Grafton Potter was featured on US web publisher CRMXchange – click here to read the full feature.

Contact Center Compliance Solutions

PCI Pal is a true cloud provider offering leveraging the AWS environment to provide globally accessible secure payment solutions for contact centers and businesses taking Cardholder Not Present (CNP) payments. Their solutions are Level One PCI DSS certified enabling them to handle numerical payment data for the world’s largest organizations. Their objective is to provide a solution which descopes the contact center from PCI DSS scope and protect their clients’ businesses without compromising how contact center operations are run. Since their entire product portfolio is served from the AWS cloud, integrations with existing telephony, payment and desktop environments are simple with no impact on other services. Their solution will be even more in the spotlight with the upcoming global implementation of GDPR (General Data Protection Regulation) on May 25th. While it imposes strict new privacy restrictions governing the collection and use of personal data in EU nations, it will impact all companies who do business with customers who are EU citizens– more than 500 million people. Grafton Potter Vice President of Sales – North America at PCI Pal provided added background.

In what ways will the upcoming GDPR requirements differ from existing PCI DSS compliance standards and how can companies ensure that they are adhering to both?

The main difference between GDPR and PCI DSS is that GDPR will be enshrined in law in the EU. In addition to protecting citizens privacy, the most significant incentive to comply with GDPR is the severity of the potential penalties that can be incurred with GDPR and the global reach of the law for companies who do business with EU citizens. Both PCI DSS and GDPR aim to ensure organizations secure a consumer’s personal data but PCI DSS focuses on payment card and cardholder data, while GDPR focuses on all EU personal data including cardholder data.

Another key difference is that GDPR provides guidance on what needs protecting but does not provide a detailed action plan. Conversely, PCI DSS is more mature and details clearly what needs to be achieved while providing a clear path with steps and requirements for securing cardholder data.

PCI DSS should act as a tool to achieve GDPR compliance. If you are compliant with PCI DSS, you are meeting most baseline security control standards of GDPR.

How does your Agent Assist technology enable customers to make secure payments on the phone without the possibility of agent interception?

Our core solution, Agent Assist, utilizes our AWS cloud infrastructure to mask DTMF (Dual Tone Multi Frequency, aka touch tones) to provide companies with a solution to receive payments by phone and descope the network environments from PCI DSS.

At the time a payment needs to be made, the customer will key in their credit card number, expiration date, and CVV on their phone keypad instead of having to speak the credit card (or Social Security number or other sensitive information) to the agent. PCI Pal then routes the information to our PCI DSS Level 1 Certified Platform and thus descopes the customer’s environment from PCI DSS because no sensitive data is stored in the network environment. We integrate with the call flow and at the point of payment, so the agent doesn’t hear or see the card data. All the agent sees are asterisks on the screen and only hears monotone beeps to confirm that the payment information is being entered.

We then integrate with the merchant’s payment gateway and allow the agent to receive the payment gateway’s credit card token and approval for the payment all while the customer and the agent continue to speak throughout the entire process.

Can you tell us about the configuration options available to ensure that payment solutions do not interfere with a company’s operational requirements?

PCI Pal’s Agent Assist solution can be deployed in a number of ways. We work with each company and partner to understand the scope of the project and which deployment method works best for them. We have simple and proven telephony and API integrations so there is no impact on the business operations. In fact, our projects typically result in a 20-30 second reduction in ACHT (Average Call Handling Time) which provides savings and operational efficiencies to our customers and a value add for our business partners.

What are the advantages of allowing people to utilize SMS and webchat to make secure payments?

Through our experience across the contact center space, we know that customers increasingly expect to be able to interact with brands via multiple channels. SMS and web chat are key components of omnichannel communication and require secure mechanisms to enable customers to make PCI compliant payments. SMS and Webchat provide a link to call into the PCI Pal Payment IVR to enable a customer to make a payment.

SMS and web chat are convenient ways to communicate with customers and take payments, which is especially appealing to companies who wish to take orders during busy sales periods or for transactions where customers might prefer not to speak to an agent – like debt recovery or collection environments.