Robert Crutchington, director of payment solutions company Encoded, takes a closer look at contact centre payments…
The UK Contact Centre Decision-Makers’ Guide (DMG) revealed several surprises in terms of PCI compliance and card fraud reduction in its 15th edition. This major report studying the performance, operations, technology and HR aspects of UK contact centre operations is produced annually by analyst ContactBabel. Taking a random sample of the industry, 218 contact centre managers and directors answered a detailed structured questionnaire during the summer of 2017.
In the PCI DSS* Compliance and card fraud reduction section of the report there were three main surprises highlighted by the research:
- Pause and resume (or stop-start) recording, which aims to prevent sensitive authentication data and other confidential information from entering the call recording environment, remains consistently the most popular method of compliance, with 60% of respondents using it.
- The number of respondents using DTMF tone suppression, the often promoted alternative to pause and resume, fell from 22% last year to 14% this year.
- The cost of compliance is causing organisations to rethink how payments are taken in contact centres, with 7% of respondents no longer accepting payments in this way.
What do these surprises mean?
Increasingly at Encoded we are seeing that the requirements and costs associated with payment technology, processes and training outweigh the benefits of taking payments by phone in contact centres. However, there are ways to reduce these costs and the complication often associated with PCI DSS compliance.
For almost three-quarters of survey respondents, software and/or payment technology is the single largest cost associated with compliance (particularly in small and medium-sized operations), while in the largest contact centres, training staff in card fraud prevention techniques and processes is the greatest cost in 36% of cases.
It would appear the cost of compliance is therefore causing many organisations to rethink how they take card payments. We find an agent processing card details is still the preferred method and offers the best customer service, but there is confusion around the need for tone suppression (whereby DTMF tones are captured and altered, making them unidentifiable), and this in particular is pushing up the cost of technology to support card payments.
However, one of the other surprises of the report was that the use of DTMF tone suppression was down this year from 22% to 14%. While price and reliability may be contributing factors to this decline, there is the added problem of discrimination and a potential legal and social media backlash. Restricting the contact centre to accepting card data only via DTMF tones could mean that some people are effectively being discriminated against, by being unable to make a payment or finding it more difficult to do so, particularly if they are elderly or disabled in any way.
Therefore, it was good to see “pause and resume” still performing well. Despite some commentators claiming pause and resume is dead, ContactBabel’s report shows that it remains consistently the most popular method of compliance and is used by over 60% of respondents. It is typically far cheaper to implement than almost any other option and offers the highest level of customer service.
It was also good to see other less expensive options for maintaining PCI DSS compliance mentioned in the report, for example:
- Improving agent processes and training – according to the report, this is the second-most widely used method by contact centres. The relatively low cost of training and education about the risks can go a long way in making staff vigilant about safeguarding data. Regular training, including on the perils of phishing emails (often a far bigger risk than a rogue staff member writing the odd card number down), can prove vital to securing data.
- IVR Payments – although used by only a few, especially large contact centres, an automated IVR process to take card details from the customer cuts the agent risk out of the loop entirely.
- Third-Party Cloud-Based Payment Solution – no cardholder data is passed into the contact centre environment, whether infrastructure, agents or storage. As such, this can de-scope the entire contact centre from PCI compliance, but does rely on the security processes and operational effectiveness of the service provider.
Before implementing any new technologies or processes relating to achieving compliance, it’s important to consider the level of risk, the time and effort required to complete self-assessment questionnaires (SAQs), the cost of technology and the effect on customer experience.
Whatever solution a contact centre employs, if compliance is being achieved at the expense of customer service, then maybe it’s time to think again.
*Payment Card Industry Data Security Standard (PCI DSS) – the creation of five of the largest card providers: VISA, MasterCard, American Express