
Are you ready for shopping season? How improving your card payment process can boost your business this Black Friday, Cyber Monday and in the lead up to Christmas.

The shopping season will very soon be upon us, when shoppers go crazy for a bargain on Black Friday and hunt frantically for the perfect gifts for Christmas. How a business handles this increase in trade takes some planning, ensuring your systems are ready for the rise in demand to keep the business going and customers happy. While the focus is often on marketing and tweaking the product offering, many forget to think about the purchasing process, be it online or over the phone, leading to bad customer experiences and an overloaded workforce.

There’s a simple way to avoid this. Investing in a card payment transaction system that works for your business will support you through the busy times and beyond. Here’s how:

Speed up the payment process

No customer wants to sit on hold. And no business should be happy about it either – a frustrated customer is less likely to spend money with you and much more likely to go to your competitor. Moving to a payment system that is faster and more efficient means you’ll be able to process more calls and transactions in less time – a win-win all round.

Choosing to install a cloud-based solution, like those in our PCI Agent suite, offers the flexibility and scalability to handle higher demand during busy periods by enabling you to add and remove users as required, ensuring you have the right number of staff available to manage calls effectively. Add to that our Auto IVR solution, enabling purchases and payments out of hours without the need for a call handler, and you have yourself an all-round solution that delivers a positive purchasing experience for the customer, meaning they’ll be more inclined to return in future.

Integrate with back end systems

Investing in a system that works with other back end processes, such as a CRM database and stock monitoring, means that you can deliver the best possible service to customers while supporting other business functions. At PCI Telecom, our card transaction solutions support payments made over the phone as well as online and integrate seamlessly with other business functions. This includes monitoring and analysing traffic so that you can plan for the busy periods.

Protect customer payment card data

Many small businesses make the mistake of thinking that they are under the radar when it comes to cyber attack and too small to be of interest to hackers. Actually, small businesses are just as vulnerable to attack and are perceived to be easier targets, especially at this time of year. Making sure you’re up to speed with the latest PCI compliance recommendations relevant to the size of your business is a must. Alternatively, descoping your business from its PCI DSS compliance obligations by outsourcing your card payment system to an external provider, such as us, means you’ll free up more time to focus on managing your core business of delivering products and services to your customers. Our PCI compliant card payment solutions feature end-to-end encryption, so at no point is your clients’ card data accessible to staff, and transactions are carried out directly between our cloud-based system and the issuing bank, avoiding the risk of a data breach.


We know from working with clients that the one-size-fits-all approach to creating card payment processing systems doesn’t always work for smaller businesses, which feel the peaks and troughs of variances in sales more intensely than their larger counterparts. That’s why we have created a suite of solutions that can be adjusted to suit the needs of businesses of any shape and size. Our solutions are cloud-based, affordable, flexible and meet all the criteria for complying with PCI DSS guidelines. To find out more, visit our solutions page or, to talk through your requirements, get in touch here.


For today’s consumer, card payment convenience is key

Did you know that there are still three million businesses in the UK that don’t accept payment by credit card? A risky decision when the recent study also showed that one in six British shoppers now choose only to pay by card*. While making it easier for your customers to pay is an obvious way to secure sales and maintain your place in the market, it is clear that there are still many businesses for whom there is a barrier to allowing card payments in store.

Keeping a competitive edge isn’t just about IF you take payments by card, it also matters HOW. Today’s consumers are time poor; they want convenience and hassle-free transactions wherever possible, be it in person, over the phone or online. Guaranteeing an easy and pleasant buying experience is likely to ensure that customers return in future and refer you to their friends. Phone transactions in particular are considered to be the most profitable if completed quickly and easily, as customers have less time to ponder their purchase.

To many small businesses, the process of setting up a card payment process can seem daunting and complicated, with many compliance hoops to jump through. As the recent data breach at British Airways shows, even the biggest of companies can fall victim to a cyber attack, so it is unsurprising that many smaller businesses are overwhelmed by the prospect of taking customer card details and processing them securely.

