Get the answers to our most frequently asked questions.

How does Agent Assist work?

Our Agent Assist solution is very easy to understand from a user perspective. When the point of payment is reached in the call, the agent secures the line. PCI Pal’s secure cloud then captures all sensitive credit card details as it’s either spoken or entered via their telephone keypad without the agent hearing or seeing it, and it’s instantaneously sent to the payment provider for processing. Crucially, the voice path between the customer and agent remains open nearly all the time while this happens, so they can communicate should there be a problem. Watch the short video on our Agent Assist solution page to find out more.

How much does it cost?

The majority of our solutions are available on a pay-per-use model, whether your business is a large, multi-national organisation or a single-site privately owned business. This ‘light touch’ approach is in line with how we deploy our technology. Yes, we ask for some minimum commitments from you (we work hard to get the service ready for you, so why shouldn’t we?), but in the main, we operate a pay-per-use model wherever possible.

How long will it take to deliver my project?

We have a lot of experience in this space – even though it’s a fairly youthful market! We follow a structured project delivery process that we’ve designed using PRINCE2 methodology and then moulded from our own experience. We use ‘collaborative working’ project management tools where we can, and we’re happy for our PMs to use your own project management software if you prefer (they’ve used most!). Deployment depends on the solutions you’ve chosen to use and your specific requirements, but at a push, we can – and indeed, have – delivered projects from end-to-end within weeks. The main point is that once we’ve agreed a plan with you, we’re fully committed to delivering the project successfully, on time, every time. Give us a call if you’d like to chat through our methodology in more detail.

What is DTMF bleed?

DTMF bleed is the term used to describe short duration snippets of DTMF tones that can sometimes be heard at the call centre side even when a DTMF masking solution is in place. This can occur in some DTMF masking solutions because the algorithm to detect the presence of a tone can take several milliseconds to detect the presence of a tone. During this time the masking solution may not supress the tone and a small portion of the tone slips through and reaches the contact centre environment. The biggest consequence of this is that when it occurs, the contact centre is brought back in scope of PCI DSS.

Should I be worried about DTMF bleeding?

If you’re a customer of PCI Pal, the answer is no. Some other DTMF masking solution providers rely on masking the tone only after the DTMF detection algorithm has signalled a tone is present.  PCI Pal uses a “step-back” solution which detects the tone and winds back the stream of audio several milliseconds before masking the audio stream to ensure that the tone is completely masked. PCI Pal’s platform also prevents DTMF duplication errors causing a similar leak of tone-based information through to the call centre. For example, where the DTMF sent by a customer happens as in-band tones and is also erroneously duplicated as out of band messages. Some solutions may mask one type of tone transport but allow the other to pass through and thereby end up in call recordings.

What is digital engagement and what are digital engagement channels?

Digital engagement can be defined as anything that is an online interaction, and digital engagement channels are ways in which customers are able to interact with an organisation digitally, for example:

  • Webchat
  • AI and Chatbots
  • Social Media (i.e. Twitter, Facebook etc)
  • Websites
  • Email
  • SMS

These channels increase engagement between customers and organisations beyond sales. Digital engagement channels allow organisations to open up the conversation with their audiences for support, service and marketing activities, offering a convenient way to increase reach.

What’s the difference between multichannel and omnichannel?

Both multichannel and omnichannel involve interactions across multiple channels with one major difference, the customer journey and how it is joined up between them. Multichannel tends to see different platforms siloed from one another. Omnichannel is where all these platforms are joined together so that, whatever journey the customer chooses to take, the experience is consistent and unified.

For example, if a customer is talking to an agent via webchat and decide that they want to make a purchase a multichannel solution would mean that the customer could be asked to make the purchase by calling into the contact centre to speak to someone else. For an omnichannel solution, the webchat agent would be able to have the customer make a payment via webchat or they could transfer the customer directly to another agent or IVR to enable them to make the purchase, providing a seamless and unified experience.

What is a digital payment?

A digital payment is described as any payment using digital instruments. Essentially this covers any payment that doesn’t use cash, some examples are:

  • Credit card payments
  • Bank transfers (e.g. direct debits, standing orders)
  • Digital wallets (e.g. Apple Pay, PayPal)
  • Alternative digital currencies (Bitcoin)

Over the past decade there’s been a revolution in the way in which consumers choose to pay for goods and services, with most Western and Asian countries now favouring to pay digitally rather than using cash. This trend is set to continue in future so it’s important that organisations offer these choices to their customers, and that they are secure.

