quickly realised that many of the measures required to achieve compliance with the PCI DSS would compromise this; in particular a “clean room” policy, which would have severely restricted the freedom of registration agents, prohibiting pens, paper and mobile phones from work stations. Instead, the team needed to find a technology-based solution
that would relieve employees from the responsibility of handling customers’ credit card information. An additional challenge was the fact that HCPC records all calls with registrants; the PCI DSS specifically prohibits the recording of any sensitive authentication data.

HCPC brought in a third party, the National Computing Centre (NCC), to help find a solution. After a rigorous selection process, Cardprotect from Semafone was chosen. Cardprotect allows the caller to enter their own card details into the telephone keypad. The numbers are sent directly to the acquiring bank, and the agent can neither hear nor see them; and the sound made by pressing the keys is disguised by dual tone multi frequency (DTMF) masking technology, so they cannot be identified.

Semafone was selected for two key reasons. Firstly, Cardprotect was the only solution that did not operate on the principle of “pause and resume”, which involves pausing the call recording at the point of payment while numbers are read out loud. The pause and resume method relies heavily on the agent pressing the right button at the right time and is therefore susceptible to human error. It also means that the agent can still hear sensitive card data and so the agent is subject to rigorous security checks.

Secondly, the experience for both the agent and the customer is significantly improved using Cardprotect – the agent is able to continue to talk on the phone throughout the payment process, offering assistance if any problems arise. Agents are released from the cloud of suspicion and from onerous clean room measures. PCI DSS compliance challenges are removed, and agents are freed up to do their jobs.


The first implementation took place in 2011 on HCPC’s single site in Vauxhall. The go-live was very straightforward, with the new system bolting onto the organisation’s existing infrastructure. To train agents, Semafone first instructed a group of “super users” how to use the system. Once these were up to speed, they went on to train the rest of the team.

As a testament to the successful, longstanding relationship between the two companies, HCPC migrated Semafone’s Cardprotect solution from old ISDN lines onto SIP trunks in 2016 when it decided to upgrade its entire system. SIP is highly scalable and offers HCPC increased flexibility, which is essential for resilience and business continuity. The adaptability of Semafone’s solution meant that HCPC could easily transfer its system and continue to take payments securely over the phone in its contact centre.


The ability to take payments securely and in full compliance with the PCI DSS has been fundamental to HCPC. “This is not a secondary or unimportant system,” explained Guy Gaskins, Executive Director of Information Technology & Resources at HCPC. “Our registration payments are essential to our operations and our position as a regulator means that our reputation is paramount. We must ensure that we adhere to the highest industry standards for security.”

“For our registrants, it’s a question of their livelihood. If they don’t renew their registration, they won’t be entitled to practice using their professional title. If someone contacts us to request payment of their fees by credit card over the phone and we have to tell them that the service isn’t available, you understandably have a very stressed person on your hands.”

“As an organisation, we uphold strong standards when it comes to data security. If we are to expect our own data to be handled securely, this is a service that we must also deliver to our registrants; they too deserve their data to be protected to the highest standard.”

Guy Gaskins – Executive Director of Information
Technology & Resources, HCPC

Another big benefit has been the smooth technical operation of the Semafone system; since implementing Cardprotect, issues with payments have reduced. “I can count the number of problems we’ve had on one hand. We just don’t get tickets raised about the system. What’s more, I don’t get requests for improvements to the Semafone system – that’s because it already does exactly what the team needs it to do.”

“Our employees have benefited from a fuss-free experience using the solution – everything from training to day-to-day use has been incredibly simple. Plus implementing Cardprotect has also meant that we don’t have to put arduous security restrictions on our team. By removing the air of suspicion hanging over agents as they take card payments, and the need for clean rooms to
ensure data security on the contact centre floor, we have been able to build a positive and open workplace culture.”