Is Your IVR Solution PCI Compliant? Top 5 Ways to Secure Virtual IVR Solutions
Make sure your IVR solution is PCI compliant with these five recommendations.
While it may be hard to believe in the current digital age, many business transactions still take place over the phone. These transactions include those like customer service, order placements, sales, bill payments, and much more.
Many of these transactions involve the callers providing their information over the phone. With data breaches and third-party sellers being a known issue, people can be wary about giving out their information over the phone.
A study performed by Google found that 61 percent of mobile users call a business when they are at the purchase phase of the buying cycle. Other studies show that the number one reason people call banking and financial services is billing questions, which is also the second most common reason for calls to internet service providers. Even about a fourth of calls made to healthcare providers are for billing-related questions.
This just goes to show how often it may be necessary for someone to disclose very sensitive information, such as credit card numbers.
Virtual IVR phone systems are a common first stop for anyone calling a business’ general or customer service line. With these systems, it is essential to comply with the laws and regulations meant to protect people’s sensitive information. If a business is not careful about ensuring compliance, there can be negative consequences not only for the person whose information is compromised but for the business as well.
IVR overview
Interactive Voice Response, also known as IVR, is an automated phone system that can interact with people to deliver customer service over the phone, without the need to talk to a live person. This voice response system is able to provide callers with information and services or even transfer them to a live person through a process of pre-recorded voice messages and a menu of options for them to select. A virtual IVR solution utilizes an internet connection in order to make and receive calls, whereas a traditional IVR system uses a landline.
When a person connects with an IVR solution they are immediately prompted by the pre-recorded voice (or even digitally generated voice) to select one of the numbered menu options with the keypad on their phone or voice input. They are then routed to that option, where they can get the correct help or service they need.
IVR phone systems can be very beneficial for companies for several reasons. They are available 24/7, meaning people can call at any time of the day or from a different time zone and staff do not have to be kept on past business hours. This also leads to lower operating costs, as fewer staff are needed and they do not have to cover longer hours. The staff who are there also have freed up time to focus on more complicated issues.
IVR payments allow for automated phone payments so that live agents do not have to manually record and process payments. IVR payments can be used in several situations, such as paying bills over the phone. While keeping card data away from agents makes the information more secure, IVR payment processing solutions are not necessarily secure on their own, so you will need to ensure your system is PCI DSS compliant.
What does it mean to be PCI compliant?
PCI compliance is specifically for any company that accepts credit/debit card payments. PCI DSS stands for Payment Card Industry Data Security Standard and is a security standard that is administered and managed by the Payment Card Industry Security Standards Council to help prevent credit card theft/fraud. The PCI SSC was formed by the five major credit card companies, Visa, Mastercard, American Express, Discover, and JCB.
PCI compliance applies to all companies, regardless of size or function, as long as they accept, store or transmit any credit card information. Organizations are categorized into one of four levels, depending on the number of Visa transactions conducted over a 12-month period. These four levels determine how an organization reports on and satisfies the PCI DSS requirements.
Failure to meet compliance can result in hefty fines and possible lawsuits from anyone who may have their information compromised.
Top 5 ways to ensure a secure virtual IVR solution
If you are looking into making the transition to a virtual IVR solution or already have one in place then here are the top five ways that you can have a PCI compliant IVR solution.
Make sure your software protects data
When you are shopping around for virtual IVR solutions you need to make sure you find one that is going to protect the cardholder’s data. This means looking at how the software handles sensitive data and the way it stores and encrypts/decrypts it. It is essential that your IVR system uses strong encryption and secure protocols to transfer credit card information. Protecting data is what PCI compliance is all about, so this is a key aspect of becoming and staying compliant.
If you are using a cloud-based or virtual IVR solution then you also need to routinely check that your network is secure. Open/public networks, if that’s what you use, are not known for being secure and are easily attacked. Install and maintain a firewall to help protect your IVR system from attackers.
Stay up-to-date on changes
Since the first version of the PCI DSS was released in 2004, there have been several further versions over the years (version 3.2.1 is the current one and was released in 2018). Technology has changed and progressed rapidly, so the compliance rules need to adapt along with it.
You have a responsibility to keep up with any changes being made in the PCI DSS and look into whether your IVR solution is updated by your provider to continue following compliance rules. Hold your IVR system provider accountable. If you are getting an IVR system for the first time then definitely ask questions, such as how often the software is updated and who you need to contact if there is an issue.
Look at descoped IVR solutions
While some businesses have it set up to where a customer calls and is immediately connected with an IVR system, others will have customers speak to a live agent first. When speaking with an agent a customer may be transferred to an IVR system in order to collect payment information, or any other information needed.
If a customer is talking with a live agent and gets transferred to an IVR system, one way a business can ensure compliance is to use a descoped IVR solution. Anything that is considered “in scope” has access to the customer’s payment information and therefore falls under PCI compliance. A descoped IVR solution collects and processes the payment information itself, without passing any sensitive information on to the organization.
If you are interested in a descoped IVR solution, then before you implement it be sure that it will not give anyone in your contact center, or in other departments, access to sensitive information, so that you maintain compliance.
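As an added illustration of the descoping boundary described above (this is example code, not code from the article or from any IVR vendor), the following Python model keeps the card number on the provider side and hands the organization only a token and the last four digits. The class and function names, the Luhn-valid test card number and the amount are constructed for the example.

```python
# Constructed model of a "descoped" IVR payment flow (example only).
# The provider-side IVR captures DTMF digits and tokenizes the card number;
# the organization's agent record never receives the full PAN.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; catches mistyped keypad entries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class DescopedIvr:
    """Stands in for the provider's IVR plus tokenization vault (in scope)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, never leaves here

    def capture_dtmf(self, dtmf: str) -> dict:
        """Accept keypad input such as '4111...1111#' and return a token."""
        pan = re.sub(r"\D", "", dtmf)      # drop '#' terminator, spaces, etc.
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            return {"ok": False, "reason": "invalid card number"}
        token = "tok_" + secrets.token_hex(8)   # constructed token format
        self._vault[token] = pan
        # Only the token and the last four digits cross the scope boundary.
        return {"ok": True, "token": token, "last4": pan[-4:]}


def agent_record(result: dict, amount_cents: int) -> dict:
    """Organization-side record (out of scope): references the token only."""
    return {"token": result["token"], "last4": result["last4"],
            "amount_cents": amount_cents}


def leaks_pan(record: dict, pan_digits: str) -> bool:
    """Scope check: would any field in the org-side record expose the PAN?"""
    return any(pan_digits in str(v) for v in record.values())
```

Running `leaks_pan` over every record and log line that leaves the provider boundary is the kind of check that backs up the "no sensitive information reaches the organization" promise in practice.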
Regularly check for vulnerabilities
IVR systems can be vulnerable to attacks from both outside and inside the organization. That is why it is vital to perform regular checks for any weaknesses in your system and to use anti-virus software on computers that have access to the network. Having a vulnerability management program is in fact one of the requirements of PCI compliance.
PCI compliance certification
If you have an IVR solution provider, you can ask for their PCI compliance certification. The PCI Security Standards Council offers program training and qualification for organizations and individuals to help them implement PCI standards correctly and successfully. The council also qualifies payment software so that organizations can provide approved solutions for collecting payment data. So you can check whether your provider has gone through this program.
You can also do the program to learn the ins and outs of PCI standards and see if your contact center and IVR are within compliance.
Why is IVR important?
An IVR system is important because so many companies use them today and they are often the first point of contact for people calling to get in touch with a business. This is a vital moment where people can form strong opinions about the type of business they are interacting with. If an IVR has a pleasant voice and tone and is easy to use then the person calling is more likely to view the company favorably.
Where is IVR used?
IVR systems are very prevalent in all sorts of companies, across an array of services. It is common to come across an IVR system for services such as mobile purchases, prescription refills, activating credit/debit cards, doctor’s offices, movie theater showtimes, hearing hours of operation, and much more.