Can PCI Pal integrate with my existing webchat provider?

In short, yes. When a customer needs to make a payment the agent simply generates a secure URL as a text string which is sent to them through their webchat communication channel, meaning PCI Pal Digital can integrate into any existing webchat provider.

How does Digital Invoice work?

Digital Invoice allows organisations to create and send a secure URL via SMS or email. This option allows for anytime payments.  A time limit can be added to these secure URLs – effectively creating a Digital Invoice, meaning secure payments are available for both real time and anytime digital channels.

Will the Agent see or hear any sensitive data during an Agent Assisted digital payment?

No, the secure payment page masks all sensitive payment data from the agent view. As there is no break in communication the agent is able to track the customer’s progress throughout the payment process and offer support in real time should they need it.

What is an IVR payment?

Interactive Voice Response (IVR) payments are a way that customers can make payments by interacting with an automated system. Rather than speaking to an agent to make a payment, customers follow a series of automatic prompts which they respond to using their telephone keypad to make payments. IVR payments can be made either using a dedicated phone number which customers call directly, or for agent led calls customers are transferred to another line where the payment is made.

What are the benefits of using PCI Pal IVR for payments?

The key benefits of using PCI Pal IVR for payments are:

  • 24/7 availability
  • Multilingual availability
  • Fully automated and self-serving
  • Highly resilient
  • Integrates with existing CRM, IVR and payment gateways

Can agents use PCI Pal if they are working from home?

Maintaining PCI compliance can be challenging; however, our cloud-based platform means that agents can log in from home and continue to take payments safely and securely. All our solutions ensure no credit card details are spoken, heard or seen. Contact centre agents can continue to take payments wherever they are working from.

What is the advice from the PCI Security Standards Council (PCI SSC)regarding remote working?

In 2018 the PCI SSC released guidance on Protecting Telephone Based Payment Card Data (our eBook goes into more detail on this.) It acknowledges that homeworking can pose challenges in relation to maintaining PCI compliance.  The regulations advise evaluating the increased risks and implement controls to mitigate these, including rigorous training in security awareness.

What is Rapid Remote?

Rapid remote is a PCI compliant business continuity payment service enabling businesses to continue to take secure payments by phone whilst working remotely.

How does Rapid Remote work?

Rapid Remote is based on our Agent Assist product but has a tightly targeted set of options and features that enable it to be rapidly deployed. Our solutions use DTMF masking technology to secure payments. Customers input their card information using their telephone keypad when prompted by the remote worker, and the information is automatically transmitted to the Payment Service Provider (PSP) for authorisation.

What are the key benefits of Rapid Remote?

Rapid remote comes with several benefits, including:

  • Speed of deployment – live within 48 hours in many
  • Flexibility – Rapid Remote is an ideal solution for homebased contact centre agents who are using non-centralised telephony such as mobile phones and landlines, and Voice over IP platforms, such as Microsoft Teams or skype for Business.
  • Secure – no cardholder data is exposed to the homeworking agent or enters the company’s environment, meaning the scope of PCI DSS is vastly reduced.

Do I have to make changes to our existing network to be eligible for Rapid Remote?

Being entirely cloud-based, Rapid Remote offers maximum flexibility around your existing network without compromising on payment security. For specific queries, get in touch with us and we will work with you to get your remote contact centre operations running as quickly as possible.

Can I have speech and DTMF, or do I have to pick one?

Quite simply, you can have both. When speech collection is enabled, DTMF collection is also enabled.  The cardholder should never use DTMF and speak the same information at the same time however, otherwise duplicate information will be collected.

What happens if my customer has a problem?

In this situation the cardholder is still able to use help words to exit from the collection of the confidential information and return to normal conversation with the agent who can offer assistance.

Can the agent hear anything when taking the payment?

The agent will not be able to see or hear any of the credit card details as they are spoken or entered via the telephone keypad.

How does PCI Pal integrate with my payment provider?

