Beware third party payment processing services for your contact centre…

Contact centres need to pay close attention to the guidance from the PCI Security Council as MOTO (mail order telephone order) transactions become a target for fraud.  Choosing a payment processing solution carefully is more important than ever as merchants are ultimately liable for any breach of their account.
A common solution is to outsource the payment processing function to a compliant third party, to remove card holder data from the contact centre environment altogether, either by intercepting calls outside of the network or transferring calls at the point of payment. Job done? It can be – however, there are some gotchas that may in fact bring your organisation into scope of PCI DSS compliance and therefore in the firing line if the worst happens….

Here are some checks that will help you make the right choices and protect your organisation from the devastating consequences of being responsible for the loss of your customers’ payment information:

1. Review your call flow and identify the mechanism by which calls are routed via your third party supplier. If this is within your infrastructure or under your control, it is within scope of the PCI DSS and must be secured accordingly to achieve compliance. This may be your phone system, a desktop application or some third party equipment installed on your premises. If anything or anyone, within your organisation, can effect the call flow in any way then it is your responsibility if that facility becomes compromised and your business is in scope of PCI DSS and must therefore meet the standard to avoid liability.
2. Review your contracts to ensure that your supplier is accepting responsibility for the security of card holder data, and that you are aware of your responsibilities for system components within your infrastructure or under your control.
3. Regulary check that the solution is working as expected by reviewing call recordings, call flows and business processes. Especially important when onboarding new campaigns, moving premises or deploying new software – bake this into your processes!
4. Finally, ensure that your backup and disaster recovery processes are fully compliant in the event that your supplier becomes unavailable.

For more information, click here.

Tom Davies
Technical Director, Ultracomms

Tom currently heads up Research and Development at Ultracomms and has a seat on the Contact Centres Council for the Direct Marketing Association in the UK. With a background in Electronic and Software Engineering, Tom co-founded Ultracomms in 2004, building the first cloud contact centre service offering in Europe. In 2007, Tom led the team that developed the Ultracomms PaySure product portfolio in response to the emerging PCI standards, and has since worked with Ultracomms’ customers and QSA partners to secure their contact centre payment processes. Tom helped Ultracomms achieve their own PCI DSS Level 1 Service Provider status for delivering contact centre services from the cloud in 2016. To contact Tom, email tom.davies@ultracomms.com.