In reality, the process of securing card payments doesn’t have to be complicated at all. Here at PCI Telecom we have created card payment processing solutions for payments made over the phone and online that are simple to set up, easy to use and affordable for SMEs. For small businesses, we know that an off-the-shelf card payment product from one of the larger suppliers won’t always do what you want it to do, so we tailor each system we create to suit the exact needs of your business, whether it’s integration with existing back-end systems or being flexible with the number of users. Plus, because we’re a small business too, we can provide personalised technical support as and when you require it.

If it’s the data protection and compliance obligations that you’re concerned by, rest assured that our solutions are all compliant with the latest PCI DSS guidelines, set out by the major credit card brands to ensure that card transactions are processed safely and securely. And because our solutions are all cloud-based, should there be any updates, we deal with them remotely.

More about our PCI DSS compliant card payment solutions:

  • PCI Agent™, PCI Agent™ Outbound, PCI Agent™ TFR, PCI Agent™ Advance – whether you’re a one-man-band business, an SME of up to 100 employees or a larger organisation, we have a variety of solutions for card payments made over the phone.
  • Auto IVR solutions enable fast, effective payments to be made automatically by callers at any time of day, without the need to speak to a person or wait in a queue.
  • Our ONLINE card payment solutions come with EV SSL and 3D-Secure processes as standard, so you and your customers can rest easy that personal and payment data is protected throughout the transaction.
  • PCI MOBILE™ chip & pin solution means you can take payments from customers in person while out and about and on the move. Fully secure with end-to-end Level 1 accreditation.

For more information about these or if you have any other queries, please do get in touch.

* https://www.telegraph.co.uk/business/2017/10/01/three-million-small-businesses-still-dont-accept-cards-despite/

Is human error putting your small business at risk?


According to the Information Commissioner’s Office (ICO), reported data security incidents rose significantly in the final quarter (Jan-Mar) of the 2017/18 financial year, up 17% from the previous quarter, with the five most common causes put down to human error. While some of this increase could be related to greater consumer awareness of data protection in the lead up to the launch of GDPR legislation, it highlights the need for businesses to be aware of the risks associated with human error when it comes to protecting their customers’ data.

While we like to think that our staff are always alert and have the business’s best interests at heart, that might not always be the case. It only takes one careless mistake or a disgruntled employee to cause a significant amount of chaos. That could cost you not only a vast amount of money to sort out, plus the potential fines for breaking data protection laws, but, even worse, cause irreparable damage to your business brand.

So what steps can businesses take to protect themselves from human error leading to a data breach? We know that businesses find PCI DSS compliance a headache, and it can be particularly challenging for small businesses limited by budget and resources. However, believe it or not, it isn’t just about ticking boxes. Going through the process of becoming PCI DSS compliant and maintaining that compliance will help to protect your business too, by ensuring that you employ robust systems and that reliable processes and procedures are in place to deal with a breach should one occur. These include:

  • Creating and implementing a clear policy with regard to the handling of customer data that is adhered to by everyone from board level through to customer-facing staff. This should be communicated during the induction period and in a staff handbook with regular updates when necessary.
  • Relevant and consistent training carried out regularly for new and existing staff so that all are aware of their responsibilities when it comes to protecting customer data, what they should look out for and how to deal with suspicious activity.
  • An organisation-wide knowledge and understanding of data protection and PCI DSS compliance and the possible consequences if rules are broken and a breach of data occurs.