The simple answer is… with ease! Fortunately, the majority of payment providers have modern APIs that we’re able to integrate with our secure cloud services. Additionally, payment providers are usually PCI compliant, so we have no issue integrating our secure cloud with their services. Payments made via PCI Pal are processed by the provider at the same speed (or quicker) than you would find using their virtual terminals directly. But we don’t get too involved; we just do our job of securing your customers’ data and all your other systems can behave as normal.

Which other companies do we work with?

Due to the sensitive nature of our business and because we like to minimise the public exposure of our clients, we don’t talk about many of the companies we’re working with on our website. However, we have an extensive client base spanning all the major sectors; most of which are medium to large organisations, but we also work with some smaller businesses. Our fully scalable delivery and commercial model means there are no barriers to using our technology. We’d be happy to speak to you about the services we’ve delivered for our clients, so please give us a call or watch our video case studies to find out more.

How will PCI Pal integrate with my phone system?

When it comes to telephony, carrier and CRM systems, PCI Pal is completely agnostic. Some of our deployment models do not require any kind of integration with your telephony provider. Others may require some integration, but we’ve already integrated with all manner of platforms – from global cloud contact centre providers to leading telephony vendors like Avaya, Cisco and Interactive Intelligence – so integration is never an issue.

What is the California Consumer Privacy Act (CCPA)?

The CCPA is responsible for creating new consumer rights regarding the access, deletion of, and sharing of personal information that is collected by businesses. The regulation allows any California consumer access to all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. Additionally, the California law allows consumers to sue the company if privacy guidelines are violated in any way.

When does the CCPA go into effect?

The act was passed in California in 2018 and went into effect on January 1st of 2020. Companies have 30 days to comply with the law once notified of a violation. The enforcement of penalties for noncompliant companies will begin on July 1st, 2020.

Who does the CCPA concern?

The act applies to companies that do business with individuals (customers, vendors, suppliers) that are protected by the CCPA – regardless of where the company itself is located. In addition, the business must also meet one of the following three criteria in order to fall within the scope of the CCPA:

1.) Have $25 million or more in annual revenue
2.) Buys/receives/sells/shares the personal information of 50,000 or more Californian residents over the course of 1 year
3.) Earns 50% or more of its annual revenue selling Californian resident’s personal data.

What data does the CCPA cover?

The CCPA protects any data that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked (directly or indirectly) to a particular Californian consumer or household. Examples include personal name, email address, home address, social security number, driver’s license number, passport number, records of purchase, geolocation data, professional information, education history, internet browsing history, etc.

How to prepare for the CCPA?

It is in their best interest that companies make available to consumers two or more designated methods for submitting requests regarding disclosing data – including, at a minimum, a toll-free telephone number. Businesses should provide a clear and conspicuous link on their internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. Companies are also advised to leverage third party tools for assistance with data discovery and data protection in order to ensure that consumer data is managed effectively.

What’s the difference between Personal Data and Personally Identifiable Information (PII)?

Essentially, both personal data and personally identifiable information (or PII) are the same insofar that it covers information relating to an identifiable individual, however:

  • PII is a term most commonly used in the US and Canada and covers any information which can distinguish or trace an individual’s identity e.g. name, social security number, Credit Card data etc.
  • Personal data is most commonly used as a term in Europe in relation to the General Data Protection Regulation (GDPR) and is much broader in what it encompasses, for example an IP address can be considered personal data.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and data privacy in the European Union (EU) and the European Economic Area (EEA.) Since coming into effect on 25th May 2018 its primary aim is to give greater control to individuals over their personal data through increasing their rights, to simplify the responsibilities of international businesses by giving them a more unified regulation to follow and to hold them accountable should they be found in breach of it.

Who does the GDPR concern?

The GDPR applies to any company, of any size that collects, processes and stores the personal data of any EU citizen regardless of where the data is stored and processed. It also sets out regulation for how individuals are notified that their data is being collected and that companies must have expressed permission from individuals to do so (i.e. soft opt in rather than assuming consent is given.) It also sets out strict guidelines of how a company should report and respond to a data breach.

What are the potential penalties if the GDPR is breached?

Fines for breaching the GDPR can go up to €20m (£17m) or 4% of a companies’ global turnover in the most serious of cases.

Are the GDPR and PCI DSS linked?

Very much so. Although PCI DSS focuses exclusively on payment card and cardholder data, under the GDPR this is considered personal data. To that end, a breach of credit card data would be a breach of PCI DSS and the GDPR.

