Keep calls on the record - but beware eavesdroppers
You might be forgiven for assuming that the continued growth in online shopping will mean the death of telephone sales. Who would pick up the phone when they can order via a website? Do people really still want to flick through catalogues and place an order over the phone?
The answer is yes. Telephone sales are alive and well. And what's more, the number of transactions is growing in tandem with the growth in ecommerce - as more people shop online, more people pay by telephone. Many more shoppers will begin their search online, but they frequently find that they need assistance – they can’t see what they need on the website, or they don’t understand the process, or they simply prefer to make a payment to a person rather than a machine. If you have a helpline, you are wasting an opportunity if you don't accept payments via this channel.
As telephone payments increase, so do the security challenges. One of the most debated is that of call recording. There are many reasons why organisations may want to record telephone calls with customers. In the financial services industry, for example, the “Treating Customers Fairly” Act requires calls to be recorded in full if they concern the sale of particular regulated products. The Data Protection Act of 1998 also offers customers the right to copies of recordings if they believe they have been subject to mis-selling. Even in less regulated environments it can be difficult to demonstrate the principles of fairness and good customer service without comprehensive call records so the recording of calls is widely considered to be good practice in contact centres.
Call recording can mean that you face an awkward dilemma when it comes to payments, however. In order to reassure your customers that their card data is safe in your hands, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard strictly regulates the handling of credit and debit card data and prohibits the recording of any sensitive card numbers, such as the three-digit security code on the back of the card. So how can you take card payments over the phone from customers and still record the call without putting yourself in breach of the PCI DSS?
Essentially, you have three options.
Option 1: Don't take credit card numbers over the phone
As already discussed, being able to accept payments by phone is becoming more, not less, important, so you risk seriously damaging your business if you remove this option from your customers.
Option 2: Deal with the data
The most popular 'quick fix' solution to the recording dilemma has been what is known as the “pause and resume” method. This means that the call recorder is paused just before the customer reads out the numbers and resumed when they finish. There are a number of difficulties with this approach.
- It's unreliable: if it is paused manually, the wrong element can be removed by the agent either by accident or deliberately. If it's automated, there's nothing to stop the customer saying their number at the wrong moment.
- It makes the recording incomplete, which is unacceptable if it is needed for legal reasons.
- It leaves everything 'in scope'. If customer service agents are listening to card numbers and entering them manually into a system, then they themselves, their computers, their desktops and the entire infrastructure of the contact centre will be subject to strict checks and controls in order to be PCI DSS compliant.
Option 3: Remove the data altogether
This is by far the most effective system for securing telephone payments within a contact centre. If customers are able to enter their card details themselves and have these sent directly to the payment processor, the contact centre is “de-scoped” completely from PCI DSS, resulting in significant savings in costs and effort.
There are two ways of doing this:
A. Interactive Voice Response (IVR)
Here, the customer is handed over to a machine for the payment part of the transaction. A recorded voice and a series of menu options will guide them through the process. This is effective in solving the PCI DSS problem, but is unsatisfactory from a customer service point of view; any problems are likely to result in the customer abandoning the process – IVR has a high drop-out rate.
B. Remove the data
We have found that the only way to truly remove the contact centre and the call recording from the scope of PCI DSS is to send the card data directly from the customer to the bank. We have developed a method of masking the key tones so the agent doesn't see or hear the numbers and can't identify them by their sound. This means that they can be safely recorded along with the rest of the call. If the customer has more questions, or makes a mistake while entering the card details, the agent is still on hand to help.
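As an added illustration of the approach described above (example code written for this article, not the masking method or product the authors describe), the following Python models the key-tone leg of a call. The caller's keypad presses arrive as DTMF tone pairs; a Goertzel detector identifies them frame by frame; every detected frame, plus one guard frame on either side, is replaced with a single flat cover tone before the audio reaches the agent and the recorder; and the decoded digits are returned separately for hand-off to the payment processor. The caller audio is synthesised inline (constructed), and the frame size, thresholds, guard width and cover frequency are assumptions.

```python
import math

# Added example, not part of the original article. Sample audio is constructed
# inline; FRAME, MIN_POWER, MIN_RATIO, COVER_FREQ and the guard width are assumptions.

SAMPLE_RATE = 8000              # narrowband telephony, samples per second
FRAME = 205                     # classic Goertzel frame for DTMF at 8 kHz (25.6 ms)
COVER_FREQ = 400.0              # one flat tone replaces every key on the recorded leg
MIN_POWER = 0.02                # mean-square level below which a frame holds no key (assumed)
MIN_RATIO = 0.1                 # share of frame energy a DTMF bin must hold (assumed)

LOW_FREQS = (697, 770, 852, 941)        # keypad rows
HIGH_FREQS = (1209, 1336, 1477, 1633)   # keypad columns
KEYPAD = ("123A", "456B", "789C", "*0#D")


def key_frequencies(key):
    """Return the (row, column) tone pair that a keypad character produces."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c != -1:
            return LOW_FREQS[r], HIGH_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synth_keys(keys, tone_s=0.1, gap_s=0.1):
    """Constructed caller audio: each key as a dual-tone burst followed by silence."""
    out = []
    for key in keys:
        lo, hi = key_frequencies(key)
        for i in range(int(SAMPLE_RATE * tone_s)):
            t = i / SAMPLE_RATE
            out.append(0.5 * math.sin(2 * math.pi * lo * t) + 0.5 * math.sin(2 * math.pi * hi * t))
        out.extend([0.0] * int(SAMPLE_RATE * gap_s))
    return out


def goertzel_power(frame, freq):
    """Energy of `frame` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Return the DTMF key present in one frame, or None for silence/speech/noise."""
    n = len(frame)
    if n == 0:
        return None
    energy = sum(x * x for x in frame)
    if energy / n < MIN_POWER:
        return None
    lo_p = [goertzel_power(frame, f) for f in LOW_FREQS]
    hi_p = [goertzel_power(frame, f) for f in HIGH_FREQS]
    r = max(range(4), key=lo_p.__getitem__)
    c = max(range(4), key=hi_p.__getitem__)
    # a key needs one row tone AND one column tone to dominate the frame's energy
    if lo_p[r] < MIN_RATIO * n * energy or hi_p[c] < MIN_RATIO * n * energy:
        return None
    return KEYPAD[r][c]


def mask_dtmf(samples, guard=1):
    """Split the caller leg: (masked audio for agent/recorder, digits for the processor)."""
    frames = [samples[s:s + FRAME] for s in range(0, len(samples), FRAME)]
    keys = [detect_key(f) for f in frames]
    digits, last = [], None
    for key in keys:                      # one digit per run of identical detections
        if key is not None and key != last:
            digits.append(key)
        last = key
    masked = []
    for i, frame in enumerate(frames):
        # mask the detected frame and `guard` frames either side, so a key press that
        # straddles a frame boundary does not leave a fragment of the tone audible
        if any(k is not None for k in keys[max(0, i - guard):i + guard + 1]):
            start = i * FRAME             # absolute index keeps the cover tone phase-continuous
            masked.extend(0.5 * math.sin(2 * math.pi * COVER_FREQ * (start + j) / SAMPLE_RATE)
                          for j in range(len(frame)))
        else:
            masked.extend(frame)
    return masked, digits


def decode_keys(samples):
    """What a listener's DTMF decoder would recover from a stream (used to check the masked leg)."""
    return mask_dtmf(samples)[1]


if __name__ == "__main__":
    stream = synth_keys("1234")
    masked, digits = mask_dtmf(stream)
    print("digits for the payment processor:", "".join(digits))
    print("keys decodable from the recorded leg:", decode_keys(masked))
```

Running it prints the digits recovered for the payment leg and confirms that the same detector finds no keys in the masked leg. Two caveats a practitioner would want: the guard frames exist because a key press that straddles a frame boundary would otherwise leave a fragment of the tone audible, and masking covers keyed digits only, so a number the customer reads out aloud is still speech on the recording, which is exactly the weakness of the pause-and-resume method.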
For peace of mind, companies have two real options: keep spending on security to stay one step ahead of the bad guys, or hand your card data in its entirety over to payment specialists. The second of these options is becoming increasingly appealing: make it someone else's headache, and keep on talking to your customers.