While loss of customers’ personal information is a problem, a breach of their card payment details is serious. You can remove a significant level of risk by implementing a secure card payment processing system to avoid potential mishaps with customer card details. Here at PCI Telecom, we create card payment processing solutions that are PCI DSS compliant with Level 1 accreditation. That means, as a small business, you can get a card processing solution with PCI compliance at a level equivalent to that required of your larger corporate counterparts. For payments made over the phone using our PCI Agent solution, card details are kept hidden from the call handler: the customer enters them via their phone keypad and they are encrypted on entry, while the customer remains on the line at all times – no need to be transferred to an external service, and entirely secure. The system is cloud-based, so there’s no requirement for equipment to be installed on-site, keeping initial capital outlay very low. This, along with low set-up costs and ongoing transaction charges, makes our card processing system the perfect solution for small and medium-sized business budgets.

Visit our Solutions page to find out more or get in touch today.

To read the latest statistics on reported data security incidents visit the ICO website.

Cost effective PCI DSS solutions for small businesses

The hidden costs of running a small business. Don’t let card payment processing be one of them

There’s always more to setting up a small business than you think. Whether it’s unexpected legal fees, higher-than-you-thought tax obligations or data security and compliance costs that you didn’t know existed, at a time when you’re trying to get a business off the ground and cash flow is low and irregular, you could do without the surprises.

So what can you do to avoid these hidden costs? Well, for starters, finding services that are targeted at small businesses will help, and this includes card payment processing and PCI DSS compliance provision.

We know from what our clients have told us that finding a supplier of card processing solutions that suit a small business can be challenging. Many of the larger providers are interested only in dealing with larger companies with 100+ operators or with a contact centre. They offer very little in the way of a bespoke system, supplying only off-the-shelf products at corporate prices, often with high licensing and transaction costs.

What is the alternative?

Here at PCI Telecom, we have created a card processing system that is low in price and can be adapted to suit the needs of your business, whatever its size and type. Our PCI Agent TFR solution is a revolutionary product for SMEs with up to 100 operators, with benefits including a really simple set-up and the ability to keep your existing phone numbers. It is cloud-based, so there is no need for the installation of intrusive equipment on-site, and callers are able to input their card details into a safe, secure and PCI compliant environment without the need to be cut off or transferred into a different system.

And unlike our competitors, it won’t cost you the earth, and you’ll know all the charges right up front, so no nasty unwanted surprises hiding round the corner. Here’s a breakdown of the costs involved:

  • A one-off set-up price – we’ll create a card payment processing system that does EXACTLY what YOU want it to, including integrating with other areas of your business, such as stock monitoring and accounts. And it’s easily adaptable whenever you need to make changes.
  • Monthly rental cost – a pre-agreed ongoing cost for us to host the system on our cloud. Again, this can be flexible and amended to an annual cost if it suits you better.
  • Operator licenses – this can be as many or as few as you wish and can be adapted as your business increases in size.
  • The price per transaction – again, there is no minimum or maximum number of transactions. You just pay a small charge each time the system processes a payment.

And that’s it. All completely up front and adaptable to suit your needs and much more reasonably priced than similar products on the market that don’t offer the same flexibility.

Sounds interesting? Why not give us a call today to find out more. We’ll be able to give you an immediate quote based on what you tell us.

We’ll be showcasing our PCI Agent TFR system, along with all our other PCI DSS solutions, at next year’s Call & Contact Centre Expo, 27 – 28 March 2019 at Excel London. Find out more and book tickets here.


PCI Telecom launches new over-the-phone card payment solution especially for SMEs

Being put on hold or being passed between different departments are some of the biggest bugbears for 21st century consumers. But for businesses, especially SMEs, managing incoming calls and taking card payments over the phone creates all sorts of challenges and risks. ‘Card not present’ (or CNP) payments involve a much higher chance of fraud compared to in-store transactions, so getting the right system in place is crucial when it comes to maintaining data security and PCI DSS compliance while at the same time keeping the customer happy.

Which is why we’re so excited to launch our brand new, revolutionary PCI Agent TFR solution. Gone are the days of expensive and arduous over-the-phone card transactions. Created especially for SMEs, PCI Agent TFR paves the way for businesses to introduce a PCI DSS compliant, live operator, card payment solution that works for both the company and the customer without costing the earth.

How does it work?

