The Secret to Maintaining Payment Compliance with a Remote Workforce
One of the most significant and long-lasting impacts of the pandemic has been the shift to remote working, with many companies realising they can operate more efficiently when employees stay at home. Capita are committed to enabling this to work by introducing flexible/hybrid working.
With appropriate technology and controls it can and will work effectively, but it will require monitoring and adjustment, as it will not be right for every employee. This dramatic change in the working lives of many people is set to remain – research shows that 26% of the UK workforce will continue to work remotely in some capacity. Frankly, my own view is that it will be considerably higher than this too. Yet, while many business practices translate fairly seamlessly from the office to the home, allowing remote workers to take payments over the phone presents a real security risk if the requirements of the PCI DSS (Payment Card Industry Data Security Standard) are not followed. As well as putting employees in an unacceptable position, this exposes companies to risk in terms of governance, cost, revenue and brand integrity.
Organisations need to consider long-term solutions to maintain their PCI compliance and provide a safe environment for their remote employees, without compromising customer engagement. Businesses that fall foul of their PCI obligations leave their remote employees and customers exposed to potential data breaches. The fact that 2020 saw 36 billion records exposed between Q1 and Q3 only adds weight to the need for these measures. Research shows that a data breach has an immediate impact on customers and their willingness to spend – 58% of UK respondents said they would either close their account or seek advice before making further transactions. A data breach at a company of which they were not a customer would lead to 75% of potential customers choosing not to buy at all, or at least not for a while – quite a stark figure.
While there has been a massive shift to digital payment methods driven by the pandemic – with Accenture forecasting that 420 billion transactions will move from cash to cards and digital by 2023 – there are also many people who still prefer to use their phone to pay by card, as well as smaller retailers or service providers which do not have an online payment system and can only take card payments in person or by phone. Employees taking payments over the phone in an office or call centre environment should be protected by the corporate governance of the organisation. However, employees who are expected to handle personal card data while working from home present many challenges.
The PCI Security Standards Council states: “For the home/remote worker supported as an extension of the entity’s network, make sure that their environment (e.g. network and other technology) is secure in accordance with the PCI DSS requirements. Any implementation should be agreed to with your acquirer or payment card brand.”
The underlying, unspoken issue here is obvious – no-one is watching a homeworker. In a worst-case scenario, the employee is rogue and steals the card data for illicit use. While the vast majority of people would not risk their job committing an easily traceable crime, there are those that do. It only takes one dishonest employee to cause a security breach and the entire organisation is compromised. There is also, far more commonly, simple human error – writing down card details and leaving the paper lying around or thrown in the bin or recycling for theft by outsiders. The above examples can take place irrespective of company security procedures such as allowing employees to only use approved hardware, secure phone lines, regularly updated firewalls and robust authentication – all required for PCI compliance. But these procedures do not divorce the employee from having access to the customers’ card data.
The simplest way to protect employees from suspicion, mistakes or temptation is to remove their access to the sensitive customer data entirely – to take them out of the cardholder data environment (CDE) altogether. The CDE is the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. It is important to do this without disconnecting the customer, so that contact centre staff remain on hand if needed. Many solutions address the PCI DSS; the key challenge is maintaining compliance without impacting customer engagement. Pausing the call recording while the card number is read out, for example, keeps the number out of the recordings, but the agent still hears and keys it, so the agent and their equipment stay in the CDE; other approaches take the agent out of scope but hand the customer off to a separate capture step that disconnects them from the organisation. Either way the result can easily be customer dissatisfaction and potentially non-payment.
One of the most widely used solutions for a process that keeps the agent out of the CDE while remaining PCI-compliant is software that suppresses or ‘masks’ dual-tone multi-frequency (DTMF) tones. The caller enters the card details on their telephone keypad instead of reading them out. Suppression removes the DTMF tones from the audio; masking replaces them with random or flat tones. Because nothing is spoken, there is nothing for the agent (or anyone near them) to overhear, and in the relatively unlikely event of an attacker tapping the phone line, the masked or suppressed audio carries no tones to decode even if it is illegally recorded. The employee never sees or hears any card data and is therefore removed from any opportunity to cause a breach, unintentionally or otherwise. The captured digits are transmitted directly to the payment service provider (PSP) for authorisation, so they never enter the merchant environment and the merchant's PCI DSS scope is sharply reduced. For this to hold, the tones must be captured and stripped upstream of the agent's desktop, softphone and call recorder; any system that still receives the raw tones remains in the CDE. The environment stays compliant and secure for both the employee and the customer, and the customer gets a seamless and efficient payment experience.
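To make the mechanism concrete, here is an added example (not code from the original article, and not Pay360's or Capita's product) that detects DTMF digits in an 8 kHz telephony sample stream with the Goertzel algorithm and replaces every frame that carries a digit with a flat tone, so that the audio which continues to the agent and the call recorder no longer contains the keyed digits while speech passes through untouched. The call audio is constructed inside the block (a 1 kHz tone standing in for speech, then a keyed card-number fragment with gaps); the frame length, detection threshold, debounce length and the 440 Hz replacement tone are my assumptions, and the capture side that forwards the recovered digits to the PSP is left out.

```python
"""Added example: DTMF detection and masking on a telephony sample stream.

Pure Python, no third-party libraries. Not the article's or any vendor's code.
"""
import math

SAMPLE_RATE = 8000                       # Hz, narrowband telephony
FRAME = 200                              # samples per analysis frame (25 ms)
LOW_GROUP = (697, 770, 852, 941)         # DTMF row frequencies
HIGH_GROUP = (1209, 1336, 1477, 1633)    # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][col]
TONE_RATIO = 0.1    # assumption: a tone must carry >=10% of energy*FRAME (clean DTMF gives ~25%)
MIN_FRAMES = 2      # assumption: a digit must persist for 2 frames (50 ms) before it counts
MASK_FREQ, MASK_AMP = 440.0, 0.3   # assumption: flat tone that replaces each masked frame


def goertzel_power(frame, freq):
    """Squared magnitude of the frame's spectrum at `freq` (Goertzel algorithm)."""
    omega = 2.0 * math.pi * freq / SAMPLE_RATE
    coeff = 2.0 * math.cos(omega)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the DTMF digit present in a frame, or None for silence, speech or other tones."""
    energy = sum(x * x for x in frame)
    if energy < 1e-6:
        return None                      # silence
    scale = energy * len(frame)          # a pure DTMF frame puts ~1/4 of this into each tone
    row = max(range(4), key=lambda i: goertzel_power(frame, LOW_GROUP[i]))
    col = max(range(4), key=lambda j: goertzel_power(frame, HIGH_GROUP[j]))
    if goertzel_power(frame, LOW_GROUP[row]) / scale < TONE_RATIO:
        return None
    if goertzel_power(frame, HIGH_GROUP[col]) / scale < TONE_RATIO:
        return None
    return KEYPAD[row][col]


def frames(samples):
    """Yield (offset, frame) for every complete frame; a trailing partial frame is skipped."""
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        yield i, samples[i:i + FRAME]


def decode(samples):
    """What an eavesdropper or recorder could recover: digits held for at least MIN_FRAMES frames."""
    digits, current, run = [], None, 0
    for _, fr in frames(samples):
        d = detect_digit(fr)
        if d is not None and d == current:
            run += 1
        else:
            current, run = d, 1
        if d is not None and run == MIN_FRAMES:
            digits.append(d)
    return "".join(digits)


def mask(samples):
    """Replace every frame carrying a DTMF digit with a flat tone; pass everything else through.

    In a deployment this runs in the telephony path before the audio reaches the
    agent's desktop, softphone or call recorder.
    """
    out = list(samples)
    for i, fr in frames(samples):
        if detect_digit(fr) is not None:
            for n in range(FRAME):
                t = (i + n) / SAMPLE_RATE
                out[i + n] = MASK_AMP * math.sin(2 * math.pi * MASK_FREQ * t)
    return out


# --- constructed test audio (not a real call) -----------------------------------
def tone(freqs, seconds, amp):
    n = int(seconds * SAMPLE_RATE)
    return [sum(amp * math.sin(2 * math.pi * f * k / SAMPLE_RATE) for f in freqs)
            for k in range(n)]


def dtmf_digit(d, seconds=0.2):
    row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
    col = KEYPAD[row].index(d)
    return tone((LOW_GROUP[row], HIGH_GROUP[col]), seconds, 0.5)


def caller_audio(keyed):
    """200 ms of 'speech' (1 kHz stand-in), then each digit preceded by a 100 ms gap."""
    audio = tone((1000,), 0.2, 0.6)
    for d in keyed:
        audio += [0.0] * int(0.1 * SAMPLE_RATE) + dtmf_digit(d)
    return audio


if __name__ == "__main__":
    raw = caller_audio("4929")
    print("digits recoverable from the raw line:", repr(decode(raw)))     # '4929'
    print("digits recoverable after masking:   ", repr(decode(mask(raw))))  # ''
```

The decoder is deliberately the same one the masker uses, so the second line of output is the check a practitioner wants: once masked, a recording of the agent-side audio yields no digits, while the speech frames at the start of the call are byte-for-byte unchanged.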
However, DTMF masking can be costly and complex to implement, so it is worth considering other options that combine compliance with a frictionless customer journey. These include digital payment requests by card and by open banking, the latter allowing regulated third parties to initiate a payment from one account to another. With a digital payment request the agent sends the customer a link by text or email while they remain on the phone; the link lets the customer choose how they would like to pay. If they choose card, they enter their own card details into a secure hosted form – much like an e-commerce transaction – so the agent never has access to that information. With open banking, the customer authenticates the payment directly with their bank, and no card details change hands at all.
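The link itself is the thing a practitioner should look at: if the agent, or anyone who intercepts the text or email, can alter the amount or reference in it, or reuse it, the agent has been taken out of the CDE only to hand the customer a forgeable instruction. The added example below (my own illustration, not Pay360's or any provider's implementation) issues a payment-request link whose order reference, amount, currency, expiry and one-time nonce are bound together with an HMAC, and verifies it on the hosted-page side, rejecting tampered, expired and replayed links. The signing key, the 15-minute lifetime, the hosted page URL and the field names are all assumptions; the hosted card-capture form that the link leads to is out of scope here.

```python
"""Added example: signed, single-use pay-by-link token. Hypothetical, not a vendor API."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

SIGNING_KEY = os.urandom(32)      # assumption: per-deployment secret, kept in a KMS/HSM in production
LINK_TTL_SECONDS = 15 * 60        # assumption: a request link expires after 15 minutes
PAYMENT_PAGE = "https://pay.example.test/request"   # hypothetical hosted card-capture page
_redeemed = set()                 # nonces already used; a real system keeps this in a shared store


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_link(order_id: str, amount_minor: int, currency: str,
               now: Optional[float] = None) -> str:
    """Agent side: bind order, amount, currency, expiry and a nonce into a signed token.

    The agent only ever handles this URL; the card number is typed by the customer
    into the hosted page the token points at.
    """
    now = int(now if now is not None else time.time())
    claims = {"o": order_id, "a": amount_minor, "c": currency,
              "exp": now + LINK_TTL_SECONDS, "n": _b64(os.urandom(12))}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{PAYMENT_PAGE}?t={body}.{_tag(body)}"


def verify_link(url: str, now: Optional[float] = None) -> Optional[dict]:
    """Hosted-page side: return the bound claims, or None if the link is forged,
    tampered with (e.g. amount edited), expired, or already redeemed."""
    now = int(now if now is not None else time.time())
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    body, _, tag = token.partition(".")
    if not body or not tag:
        return None
    if not hmac.compare_digest(_tag(body), tag):     # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now or claims.get("n") in _redeemed:
        return None
    _redeemed.add(claims["n"])                        # single use
    return claims


def tamper_amount(url: str, new_amount: int) -> str:
    """Simulate someone editing the amount in a link without knowing the signing key."""
    base, _, token = url.partition("?t=")
    body, _, tag = token.partition(".")
    claims = json.loads(_unb64(body))
    claims["a"] = new_amount
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{base}?t={body}.{tag}"


if __name__ == "__main__":
    issued = 1_700_000_000
    link = issue_link("INV-1001", 4999, "GBP", now=issued)
    print("valid:   ", verify_link(link, now=issued + 60))          # claims dict
    print("replayed:", verify_link(link, now=issued + 61))          # None
    print("tampered:", verify_link(tamper_amount(link, 1), now=issued + 60))  # None
    print("expired: ", verify_link(issue_link("INV-1002", 4999, "GBP", now=issued),
                                   now=issued + LINK_TTL_SECONDS + 1))          # None
```

The amount is part of the signed body rather than a separate query parameter precisely so that the hosted page charges what the agent quoted; the nonce set is what turns a leaked link into a one-shot rather than a standing authorisation.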
Employee safety is the responsibility of the employer. While traditionally that has been ‘health and safety’ as in the physical environment, the establishment of homeworking across many industries means that the safety of remote employees needs to be taken very seriously in terms of both online and telephone interactions. Any organisation that is not actively addressing the issues of PCI compliance, both in and out of the office, risks expensive fines and significant reputational damage. However, businesses need to tread a careful line between compliance and customer engagement to stay on top of their game.
by Stephen Ferry, Managing Director, Pay360 by Capita.