Inference Solutions and the Value-Add Opportunity for Carriers to Provide PCI Compliance to Business Customers

20 Mar 2017

The call to the service provider goes something like this…

“Hi, I manage customer relations for HousewaresRUs, and wanted to know if you can help me with PCI compliance.”

“Sure, I can do that. I’ll start with two quick questions. Are you taking credit card purchases from customers over the phone? Secondly, are you PCI compliant now, or just looking into it?”

“Yes, for phone-based purchases. For being compliant, umm, no, we’re not. What do I have to do here?”

“Well, let me first ask how quickly you’re looking to do this?”

“Right away, like NOW.”

What’s the problem?

This sense of urgency means one of two things, and probably both. The business has either had a security breach involving credit card fraud, or they have just been hit with non-compliance penalties. While it’s not known how often these things actually happen, what we do know is that businesses don’t want to talk about it, and the associated costs are usually buried where nobody will find them.

Both scenarios could just as well be happening together, as the lack of compliance would make the company vulnerable to fraud, which in turn raises red flags with their bank, after which they’ll be exposed for not being PCI compliant. This refers to the requirement for merchants to comply with the DSS – Data Security Standard – developed specifically for PCI – the Payment Card Industry – to keep personal payment data secure and reduce the risk of credit card fraud for consumers.

Regardless of which above scenario applies, this problem is costing them money – in terms of both penalties and lost sales – and if it drags on, their reputation will suffer as customers will go elsewhere when making credit card purchases over the phone. Hence the urgency for a solution ASAP.

I’m sure you can envision other variations that reflect the threats and challenges facing retailers who take credit card payments over the phone. PCI compliance, which involves a comprehensive set of 12 control requirements – such as having a secure network and measures for protecting cardholder data - is essential for retailers who take credit card payments over the phone in order to ensure security for their customers. Unfortunately, attaining PCI compliance can be challenging for many businesses, who often opt to sidestep the requirements and hope for the best, much like driving without insurance.

Compounding this is the fact that many retailers have not kept up with changing technologies – especially the cloud, and often don't properly understand their options when it comes to PCI compliance. This provides an opportunity for service providers who can address these challenges by providing the right tools for their customers, resulting in additional sales and revenues. By working with providers like Inference Solutions, which provides a turnkey solution that goes beyond just PCI compliance, service providers can offer new services and functionality to their large and small customers.

Why is PCI compliance a growing issue and concern?

The root of the problem lies in the massive growth in retailing over the Internet and over the phone, especially around data security. As credit card payments continue to increase the likelihood of fraud does as well. Credit card companies need to recoup those losses and requiring retailers and other organizations to maintain minimum security standard or risk fines is the preferred way to do that.

In credit card data security, the two obvious weak points are the storage of credit card data itself and the human interface that works with that stored data. Contact centers spend millions of dollars each year ensure their staff are appropriately trained and that access controls are in place to meet PCI requirements.

The problem is particularly pronounced in distributed environments, whether across a network of contact centers or retail sites. Take for example a retail chain with thousands of outlets that allows callers to pay over the phone, how do you standardize access controls and training across that network? The lack of centralization makes it very difficult, if not impossible, for IT and HR staff to monitor problems on a store-level basis, and it’s a costly way to manage the network.

The easiest option is for businesses to stop the practice of using the phone as a channel for credit card purchases, but that leaves a lot of lost sales on the table. A better response is to recognize that these challenges can be addressed with today’s cloud-based technologies, and vendors like Inference Solutions have figured this out.

How to address PCI compliance here?

There are several approaches and factors to consider in order to address the issue of PCI compliance. One option is for the business itself to become PCI compliant. The process of meeting all the requirements is demanding, and most businesses simply cannot justify the cost and effort to become compliant as well as support it on a 24/7/365 basis.

Furthermore, as evidenced by the above conversation, when problems related to PCI compliance come unexpectedly, they need to be addressed immediately. The business won’t have the luxury of time to go through the certification process, especially if they rely on revenues from these types of credit card orders.

The more distributed the store sites and/or contact centers, the more important it becomes to provide a consistent experience for customers at all times – not just during regular business hours. This is even more important for larger businesses where economies of scale matter, along with the need to ensure security across all sites, phone systems, and IVR platforms. For these and other reasons, a cloud-based, on-net solution is the way forward.

Whether businesses choose to play by the rules or not, PCI compliance is required when credit card payments are handled. If businesses want to continue using the phone for purchase transactions, and if becoming compliant in-house isn’t viable, the next best thing is to use a third-party hosted solution from a service provider. This represents a great use case for SaaS, and in a distributed environment, service providers are ideal partners. Not only do they have the network reach to provide a centralized platform to support all sites, but they have the scale for continuous uptime, and are generally viewed as the trusted partner, which matters for such an important revenue driver.

From a business perspective, offering a cloud-based payment platform that is PCI compliant represents a new value-added service that service providers can sell to retailers and contact center operations. With this platform being PCI compliant, the customer’s problem is solved right away by partnering with the service provider. The only change is that credit card payments will now be handled at the carrier’s end – via Inference Solutions in a PCI compliant environment - instead of at the non-compliant store level. Given the risk and costs associated with not being compliant, the trade-off for shifting payment processing offsite represents a strong value proposition.

Inference Studio

Inference Solutions offers a range of offerings for service providers, notably Inference Studio, their hosted PCI compliant IVR platform for handling credit card payments over the phone. It’s worth noting that Inference Studio provides more than just insurance against non-compliance penalties and a quick fix to allow businesses to keep using telephony for credit card payments. They also enable businesses to maintain using this payment model as they migrate telephony from TDM to VoIP. To support evolving technology beyond VoIP, Inference Solutions offers enhanced capabilities such as speech recognition and voice biometrics, which will become part of nextgen IVR platforms.

Furthermore, Inference complements what service providers can offer as a trusted network provider. The company is certified for Level 1 PCI compliance, the highest designation across all four PCI Levels, which means they can support the largest scale customers. Being cloud-based, the solution can be configured and deployed quickly, with upgrades and future enhancements being added rapidly.

In terms of economics, this model with Inference and a service provider offers a distinct advantage. Since call volumes can vary widely from site to site, there’s a lot of cost uncertainty when retailers manage these payments in a decentralized fashion. With this model, all the traffic is aggregated over a common network – the existing carrier's network – and with call volumes being pooled, the result is a lower per-session cost than if each site was managing its own call volume.

Conclusion

These days, retailers cannot afford to turn business away, and it’s simply bad business to stop taking payments over the phone. While online purchasing keeps gaining ground, the phone remains a vital channel for sales. PCI compliance is both complex to understand and costly to attain, but with cloud-based solutions like Inference Studio, these should no longer be viewed as reasons to sidestep the issues. Many businesses continue to do so, but at some point, they will be exposed, and the risks are more than just financial. The path forward won’t be apparent to them until the dots are connected between a vendor like Inference Solutions and their service provider, and hopefully this article provides a good starting point.

This paper is sponsored by Inference Solutions.