Designed for businesses with up to 100 operators with individual DDIs (Direct Dial In numbers), the PCI Agent TFR solution enables customers to input their card details via their telephone keypad into a secure system while remaining on the line to the live operator, with no need to interrupt the call or be transferred to a third party contact centre. The process is quick and easy and entirely secure.

Watch our short video on how the system works from the operator’s perspective here.

What are the benefits for SMEs?

Entirely hosted off site

The system is hosted by us, so it doesn’t require any intrusive bits of equipment to be installed on site. This makes it easy to maintain and tweak as and when required, and there’s no need to arrange for engineers to visit when you want to make changes.

Cost effective

We know that for small businesses, keeping costs to a minimum is important. No expensive bits of equipment means set-up charges remain low. There are no additional call charges or costs for modifications such as call recording, and we also maintain low monthly agent licence and ‘secure mode’ transaction charges.

PCI DSS compliant to Level 1 standard

The card payment process is totally secure and adheres to PCI DSS compliance regulations at a Level 1 standard. The operator hears no DTMF tones while card details are being entered, and card numbers don’t appear on the screen, keeping the data entirely hidden and encrypted on a cloud-based server.

Smooth interaction with the customer

Customers stay in control, inputting their own card details, so there’s no need for them to read sensitive information out loud, reducing the risk of their details being siphoned. Data security means a lot to today’s customer, so enabling them to pay in a safe and secure environment can give you that competitive edge.

Flexible to fit in with the needs of your business

We’re a small business too, so we understand that sometimes an ‘off-the-shelf’ solution doesn’t tick all the boxes. We can create a card payment solution that fits in with all your business’s needs while still maintaining that PCI DSS Level 1 accredited standard. You get to keep your existing telephone numbers, and the system can be tweaked to add new features – such as call recording – at any time.

This new solution sits amongst our other three PCI Agent solutions, designed to cover the needs of all types of business – PCI Agent, PCI Agent Outbound and PCI Agent Advance. Find out more about these along with our other PCI DSS card payment solutions here.


IVR Payments: are the benefits passing you by?

If you haven’t considered installing an IVR payments system before then now might be the time.

As a business owner or manager, you’ll often be faced with the challenging task of finding ways to increase productivity and cut costs while maintaining the same high standard of service for your customers. If you haven’t done so already, then introducing an IVR Payments system could be an easy way to achieve all of those things in one go.

IVR (or Interactive Voice Response) is a technology that enables interaction between humans and computers using voice prompts and/or DTMF tones input via a telephone keypad. For businesses, it enables customers to communicate as well as purchase goods and services over the telephone without the need to speak to a live agent. Here at PCI Telecom, we think the list of benefits of installing an IVR payment system is almost endless, but here are our highlights:

IVR Payments save your business time…

Our IVR Payment solution, AUTO IVR, is entirely customisable, which means that our clients can use a variety of building blocks to create a system that works exactly how they want it to. One of the biggest benefits of IVR Payments is the capacity to integrate with your existing database systems, removing the need to spend hours inputting sales and customer data separately.

And because the system is entirely configured to suit the requirements of your business, you can create bespoke integrations with other business functions, for example online ticket allocation software liaising with box office sales.

…in turn saving you money

Introducing an efficient automated system means you don’t need to pay as many staff hours to do the same job, be it answering enquiries or inputting sales data to generate reports. So you get to invest your profits in improving and developing other areas of the business and promoting your products and services.

It makes it easier for your customers to engage with you

Consumers today lead busy lives. They’re often time-poor and eager to find ways to simplify hectic schedules. Making your business as engaging and accessible as possible is therefore a must. With IVR Payments, customers can communicate with your business using one standard telephone number and purchase products out of hours, or be diverted to an automated service during busy periods, so they can always achieve their purpose for getting in touch. They’ll be less likely to go to alternative suppliers, giving you that increasingly important competitive edge.