What is PIPEDA?

The Personal Information Protection and Electronics Act (PIPEDA) is a Canadian law which has been in effect since 2000. It allows individuals the right to know their data is being collected, used and if it’s being disclosed, to allow organisations to collect this information in a way which upholds the right of the individual (e.g. by obtaining consent) and also allows individuals to raise complaints if they feel their data is being used illegally. It sets out legal parameters for when an organisation should report a breach of personal data. It also must be reviewed every five years to consider any new technologies and other areas which may not be covered.

Who does PIPEDA concern?

PIPEDA applies to any private sector organisations and federally regulated organisations which collect, disclose or use personal information of any Canadian citizen in the course of their commercial activity. There are several exceptions to where PIPEDA applies however, for example reasons of national security, international affairs and criminal investigations.

What are the potential penalties if PIPEDA is breached?

Compliance with PIPEDA is overseen and enforced by the Office of the Privacy Commissioner of Canada (OPC.) Should they receive notification of a breach or a complaint is raised, the commissioner will investigate. Although the OPC doesn’t have the right to fine a company, they can refer them to federal court hearings, which can fine them up to CAD $100,000 for each violation. Not only this, individuals whose personal data have been compromised can also sue for compensation.

How is data protected in Australia?

Originally the Privacy Act 1988 was introduced to promote and protect the privacy of individuals. It applies to private sector entities with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies. Some smaller businesses are also subject to it (e.g. credit agencies.)

Are there any other data protection laws in Australia?

Australia has taken a granular approach to data protection with a mix of federal, state and territory laws, such as:

  • Information Privacy Act 2014 (Australian Capital Territory)
  • Information Act 2002 (Northern Territory)
  • Privacy and Personal Information Protection Act 1998 (New South Wales)
  • Information Privacy Act 2009 (Queensland)
  • Personal Information Protection Act 2004 (Tasmania)
  • Privacy and Data Protection Act 2014 (Victoria)

Which are concerned with organisations not covered by the Privacy Act such as smaller businesses. There are also regulatory bodies which have their own sets of standards when it comes to protection, i.e. in health and financial sector there are data protection regulations to adhere to.

What happens in Australia if data is breached?

This all depends on what regulation(s) are applicable to the organisation concerned, the type of breach and who has been affected. In 2018, an amendment to the Privacy Act established the Notifiable Data Breaches scheme (NDB.) Any organisation that the Privacy Act covers must notify those who’s data is breached and the Office of the Australian Information Commission OAIC.  Penalties of up to AUD$63,000 for bodies corporate and AUD$12,600 for individuals for failure to cooperate with efforts to resolve minor breaches, and larger organisations could face penalties up to $10 million or three times the value of any benefit obtained through the misuse of information or 10% of a company’s annual domestic turnover – whichever is the greater, for the most severe breaches.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to secure Personally Identifiable Information (PII) held by healthcare and healthcare insurance industries. Its aim is to prevent fraud and theft of PII, and address limitations on healthcare insurance. HIPAA is broken down into five titles

What are the five titles of HIPAA?

  1. Healthcare access, portability and renewability – regulates the availability and breadth of group health plans and certain individual health insurance policies.
  2. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform – establishes policies and procedures for maintaining the privacy and the security of PII, outlines numerous offences relating to health care, and establishes civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the healthcare system.
  3. Tax-related health provisions governing medical savings accounts – standardises the amount that may be saved per person in a pre-tax medical savings account.
  4. Application and enforcement of group health insurance requirements – specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements.
  5. Revenue offset governing tax deductions for employers – is related to company-owned life insurance for employers providing company-owned life insurance premiums, prohibits the tax-deduction of interest on life insurance loans, company endowments, or contracts related to the company.

Are HIPAA and PCI DSS related?

As HIPAA is concerned with PII, it sits on the same branch as PCI compliance as credit card data is PII. If a healthcare organisation was to suffer a data breach of credit card data, then both HIPAA and PCI DSS would apply. Because of this it is important that healthcare organisations are aware of the requirements of both and, where possible, ensure controls are in place to prevent the loss of such data. Speak to our team for further details on the crossovers between HIPAA and PCI DSS.

What does the 2018 amendment to the ‘Protecting Telephone-Based Payment Card Data’ mean?

