New regulatory guidance will turn up the pressure for companies that rely on home workers for customer service, writes Ben Rafferty, Chief Innovation Officer at the data security software company Semafone.
According to the TUC, around 1.5 million people regularly work from home in the UK alone, and many more would like to do so if they had the opportunity. When it comes to customer service, brands have long recognised the model for its flexibility: it lets them employ home workers to boost numbers in busy times without incurring the overhead costs of additional workstations in a contact centre. And it’s a model that works well for employees. In the spirit of the gig economy, customer service agents can work hours that suit them, and with commuting times on the rise, they can save the hours spent travelling into the office.
When it comes to taking payments, however, brands need to pay attention to new guidance that has been issued by the Payment Card Industry Security Standards Council – the first update since 2011. Many customers who call to enquire about a product or service – whether that’s an item on an ecommerce site, an insurance policy or charitable cause – inevitably will want to complete a financial transaction at the same time. But the rules on handling this just got stricter.
Taking payments over the phone has always been a particularly tricky security issue. The Payment Card Industry Data Security Standard (PCI DSS), created by the major credit card companies to protect their customers, has strict rules about how card data is treated. Sensitive authentication data, such as the three-digit number on the back of the card, must be handled with extreme care to protect it from cyber-criminals. When customer calls are recorded, for example, this three- or four-digit number must not be stored on the recording. Hundreds of checks and controls may be required if cardholder data is held in an IT or telecommunications system, meaning that it is “in scope” of the PCI DSS and its sometimes invasive audits.
For home workers, the problem is even worse. The brand cannot carry out the physical controls that can be exercised in a contact centre, such as prohibiting agents from carrying pens and paper and preventing them from having access to mobile phones or other devices that might be used to record or distribute numbers. For many organisations, this has meant that home-based workers are simply unable to take payments over the phone. For those organisations that choose to carry on asking customers to read out their numbers, one workaround has been to pause recording systems while a payment is made in order to avoid capturing the digits. Another has been to transfer the call to a separate system for the duration of the payment. The new guidance, however, means that these workarounds may lead to more invasive auditing when it comes to PCI DSS compliance.
The digital “softphones” used by most home-based agents can also cause headaches. If any card details spoken into the phone could potentially filter into the wider IT systems, then everything becomes “in scope” of PCI DSS and subject to its stringent controls.
Additionally, any cardholder data accidentally or otherwise captured in call recordings now brings more checks than ever. Qualified Security Assessors (QSAs), who are employed to assess a company’s compliance with security regulations, have been given clear guidelines regarding call recordings and the capture of sensitive card details. Using “pause and resume” systems, whether manual or automated, is no longer considered a guarantee that no card data has been captured. The position is simple: “Recordings may capture CHD or SAD if pause-and-resume is used, depending on the accuracy of the pause-and-resume process”.
The answer is to avoid asking customers to read card details out loud at all. Customers should be able to enter their own card numbers via their telephone keypad so that there’s no chance of anyone – including the agent – hearing them. It’s now possible to disguise the bleeps made by the keys so that the numbers can’t be identified by their sound. This means that the agent can continue to speak to the customer, and help out with any glitches, while the payment takes place. Systems like this also transmit the card details directly to the bank, so nothing is “in scope” of PCI DSS and there is no need to worry about the new guidance.
Home workers are likely to grow in importance in the customer service field. As more organisations choose to have smaller in-house teams, the ability to increase and decrease capacity easily and quickly is crucial. But the security of customer data is non-negotiable, so getting telephone payments right is essential. Whether you are a charity or a major brand, if you’re taking payments over the phone, don’t make your customers read their card numbers out loud. It’s just not worth the risk.
Case study: RNIB
One organisation that has enabled its home workers to take payments over the phone safely and securely is the Royal National Institute of Blind People (RNIB), which has 140 home-based telephone fundraisers. Many of its supporters and donors are elderly, while others are blind or partially sighted, and a large proportion of them prefer to speak to someone on the phone when they make a donation. Security is essential, as is compliance with the Payment Card Industry Data Security Standard (PCI DSS), but so too is a very high level of service for all of its supporters, no matter what their age or physical abilities.
The RNIB has used Cardprotect from Semafone, a solution that allows its supporters to input payment card details on their telephone keypad while they are still on the call. The numbers are obscured using dual tone multi frequency (DTMF) masking, so the agent cannot see or hear the numbers. This means that agents can stay in full communication with the customer at all times to help with any issues that arise during the payment process.
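To make the DTMF masking described above and in the earlier paragraph on keypad entry concrete, here is an added illustrative example (not Semafone’s code, and not the RNIB’s deployment). It models one leg of a call as 8 kHz audio, detects keypad tones frame by frame with the Goertzel algorithm, silences those frames before they reach the agent or the recorder, and routes the decoded digits to a separate channel; the sample rate, frame size, detection threshold and the constructed call audio are all assumptions.

```python
import math

FS = 8000          # sample rate in Hz (assumed: narrowband telephony audio)
FRAME = 200        # 25 ms analysis frames (assumed)
LOW = [697, 770, 852, 941]        # DTMF row frequencies
HIGH = [1209, 1336, 1477, 1633]   # DTMF column frequencies
KEYS = ["123A", "456B", "789C", "*0#D"]
THRESHOLD = 200.0  # Goertzel power floor (assumed; tuned for the constructed signal)

def goertzel_power(frame, freq):
    """Power of one target frequency in a frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Return the DTMF key present in a frame, or None if no valid row/column pair."""
    low = [goertzel_power(frame, f) for f in LOW]
    high = [goertzel_power(frame, f) for f in HIGH]
    r, c = max(range(4), key=low.__getitem__), max(range(4), key=high.__getitem__)
    if low[r] < THRESHOLD or high[c] < THRESHOLD:
        return None
    return KEYS[r][c]

def mask_dtmf(samples):
    """Split a call leg into (agent_audio, digits). Frames carrying a keypad tone are
    replaced by silence before reaching the agent or call recorder; the decoded
    digits go to a separate channel meant only for the payment processor."""
    agent_audio, digits, last = [], [], None
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        key = detect_digit(frame)
        if key is None:
            agent_audio.extend(frame)       # speech passes through untouched
            last = None
        else:
            agent_audio.extend([0.0] * len(frame))  # tone never reaches the agent
            if key != last:                 # a held key counts once
                digits.append(key)
            last = key
    return agent_audio, "".join(digits)

def tone(freqs, ms, amp=0.5):
    n = int(FS * ms / 1000)
    return [sum(amp * math.sin(2 * math.pi * f * t / FS) for f in freqs) for t in range(n)]

def dtmf(key, ms=100):
    r = next(i for i, row in enumerate(KEYS) if key in row)
    return tone([LOW[r], HIGH[KEYS[r].index(key)]], ms)

def demo_call(keys="2597"):
    """Constructed call leg: 200 ms of speech stand-in (300 Hz), then keyed digits."""
    audio = tone([300], 200)
    for k in keys:
        audio += dtmf(k) + [0.0] * (FS // 10)   # 100 ms tone, 100 ms gap
    return audio
```

Run `mask_dtmf(demo_call())` to see the speech segment survive unchanged while the keyed digits come back only on the separate channel.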
Catherine Lloyd, senior telemarketing manager at the Royal National Institute of Blind People said: “An increasing number of RNIB donors have high expectations when it comes to data security. As such, supporters have been impressed with the difference made by having a secure payment method via the phone; they have reported being happier with not having to verbally supply their card details when paying using the telephone. Many donors are elderly, while some are blind or partially sighted, so the simplicity of Semafone’s solution has been essential.”