And it’s not just about always being available. Integrating IVR Payments with behind-the-scenes CRM systems means that you can create a bespoke service to existing customers, with menus tailored to their needs based on previous purchases or using stored data to complete orders without the need for them to re-enter information each time.

IVR Payments strengthen your PCI DSS compliance

Because there is no human element involved in the interaction with the customer when using IVR Payments, you remove many of the risks and stresses associated with ensuring that members of staff are upholding compliance requirements. PCI Telecom’s AUTO IVR Payment solution is entirely compliant with PCI DSS guidelines, accredited to a Level 1 standard. Our hosted, cloud-based AUTO IVR captures, processes and stores payment information with full encryption, meaning that no human error will lead to a breach.

So what are you waiting for? What could be better than a system that makes your business more efficient AND saves you money at the same time?

For more detail on how the AUTO IVR Payment system works including ideas on the different ways that it can be used, view our IVR Payments with AUTO IVR brochure here or get in touch for more information.


Is going back to basics the best way to tackle PCI DSS and GDPR?

With PCI DSS 3.2 now in place, plus the forthcoming introduction of GDPR legislation next month, businesses are finding their focus is being forced to shift ever more towards the security of customer data. For many businesses, the road to compliance can appear daunting and costly. So what is the best way to tackle these changes in data security expectations? Is adding to what you’ve already got enough, or are you better off going back to basics and starting from scratch?

What are the PCI DSS requirements for my business?

Any business that accepts card payments, be it in person, over the phone or online, is required to meet PCI DSS guidelines at a level that is relevant to their business, based on the volume of card payments that are processed annually. The relevant level and, for those for whom self-assessment applies, the correct Self-Assessment Questionnaire (SAQ) should be the starting point for you to address what is required for your PCI DSS compliance and help you to define the changes that need to be made to your card payment system and processes.

How robust is your existing system?

If you’re failing to meet the criteria for compliance, then stripping your system and heading back to basics could be the most effective means of addressing the issue of protecting your customer data and card payments from a data breach. If you’re currently missing the mark when it comes to PCI compliance, then chances are you’re probably not meeting required general data protection procedures either. Luckily, going through the process of becoming PCI compliant will take you closer to achieving your GDPR obligations too.

It’s a good idea to regularly undertake vulnerability scans and penetration testing of your computers, systems and networks to highlight weaknesses that hackers could potentially exploit. If your system has been kept up to date, then introducing increased security measures such as multi-factor authentication (a new requirement for PCI DSS v3.2) and end-to-end encryption shouldn’t be an issue.

See PCI DSS compliance and GDPR as an opportunity rather than a burden

The introduction of new regulations gives businesses the chance to re-evaluate existing systems and procedures not just to comply with revised guidelines but to look at the payment process as a whole. How do you currently accept payments and what data do you store, process and transmit? Is there a different approach that could be more efficient AND provide a better experience for your customers?

There is no doubt that data security guidelines are here to stay and will develop further in future, so bringing your system in line with this new legislation now will make it easier for you to adapt. And as new requirements stipulate that you show evidence of continuous compliance, you need to find a permanent solution rather than one that simply gets you through PCI DSS assessment. Whatever your approach, to sit back and do nothing is most definitely a no-no. Quite rightly, it is expected that your business takes the issue of protecting customer data seriously, making it a daily priority and not a checklist to achieve compliance.

At PCI Telecom, we create bespoke card processing systems for over-the-phone and online payments that are accredited to a PCI DSS Level 1 standard. Our systems can be installed from scratch or designed to interface with your existing database and accounting functions. Find out more about our Solutions here.


Time to stop cramming, time to start planning: could better organisation help you tackle your PCI DSS compliance?

The new PCI DSS version 3.2 arrived in February, changing the way that compliance is assessed with one crucial new addition – businesses are now required to provide evidence of continuous compliance all year round.