The latest guidelines objective is to address and add clarity to what has changed since it’s first release in 2011 and provide guidance based on these changes. For example, VoIP and telecoms providers have often been classified as not being within the scope of PCI DSS. The latest guidance clarifies that they are both in scope. There has also been a shift of focus on what is in scope by way of the process of payments over the phone. The previous version concentrated almost solely on securing call recordings, whereas the latest version acknowledges that phone (MOTO) payments are at greater risk of criminal exploitation when spoken out loud. Additionally, there is now guidance how compensating controls are affected by this change and how the use of technologies such as DTMF suppression affects the scope of PCI DSS.

What does the new guidance say about pause and resume and DTMF Suppression?

In the context of the old guidance, the focus on secure call recording and storage lead many to believe that pause and resume was a sufficient control in achieving and maintaining PCI compliance, however this is no longer the case. The latest version clearly states that where pause and resume does take call recording and storage systems out of scope, it leaves the agent, the desktop environment and any other systems in the environment in scope and is therefore a compensating control. By comparison, the new guidance explains how DTMF technology not only takes recordings and storage out of scope, it details how suppressing the tones and masking the information on the agent’s desktops completely descopes the contact centre from PCI DSS by ensuring no credit card data enters the environment in the first place.

What is the ‘The Common Vulnerability Scoring System?’

The Common Vulnerability Scoring System (CVSS) is a vendor agnostic, open industry standard for assessing the severity of computer system security vulnerabilities. Devised from research by the National Infrastructure Advisory Council (NIAC.) CVSSv1 was released in 2005 with the goal of being designed to “provide open and universally standard severity ratings of software vulnerabilities.” Essentially, it’s a scoring system for computer system security vulnerabilities from 0 – 10, with ten being the most severe.

What are the benefits of CVSS?

CVSS solves the problem of having multiple and incompatible vulnerability scoring systems. It enables organisations to have a clear understanding of the threats and risks present within their computer network.

How is CVSS linked to PCI DSS?

Requirement 6.1 of the PCI DSS is to ‘Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking,’ so CVSS fits into this perfectly. The notes attached to this in the PCI DSS use CVSS as an example of how to achieve compliance with this standard.

What’s the difference between an entity, a merchant and a service provider?


In PCI DSS terms, an entity is any business or organisation which is undergoing a PCI DSS review. This is an encompassing term and includes businesses that accepts card payments (merchants) and businesses that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another business (service provider.)

What is a Self-Assessment Questionnaire (SAQ)?

A Self-Assessment Questionnaire (SAQ) is used by entities to document self-assessment results from their annual PCI DSS assessment. Depending on how entities take credit card payments will determine which SAQ will need to be completed. In some cases, self-certification of an SAQ isn’t enough and an Attestation of Compliance (AOC) will have to be completed alongside it.

What is an Attestation of Compliance (AOC)?

The Attestation of Compliance (AOC) is a form for merchants and service providers to prove (attest) to the results of their PCI DSS assessment. It is completed by the entities Qualified Security Assessor (QSA) along with the appropriate Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) and sent on to the entities’ merchant bank. They then send it to the appropriate card brand (e.g. Visa, Mastercard etc.) In short, any entity which accepts, processes, stores or transmits cardholder data directly or on behalf of another entity must have an AOC as it proves PCI compliance.

What is a Report on Compliance (ROC)?

A Report on Compliance (ROC) documents the result of an entity’s PCI DSS assessment. These are only required if an entity is a Level 1 Merchant (has more than 6 million annual transactions with Visa and/or Mastercard.) Unlike SAQs (Self-Assessment Questionnaires), they must be completed by a third-party Qualified Security Assessor (QSA) after a PCI DSS audit.

What is the difference between PCI Certification and PCI Compliance?

The key difference here is how PCI compliance is verified. PCI certification is proof of compliance as it relates to the verification process by the QSA (Qualified Security Assessor).  PCI compliance involves the development and daily maintenance of cardholder data protection policies and procedures, so essentially is a claim rather than proof, but it should be taken just as seriously.

Is speaking credit card data in scope of PCI DSS?

Yes, certain elements of the credit card information are regarded as confidential no matter in what format they are transmitted.

How can we help you? Get in touch to discuss our solutions and your specific requirements.