6 steps to card payment security in call centers
- Payment card data can no longer be seen, heard or stored in contact centers & call recordings
- Improves customer experience & call handling times whilst reducing miskeying
- Flexible on-premise & cloud deployment options
Syntec’s patented CardEasy system lets your customers enter their card numbers using the touchtone keypad of their own phone, mid-call in conversation with the agent or using customer self-service autopay (IVR). This technology is called ‘DTMF masking’ as the dual tone multi frequency tones are suppressed, so as not to be fully audible or visible.
This de-scopes your call center and call recordings from PCI DSS, reducing the risk and costs associated with managing card payments in your contact center, whilst improving customer trust, call handling times and lost transaction rates.
Watch our demo to see how CardEasy works.
CardEasy enables you to fully comply with PCI DSS as follows:
- Your agents will not be exposed to callers’ sensitive card numbers
- Card numbers will not be stored in your call recordings or captured in screen recordings
- As the sensitive card numbers do not enter your contact center or network, this de-scopes this environment almost completely from PCI DSS regulations and audit requirements
Your agents can talk to the caller throughout to control the call and transaction
CardEasy also offers a customer self-service autopay option (IVR) for 24/7 service and when no agent assistance is required (such as balances payable, utility bills, charity donations and subscriptions)
- CardEasy helps GDPR compliance by avoiding capture and storage of the card data.
Note on ‘pause and resume’ (‘stop/start’) for call recording: this partial solution can still leave agents exposed to card data, whilst the the contact center remains in scope of PCI DSS regulations and exposed to the risk of fraud.
CardEasy live video demo
- A caller wishes to pay by card over the phone
- The contact center agent initiates a request for card authorization in mid-conversation with the caller
- The caller is prompted to enter their card number via their telephone keypad (DTMF/ dual tone multi frequency touchtones, which are masked)
- Audio from the agent to the caller remains open throughout
- Audio from the caller to the agent is cut briefly while they enter the middle six digits of their long card number (PAN) and CV2 on their phone keypad, to ensure that the agent (and call recording) cannot be exposed to the card numbers even if the caller reads out the numbers whilst entering them
- The complete call can be recorded but the sensitive DTMF tones are masked from the recording as well
- The agent is alerted via their screen when payment has been authorized
- Tokenisation, BIN look-up, recurring & multiple payments and multiple currencies are all supported.
Taking payment using CardEasy
What’s in scope before and after using CardEasy?
- PCI DSS has 12 main requirements. Within those requirements are various ”controls” that relate to the requirement title
- Red crosses show where controls need to be put in place by the merchant to achieve compliance (assuming no controls at present)
- Green ticks show where CardEasy removes the need for such controls for MOTO payments as it largely de-scopes your call/contact center environment from PCIDSS
- Legacy pause & resume solutions only resolve a handful of controls as they only de-scope the call recorder.
- From a PCI DSS perspective, using the CardEasy cloud offers you has the greatest control reduction opportunity.
- For merchants processing less than 6 million transactions a year, choosing CardEasy cloud solutions can allow for SAQ-A compliance, requiring only requirement 12 to be completed.
The following technical diagram illustrates what’s typically in scope of PCI controls before and after deploying CardEasy (the red shaded areas are in scope).
Using CardEasy saves you time and money by taking your call center operations out of scope from PCI DSS controls, whilst removing the need for time consuming oversight and PCI audits. Set up costs are low and ongoing managed service costs are ‘per agent’ or ‘per channel’ depending on your organization’s requirements, so can be linked directly with your channel/agent utilisation.
Automatic speech recognition (ASR)
Merchants are sensitive to the need for callers to be able to make payment by whichever means preferable or comfortable for the customer, even if they may have a disability which makes use of their phone handset difficult for DTMF touchtone entry of their payment card numbers.
To cater for this small but important minority of users, Syntec offers an automatic speech recognition option with CardEasy, so that everyone can use the service to make payments, whilst maintaining PCI DSS compliance at all times. This service is used by a number of Syntec clients including a major financial group who have been using it for a number of years.
CardEasy Speech Recognition keeps the caller on the line when they are invited by the agent or IVR system to speak their card numbers out (instead of entering them using their phone keypad as usual with CardEasy). Speech is muted however whilst this is in progress, so that the agent and call recordings cannot pick up the card numbers. The spoken numbers are converted to text to allow for verification by CardEasy and then transmission to the Payment Service Provider (PSP) for authorization.
Controls ensure that if the caller has any trouble whilst the call is muted whilst they read out their card numbers, then the call is reconnected with the agent to give further assistance. So when you de-scope your contact center with CardEasy, all your customers are catered for, even if they cannot use the more usual ‘keypad payment by phone’ technology.
About Syntec – the service provider behind CardEasy
CardEasy is Syntec’s proprietary and patented system. Syntec is a PCI DSS level 1 Visa Merchant Agent and Mastercard Service Provider and is a participating member organization of the global PCI Security Standards Council.
What our partners say