Beware third party payment processing services for your contact centre…

Contact centres need to pay close attention to the guidance from the PCI Security Council as MOTO (mail order telephone order) transactions become a target for fraud. Choosing a payment processing solution carefully is more important than ever, as merchants are ultimately liable for any breach of their account.
A common solution is to outsource the payment processing function to a compliant third party, removing card holder data from the contact centre environment altogether, either by intercepting calls outside of the network or by transferring calls at the point of payment. Job done? It can be – however, there are some gotchas that may in fact bring your organisation into scope of PCI DSS compliance, and therefore into the firing line if the worst happens.

Here are some checks that will help you make the right choices and protect your organisation from the devastating consequences of being responsible for the loss of your customers’ payment information:

  1. Review your call flow and identify the mechanism by which calls are routed via your third party supplier. If this is within your infrastructure or under your control, it is within scope of the PCI DSS and must be secured accordingly to achieve compliance. This may be your phone system, a desktop application or some third party equipment installed on your premises. If anything or anyone within your organisation can affect the call flow in any way, then it is your responsibility if that facility becomes compromised: your business is in scope of PCI DSS and must therefore meet the standard to avoid liability.
  2. Review your contracts to ensure that your supplier is accepting responsibility for the security of card holder data, and that you are aware of your responsibilities for system components within your infrastructure or under your control.
  3. Regularly check that the solution is working as expected by reviewing call recordings, call flows and business processes. This is especially important when onboarding new campaigns, moving premises or deploying new software – bake this into your processes!
  4. Finally, ensure that your backup and disaster recovery processes are fully compliant in the event that your supplier becomes unavailable.

Tom Davies
Technical Director, Ultracomms

Tom currently heads up Research and Development at Ultracomms and has a seat on the Contact Centres Council for the Direct Marketing Association in the UK. With a background in Electronic and Software Engineering, Tom co-founded Ultracomms in 2004, building the first cloud contact centre service offering in Europe. In 2007, Tom led the team that developed the Ultracomms PaySure product portfolio in response to the emerging PCI standards, and has since worked with Ultracomms’ customers and QSA partners to secure their contact centre payment processes. Tom helped Ultracomms achieve their own PCI DSS Level 1 Service Provider status for delivering contact centre services from the cloud in 2016. To contact Tom, email tom.davies@ultracomms.com