We know from experience that many businesses have in the past taken a denial-and-panic approach to PCI DSS, leaving compliance to the very last minute and implementing temporary fixes purely for the sake of annual assessment. But those days are over. With this change to PCI DSS assessment and the introduction of GDPR in May, businesses are being forced to prioritise the security of their customer data and put greater emphasis on the need for policies and procedures on an ongoing basis. So is better planning and organisation the key to tackling your PCI DSS compliance? We think so, and here is how.

Get to know the specific PCI DSS requirements for your business

The required standards for PCI DSS vary depending on your business’s volume of transactions and how it handles data. Getting to know what is required for the compliance level that is appropriate to your business will enable you to develop and implement a system for capturing the right information accordingly, and stop you from wasting time implementing measures that aren’t relevant.

Do you qualify for self-assessment? If so, take a look at the relevant self-assessment questionnaire (SAQ) – there are nine varieties so you’ll need to research which one applies to you – and work out what you need to complete it so that you can introduce systems now, well in advance of the deadline. You can find out more about self-assessment on the PCI Security Standards Council website.

Allot sufficient time and budget for PCI DSS

PCI DSS compliance can be time consuming, especially when you’re starting from scratch to get procedures off the ground. But that isn’t a reason to put it off. For businesses to achieve compliance, they need to get into the habit of allocating adequate time to making sure that they are adhering to the guidelines consistently, and not just for the purpose of assessment.

Create a schedule of regular PCI DSS check-ups to ensure that procedures are being adhered to, and stick to it. For example, this could include frequent spot checks for clean desks, system firewall updates and checking that new employees are being informed of your data protection policies so they know what to do if they spot system failures or suspicious activity.

Don’t waste time worrying about the fall-out of not being PCI DSS compliant. Channel those efforts into more effective planning for achieving compliance and make sure you have finances available to invest in introducing new systems to help you with the process. In the long run, you’ll have more time to focus on your core business, delivering a great service to your customers.

There are ways that you can make it easier. At PCI Telecom, we deliver bespoke card payment solutions that have PCI DSS Level 1 accreditation for payments made over the phone and online. Outsourcing your card payment processing offsite to us de-scopes your business from its PCI compliance obligations, so it’s us that do the planning and regular checks and not you. Contact us for more information.


Who has responsibility for your business’s PCI DSS compliance?

The new EU General Data Protection Regulation (GDPR) sets out that every company should have a designated individual overseeing data protection – not in terms of deciding what data to store, but ensuring that procedures and policies are in place and knowing what to do should a breach occur. And the same goes for PCI DSS.

But that doesn’t mean that ensuring a company’s compliance is down to one person or department alone. In every organisation there is always the temptation to ‘pass the buck’ on something that isn’t necessarily the team’s specialisation, but actually, for the procedures to be effective, everyone in the business needs to contribute. Here are just a few examples of the roles that different teams will play.

IT

So often, the obvious choice is to place all responsibility for PCI DSS onto the team that runs and manages the IT network. They play an important role in putting firewalls in place that are robust and up to date, as well as ensuring that customer data is being processed in a secure environment and that no cracks appear in the integration between the various systems and databases. Hackers are constantly developing new, clever ways to infiltrate systems, so IT teams have to evolve with new technologies to keep a data breach at bay. But to do this they need the support of…

Business owners/senior management

It’s often tempting for business owners and directors to bury their heads in the sand and have an ‘it’ll never happen to us’ attitude when it comes to data protection and cyber security. That is a dangerous approach to have when data breaches are consistently on the rise, affecting businesses of all shapes and sizes, and the repercussions of not being compliant can destroy the future of the organisation.

Sensible senior management teams, business owners and management boards are very much aware of the risks associated with not being PCI DSS compliant. Ready to invest adequate funds for up to date secure systems and software, they see cyber security as a necessity and an opportunity to improve their relationship with the customer.

