PCI DSS descoping solutions

PCI Telecom is a well established, ambitious UK technology specialist focusing on telephony and e-commerce PCI DSS solutions across all markets. We are focused on delivering real descoping solutions to merchants who feel restrained by the requirements of PCI DSS.

Hosted telephony and card processing platform

Our hosted telephony and card processing platform has an accredited Level 1 certification for PCI DSS compliance with security at the core of everything we do. We have expert knowledge in the field of telecommunications, card processing, PCI DSS and back office services with over 75 years of combined experience within our Senior Team alone.

We deliver solutions for SMEs and Public Sector organisations right through to Large Corporates and we pride ourselves on our knowledge and high levels of customer service. We’re here to make the responsibility of PCI DSS compliance a much smaller consideration, making it easier to re-focus on what really matters to your business and your customers.

What our customers have said

Over the years Regal Credit has developed our relationship with PCI Telecom to incorporate a wide range of communication services: our inbound IVR with integrated payment processing (#AUTOIVR), an outbound SMS gateway to alert our customers to late payments or general account enquiries, reviewing card processing charges to help us reduce our overheads, and integrated web payments with real-time reporting and a dedicated server with EV SSL on the domain (#ONLINE). One of the key reasons we have trusted them with our communications and PCI DSS solutions is their desire to assist us in any way they can. Day or night, we know we can always contact someone with specialist knowledge and excellent customer service.

Nigel Rutzler

Regal Credit is a specialist consumer debt agency based in Surrey. Set up in 1983, they have a large client base including the banking and utilities sectors. Nigel Rutzler is a Director at the company with responsibilities including communications and PCI DSS compliance.

Transport for London (TfL) has been hugely impressed with the innovative way in which PCI Telecom delivers its solutions. They are market leaders in technology solutions de-scoping the requirements of their clients.

PCI Telecom has always responded positively with a ‘can do’ attitude and in a timely fashion to TfL’s changing demands. Our expectations have been fully met and surpassed on many occasions over the several years we have been working together.

John Conway FCMI MILT

Transport for London (TfL) is a local government body responsible for most aspects of the transport system in Greater London. Its role is to implement the transport strategy and to manage transport services across London. One key solution currently being used by TfL is our PCI AGENT solution. John Conway is the Enforcement Manager responsible for the Enforcement & On-Street Operations Directorate.

PCI Telecom has provided Stellar with IVR solutions (#AUTOIVR) that have added significantly to the portfolio of services we offer our customers while still minimising capital outlay and securing PCI DSS compliance (where necessary). The quality and responsiveness of both the application and service given, has allowed us to implement solutions in hours not days, this provides us with significant competitive advantage.

I would thoroughly recommend these services to any enterprise looking to de-scope their PCI DSS requirements.

John McGill

Stellar are the largest group of contact centres in Scotland. They currently use bespoke IVR platforms for a number of the clients brought into their portfolio. John McGill is the infrastructure manager specialising in communications and contact centre applications.

Frequently Asked Questions

What is PCI DSS and who does it apply to?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements relating to the security of the environment in which any company processes, stores or transmits debit or credit card information. The standard, and its management by the Payment Card Industry Security Standards Council (PCI SSC), were created by the major payment card providers – Visa, MasterCard, American Express, Discover and JCB. No matter how large or small your business, PCI DSS compliance applies to any organisation paying money into its merchant account directly using credit or debit card information from a customer or third party.

What happens if we don’t comply with PCI DSS?

Failure to meet the standard leaves you with potential fines of up to £50,000 per infringement. Your business could be identified as having suffered a breach of card and customer data, or be reported to PCI DSS by any number of stakeholders, leading to an invasive forensic investigation into your compliance. You will be liable for the full cost of a forensic investigation (often running into thousands of pounds) should you be found to have fallen short of PCI DSS or to have had an actual data breach. As well as the damage this causes to your reputation, the financial costs are significant, with many non-compliant merchants going into liquidation. Worse still, if the investigation finds a serious breach, your business could be barred from the card acceptance programme altogether.

What are vulnerability scans and do we need them?

If you hold card information post-authorisation then your business requires a quarterly scan by a PCI SSC Approved Scanning Vendor. These vulnerability scans are also known as penetration tests. Failure to comply, or to update systems that have failed a scan/test, can result in a forensic investigation. A vulnerability scan is an automated tool that checks your merchant systems for vulnerabilities or weaknesses. These non-intrusive scans are designed to highlight the potential for hackers to intercept or target your organisation's systems.

