CallCentreVoice Topic PCI DSS Compliance

Created by: jeremy jackman on 25/10/2007 15:49:08.
Statistics: Topic has 24 posts; viewed 8442 times.
Forum: Technology [This topic is read only]

Cam Ross
Managing Director
Veritape Ltd


PCI DSS call recording  [4/5/2010 09:33:39]

Hi Kjetil,

I think the answer depends entirely on whether the call is being recorded at Company A, as it passes through to you. If it is recorded, then PCI DSS would say that Company A isn't compliant with the "don't store CVV information in any format" guideline. However, if the call is not recorded by Company A, my initial view would be that both Company A and you are (at least for the recording aspect) compliant.

(Clearly there are also other cost and customer services questions you need to address.)

CR


jeremy jackman
Customer Support Manager
NewVoiceMedia Ltd


Call Recording and Compliance  [4/5/2010 20:29:58]

I agree with Cam Ross on that one. If the call stays with Company A while it passes through your system and it is being recorded, then Company A is not compliant.

It is much easier if you use a Cloud-based delivery, where the call is removed from Company A and passed to you; then it does not matter whether the call is recorded in Company A.

Return of the call to the same agent in Company A is possible after the transaction and Company A can then re-start recording quite happily, and the agent has no way of knowing card details.

I assume that you do not store card holder data and that you mask any logging of DTMF or any .wav files that are played confirming card details to the caller.


Kjetil Johannesen
System developer
Intelecom


RE PCI compliance when transferring a call  [5/5/2010 10:38:02]

Hello and thanks for your answers.

One of the ideas is to contact companies that already have established callcentres with other vendors, and offer them payment functionality without them having to move their entire callcentre solution from their current vendor.

If we host their entire callcentres, then there is no problem as we're in control of the entire solution ourselves and have passed PCI tests.

I see there is the recording aspect in the cases where the caller speaks with an agent first, and the agent then transfers the call to us.

But in other scenarios, I can see the caller just making a DTMF choice (i.e. press 3 to pay your latest invoice with credit card) in the IVR menu at a solution which resides at vendor A, and then the call is transferred to us without being connected with an agent first. In such a scenario, I would think the "call situation" would be PCI compliant even though vendor A is not PCI compliant, as all the credit card functionality resides with my company, which is PCI compliant, or are there some aspects we're missing here, do you think?


BR,

Kjetil Johannesen


Simon Collinson
Project Manager
Specsavers


Call Recording and Compliance  [17/8/2010 08:30:40]

All,

At Specsavers we've implemented the Semafone solution, which has removed all card data from the contact centre environment. It works by allowing customers to enter their card information on the telephone keypad whilst in conversation with the contact centre agent. The DTMF tones are also masked to the agent and on the recording, so it allows us to be completely PCI compliant.

We've also received a lot of positive feedback from customers commenting on how easy the technology was to use and how much safer it felt than giving their card details verbally over the phone or using an automated IVR solution, which tends to have a high drop-out rate.

If anyone would like to know more please contact me direct.

Kind Regards

Simon
