Beware third party payment processing services for your contact centre…

Contact centres need to pay close attention to the guidance from the PCI Security Council as MOTO (mail order telephone order) transactions become a target for fraud.  Choosing a payment processing solution carefully is more important than ever as merchants are ultimately liable for any breach of their account.
A common solution is to outsource the payment processing function to a compliant third party, to remove card holder data from the contact centre environment altogether, either by intercepting calls outside of the network or transferring calls at the point of payment. Job done? It can be – however, there are some gotchas that may in fact bring your organisation into scope of PCI DSS compliance and therefore in the firing line if the worst happens….

Here are some checks that will help you make the right choices and protect your organisation from the devastating consequences of being responsible for the loss of your customers’ payment information:

  1. Review your call flow and identify the mechanism by which calls are routed via your third party supplier. If this is within your infrastructure or under your control, it is within scope of the PCI DSS and must be secured accordingly to achieve compliance. This may be your phone system, a desktop application or some third party equipment installed on your premises. If anything or anyone, within your organisation, can effect the call flow in any way then it is your responsibility if that facility becomes compromised and your business is in scope of PCI DSS and must therefore meet the standard to avoid liability.
  2. Review your contracts to ensure that your supplier is accepting responsibility for the security of card holder data, and that you are aware of your responsibilities for system components within your infrastructure or under your control.
  3. Regulary check that the solution is working as expected by reviewing call recordings, call flows and business processes. Especially important when onboarding new campaigns, moving premises or deploying new software – bake this into your processes!
  4. Finally, ensure that your backup and disaster recovery processes are fully compliant in the event that your supplier becomes unavailable.

For more information, click here.

Tom Davies
Technical Director, Ultracomms

Tom currently heads up Research and Development at Ultracomms and has a seat on the Contact Centres Council for the Direct Marketing Association in the UK. With a background in Electronic and Software Engineering, Tom co-founded Ultracomms in 2004, building the first cloud contact centre service offering in Europe. In 2007, Tom led the team that developed the Ultracomms PaySure product portfolio in response to the emerging PCI standards, and has since worked with Ultracomms’ customers and QSA partners to secure their contact centre payment processes. Tom helped Ultracomms achieve their own PCI DSS Level 1 Service Provider status for delivering contact centre services from the cloud in 2016. To contact Tom, email

How contact centres can achieve and action real operational visibility

Contact centres have come a long way from the days of operational improvement being down to guesswork.In as little as the last 5 or 6 years, the capabilities of technologies available to call...

How to make your data work harder: 6 steps to better contact centre reporting

In our last blog, we looked at which platforms can give contact centres real operational visibility, and offered some advice on how those at the helm could use the insights from these data sources...

How to adapt your Customer Experience to the 'New Now'

During these difficult times, most businesses have experienced a negative impact on staffing. 


Take advantage of Ultracomms solutions

Let's chat