What is PCI DSS descoping?

To be compliant, your business must demonstrate an ongoing level of security awareness, showing that it understands the risk of card information being lost or siphoned off; such an organisation is more highly regarded than a non-compliant one. Descoping provides a way of reducing the number of requirements that are relevant to your business's PCI DSS processes. The easiest way to achieve this is to pass the responsibility over to a third-party provider or solution. This often dramatically reduces the overheads assigned to PCI DSS whilst also increasing the level of PCI compliance your business can operate at (for example by using a Level One compliant solution).

What is 3D-Secure?

Also known as ‘Verified by Visa’ and ‘MasterCard SecureCode’, 3D-Secure is an XML-based authentication protocol that adds a layer of security to online payments on VISA, VISA DEBIT, MASTERCARD, MASTERCARD DEBIT, INTERNATIONAL MAESTRO, UK MAESTRO and VISA ELECTRON. Our 3D-Secure technology is designed to reduce the possibility of fraudulent card use by authenticating the cardholder at the actual time of the transaction. This creates a liability shift from your business (acting as the merchant) to the acquiring bank.

What is an IVR?

Interactive Voice Response services (or IVRs) are hosted solutions designed to manage the interaction between humans and computers over voice and DTMF channels. An IVR allows calls to be routed to specific target destinations, retain and store data, calculate and respond to inputted data and provide information to callers without relying on a human at the other end of the call. They are highly efficient in the automated processing of card payments, appointments, real-time information and emergency information as they are often fully integrated directly with databases or computers.

Why is a hosted solution less intrusive?

Many PCI DSS products or solutions require an element of hardware adjustment on-site. This can often involve detailed updates to your PBX, servers, cabling, handsets and more. It can take many hours to complete, and when updates or changes are required in the future another on-site visit is needed, repeating some or all of the original disruption. There are often significant CAPEX costs and OPEX maintenance contracts with poor Service Level Agreements (SLAs), because the requirement is always to have a person on-site. Depreciation is also a major factor when installing hardware that has an obvious end-of-life point after a given period. Implementing a hosted solution gives flexibility, provides ongoing improvements in technology, has very little CAPEX, does not require hardware changes on-site, does not require PBX changes, and provides very efficient SLAs because the solution(s) are accessible in a cloud environment at any time.

How are call recordings stored?

If the recording of calls is a requirement for your business, there are obvious potential breaches of PCI DSS should they not be processed and stored correctly. Our PCI DSS recording service is integrated with both the ‘PCI AGENT’ and ‘AUTO IVR’. Data relating to inputted card information (on our AUTO IVR solution) is never stored in any call or data logs and held securely until the point of processing. Recorded calls on any PCI AGENT service are digitally stored in a single file (unlike some services where call recordings are chopped into sections and have to be pieced back together by the end user) with all DTMF tones removed whilst a caller is entering their card details. Call recordings, call logs and card processing logs are all accessible within a single online account with real-time billing information as standard. Calls are available online for an agreed period of time before being downloaded and stored securely in 2 separate locations for a minimum of seven years.

What is a Standard IVR service?

To receive calls into your business when using the PCI AGENT solution, a standard IVR is provided to route inbound calls. It’s a little extra bonus we’ve added to assist businesses with their call routing. You can even use your existing numbers on our platform. This service includes:

  • Time/Day/Date Plan (this allows us to change the way calls are dealt with during office hours or out of hours)
  • Working Hours – Welcome Message and/or Welcome Menu (maximum 3 options)
  • Option 1 (or standard routing if no menu used) with Call Queue, Music, Informative Messages & Skill-Based Routing
  • Voicemail for Missed Calls
  • Option 2 (if required) with replicated features in Option 1
  • Voicemail for Missed Calls
  • Option 3 (if required) with replicated features in Option 1
  • Voicemail for Missed Calls
  • Out of Hours – Voicemail/Call-Back service
  • Email facility should Call-Back service be used rather than standard Voicemail Box

You don’t have to use these options or even have a Time/Day/Date plan, but the option is available to all customers using our PCI AGENT solution.

What is a ‘card not present’ transaction?

A card not present transaction is a payment made where the cardholder does not or cannot physically present the card for a merchant’s visual examination at the time the request is given and potentially processed. These usually apply to mail-order transactions and to orders placed by fax, telephone or the internet (online).