The obligations that PCI DSS compliance places on organisations taking card payments are very clear: it is a breach of PCI DSS for any organisation to retain sensitive authentication data, in any format, whether encrypted or not. Sensitive authentication data includes the full magnetic stripe data, card validation codes and PIN numbers.
For organisations that record calls, much of the PCI discussion has focused on methods to ensure that your recorder no longer captures authentication data. Liquid Voice recorders address this particular problem with Automated Pause & Resume and Mute/Un-Mute techniques, which ensure that authentication data is not captured.
But there are other approaches that can be considered.
IVR-based payment automation, for example, has the potential to be a valuable part of your PCI DSS strategy.
IVR allows your customer to interact with you in a full self-service model or as part of a process that combines self-service with agent-assistance. While the full self-service model has obvious advantages in productivity and cost, many businesses prefer to involve the agent in the payment process.
To ensure PCI DSS compliance in this agent-assisted payment process, the IVR solution allows the customer to use the keypad on their phone to enter their card details. The agent can stay on the line with the customer, but the card details are not displayed on the agent's screen and, if calls are being recorded, the card details are never spoken, so no sensitive card details end up in the recording.
This effectively moves the agent “out of scope” of the payment process so, properly managed, this approach can form a valuable element of your PCI DSS Compliance strategy.
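As an added illustration (not Liquid Voice's or the page's own code), the following Python simulates the agent-assisted IVR step described above: while the payment step is active the recorder is paused, keyed digits are routed only to a stubbed payment gateway and masked on the agent screen, and an audit helper then scans what was stored and flags any Luhn-valid card-number run, which is how a failure of the pause signal would show up. The event names, the well-known test PAN and the audit heuristic are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

def luhn_ok(digits: str) -> bool:  # used only to recognise a likely PAN in an audit
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class CallRecorder:
    """Simulated recorder with Automated Pause & Resume around the IVR payment step; constructed
    event shapes: ("payment_start",), ("payment_end",), ("dtmf", digit), ("speech", party, text)."""
    recording: list = field(default_factory=list)     # what is stored on disk
    agent_screen: list = field(default_factory=list)  # what the agent sees
    gateway: list = field(default_factory=list)       # digits that reach the payment gateway only
    paused: bool = False

    def handle(self, event: tuple) -> None:
        kind = event[0]
        if kind == "payment_start":
            self.paused = True
        elif kind == "payment_end":
            self.paused = False
        elif kind == "dtmf" and self.paused:   # card digits go to the gateway, masked on screen
            self.gateway.append(event[1])
            self.agent_screen.append("*")
        elif kind == "dtmf":                   # outside the payment step tones are ordinary audio
            self.recording.append(("dtmf", event[1]))
            self.agent_screen.append(event[1])
        elif kind == "speech" and not self.paused:
            self.recording.append(("speech", f"{event[1]}: {event[2]}"))

def retained_card_data(recording: list) -> list:
    """Report Luhn-valid 13-19 digit runs captured as tones (evidence the pause did not engage)."""
    text = "".join(p if k == "dtmf" else f" {p} " for k, p in recording)
    return [run for run in re.findall(r"\d{13,19}", text) if luhn_ok(run)]

def run_call(pause_engaged: bool) -> CallRecorder:
    """Constructed call keying a well-known Visa test PAN and a 3-digit CVV, with or without the pause."""
    start, end = ([("payment_start",)], [("payment_end",)]) if pause_engaged else ([], [])
    events = [("speech", "agent", "Please key in your card number now")] + start
    events += [("dtmf", d) for d in "4111111111111111"]
    events += [("speech", "ivr", "Now enter the security code")] + [("dtmf", d) for d in "123"]
    events += end + [("speech", "agent", "Thanks, payment accepted")]
    rec = CallRecorder()
    for ev in events:
        rec.handle(ev)
    return rec
```

Running `run_call(False)` models the "properly managed" caveat: if the pause signal never arrives, the full PAN lands in the stored recording and on the agent screen, and the audit helper is what surfaces it.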
Recorders that support Automated Pause & Resume or Mute/Un-Mute functionality and, where appropriate, the use of IVR for automated payments will allow you to take card payments compliantly while continuing to enjoy the Agent Quality and Customer Experience benefits that recording provides.