Data security compliance is a growing concern for merchants and service providers that rely on outsourced contact centers, which may not be prepared for the surge in pandemic-related payment volume.
Because many agents at a call center or employees at small businesses take credit card information over the phone and input it into a computer or jot the numbers down on a piece of paper, they fall directly into the scope of Payment Card Industry data security standards by handling or storing that data.
PCI-DSS compliance solution provider Semafone wants to put an end to that type of security risk by providing
"In general, card-not-present remote transactions have definitely been impacted by COVID, there is no question about that," Semafone CEO Gary Barnett said. "Particularly with COVID, you have agents taking payment information who are working from home. The last thing you want to do is leave your credit card number with remote agents."
The practice of collecting card numbers in the voice channel without PCI controls is a legitimate problem, though mostly with smaller merchants, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"These practices of taking card data over the phone are absolutely contrary to PCI," Conroy added. "I think it goes back to the age-old topic discussed many times, that smaller merchants don't fully believe they are targets of cybercrime, so they do not take PCI compliance and cyber best practices as seriously as they should."
With its Cardprotect Voice+ service, Semafone delivers PCI compliance for outsourced service and business process providers by integrating with the Session Initiation Protocol, or SIP, telephone industry standard to immediately route the data away from the business IT network and move it to the payment service provider.
SIP integration does not come into play when protecting a digital channel like chat boxes or text messaging. In those cases, Semafone delivers its Relay Plus compliance software through API integration with partners or customers to embed the technology in their digital channels.
Semafone is partnering with DataDivider of Carlsbad, Calif., to address situations in which an agent is using a sales application provided from another business when selling services or products to a customer. An insurance broker selling different policies for different companies or a travel agent selling flights from various airlines would fall into this category.
"By tucking DataDivider technology into our solution, we are able to provide the same protection to those third-party applications accepting credit card data," Barnett said. "This removes the agent from scope of PCI even when on a third-party website they don't control."
Semafone and DataDivider operate as certified PCI-DSS Level 1 service providers.
Semafone also works with the contact center technology provider Avaya in assuring its PCI compliance software will work with Avaya technology, whether at a large or small business.
"When you call your bank or utility or any contact center of any size, there is a good likelihood that the center's tech was provided by Avaya," Barnett said. "We do extensive testing with Avaya to assure we work flawlessly together, and it's important to them because they have customers ask them often about PCI compliance, so our technology has to work with theirs."
Pancreatic Cancer UK, which works with researchers, policy makers, hospital partners and other health professionals to improve access to treatment and advance care for patients, turned to Semafone to bring its call center into compliance and protect card data during fundraising efforts.
"Despite lockdown restrictions, Semafone moved heaven and earth to get us up and running with a solution, and even spoke with our payment service provider to help move things along," Anne Davies, support care manager at Pancreatic Cancer UK, said in a written statement.
Semafone organized Zoom video training sessions for the center's team so that everyone was clear with how the system would work. "Everyone was familiar and confident with the system and knew how to monitor progress and deliver successful completion of donation transactions," Davies said.
Pancreatic Cancer UK continues to work with Semafone to expand upon its call center operations and fundraising efforts. They are investigating ways to potentially extend the solution by incorporating QR codes into direct mail letters that, when scanned, will take recipients directly to the personalized secure payment link, Davies added.
In working in both North America and the U.K. through Boston and Guildford offices, Semafone is monitoring which technologies are taking hold in each market. In the U.K. it is common for customers to input card numbers through their phone to initiate a transaction, whereas in North America it is not yet as prevalent.
Notably, the demands of PCI complaints aren't getting easier during the pandemic.
"To be PCI compliant becomes stricter and stricter all of the time, and that is good for us," Barnett said. "What worked a few years ago for PCI is not always going to work now. It highlights the importance of our solution."
And Semafone directly addresses a considerable problem in data security, Conroy noted. "Our research has shown that the contact center remains a primary point of compromise, because the human remains the weakest element in the security chain," she said.