PCI-PAL is the Level 1 PCI DSS approved solution to your contact centre PCI problems. PCI-PAL allows contact centre agents to take credit card payments while in conversation with a caller in a PCI compliant fashion. PCI-PAL will remove your contact centre PCI risk, with sensitive credit card data restricted from entering your premises, network, and even your agents’ headsets. PCI-PAL can work within your current infrastructure and integration is easy with no effect on operational performance.
PCI-PAL is developed by IPPlus PLC, a group of companies specialising in the fields of contact centres and call handling technology. PCI-PAL was created to service the group’s 150 seat contact centre; PCI-PAL truly is a solution from contact centre people, for the contact centre industry.
Businesses are facing increasing pressure to become PCI compliant as the bank acquirers drive to improve security of payments globally. With cyber data theft on the rise, companies are moving to protect their organisation from potential reputational and financial loss that almost always follows a data breach.
How it works
The process for the caller is simple. At the point of payment, rather than ask the caller to speak their 16-digit PAN, expiry date, and security code (CVV2), your agent will ask them to enter these details using their telephone keypad. While this is happening, the key depressions are denoted by asterisks (****) on the agent’s desktop within the PCI-PAL Agent App. The caller and agent remain in conversation at all times. At no point during the call is the conversation channel interrupted.
PCI-PAL operates within our Level 1 PCI DSS compliant environment, where no card data is stored and communication between caller and agent continues throughout all phone calls.
Once all three sensitive elements are collected, the adviser hits the ‘Process Card’ button on screen which invokes a web communication between the PCI-PAL network boundary and your given payment service provider (PSP). Your PSP will instantly receive the data and respond with an authorisation or decline signal. A message is displayed to your agent within the PCI-PAL Agent App, and a back-end communication occurs from PCI-PAL to your back-end environment with all relevant payment details. There are various ways by which this process can be achieved, and we retain flexibility by controlling our own network
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by five major credit card companies (VISA, Mastercard, American Express, JCB, Discover) for businesses who handle cardholder information. The standard was designed to increase controls around cardholder data to reduce global credit card fraud.
Contact centres come under particular focus as a business area where fraudulent activity is higher than average. Call centre agents’ exposure to credit card data is high, and the requirements for the typical call centre operation to adhere to PCI compliance are extensive.
What’s the risk?
The risk to businesses handling sensitive cardholder data is significant, both regarding potential financial loss and brand image. The major card companies have indicated that fines can be as high as $500,000 for a total breach of sensitive cardholder data, with lesser penalties for general non-compliance with PCI standards. Of course, the financial ramifications may pale in comparison to the adverse effects on brand and reputation, with a loss of trust from consumers towards businesses with well publicised breaches.
Becoming PCI compliant is an expensive, time-consuming, and ever-evolving process. It involves invasive procedures, interrogating infrastructure and personnel at every level. For the contact centre, the problems range from the operational difficulties of clean room environments to the technical challenges of data encryption, deletion, and storage management.
What is the solution?
The solution is PCI-PAL. PCI-PAL allows contact centres to de-scope their PCI risk, preventing sensitive cardholder data from entering their network, but allowing agents to take card payments over the phone through operationally sound methods. The adviser remains in conversation with the caller at all times, ensuring a neat and secure process for the customer and the contact centre.