A top-down approach is crucial – a survey by ClearSwift in 2015 showed that, worryingly, 22% of employees think they have no responsibilities relating to data security. Management has to oversee the establishment of corporate policies to ensure that knowledge of the risks and responsibilities stretches throughout the organisation. To do this, they need to enlist the commitment of…

Human resources

The HR team is responsible for organising induction and training programmes to maintain the skills of the workforce to the standard required for the business, and this should include topics relating to data protection and cyber security. In addition to training, ensuring that staff handbooks are up to date with information relating to the company’s data protection commitments is essential, as is providing clear guidance on what to do if staff notice suspicious activity within the database and payment systems.

Call handlers/agents

Technology will only ever be as good as the people that use it. While companies can throw themselves into preventing a security breach, they are reliant on the commitment and efficiency of their staff to prevent weaknesses in the payment process, to look out for the signs of a breach and to know what to do if and when it happens.


At PCI Telecom, we create secure card payment systems that work for your business, be it for payments over the phone or online. Our card payment solutions feature end-to-end encryption and have PCI DSS Level 1 accreditation. Find out more about passing on your PCI DSS compliance responsibilities to us AND getting a card payment system built bespoke for your business by giving us a call today.


Will 2018 be the year you decide to take PCI DSS compliance seriously?

We all know that cyber attacks and data hacks are on the rise. Once again, experts are predicting that 2018 will be another record year for the number of cyber security attacks and data breaches affecting businesses of all shapes and sizes. Yet, despite the warnings, a startling number of businesses still don’t have adequate protection to fend off the hackers nor appropriate procedures in place to deal with an attack should it occur.

PCI DSS was established in 2004 by the major payment card brands as a means of encouraging businesses to tackle the issue by introducing a set of clear security standards to comply with when processing card payments and apply to all businesses, regardless of their size, who accept payments over the phone and online.

With the deadline to comply with the new version, PCI DSS 3.2, fast approaching (in February!), will 2018 be the year that your business finally gets to grips with PCI DSS compliance? Here are our three big reasons why we think it absolutely should be:

There’s the small matter of GDPR…

The new European Union General Data Protection Regulation (GDPR) legislation comes into effect on 25th May 2018, meaning that there is greater pressure on water-tight data storage and more severe repercussions should a data breach occur as a result of having less-than-adequate procedures in place. Many businesses are scrambling to understand and meet the ever-increasing compliance requirements but, very handily, becoming PCI DSS compliant will help move you closer to achieving GDPR compliance too.

Hackers are getting cleverer

The techniques that hackers use to access data are evolving all the time as they create increasingly clever ways to infiltrate systems. The challenge for businesses is to stay one step ahead, and they can help themselves by ensuring that their processes are compliant with the latest security standards. As the chance of facing an attack grows, being compliant means you’ll have the right procedures in place to deal with a cyber attack.

The penalties for non-compliance are getting more severe

While some businesses postpone addressing their PCI DSS compliance, they won’t be able to avoid the inevitable consequences should their payment systems get hacked. Depending on how slack the system is when it is hacked, the resulting fine can range from hundreds to thousands of pounds and this is increasing. Plus there’s the possibility of a ban on accepting card payments and even more harmful, damage to your brand reputation. In today’s market, customers have high expectations of businesses doing everything they can to protect their data. The loss of trust amongst your customer base could mean disaster for business.

So what can you do about it?

Staying ahead of the game and on top of compliance is a big challenge for many businesses particularly those that are smaller and don’t have the internal resources to hand. Finding staff with up to date skills and expertise to create and protect a secure payment system is difficult, as is the process of regular PCI DSS self-assessment.

But that’s where we come in. PCI Telecom creates card payment systems that are bespoke to your business, that are entirely compliant in the very latest PCI DSS regulations with Level 1 accreditation. We take the responsibility of being PCI DSS compliant away from your business so that you have more time to focus on other core areas. For more information about how we can help you, visit our Solutions page.


What is your best defence in the fight against cyber crime this Black Friday and Cyber Monday?

For many businesses, the Black Friday / Cyber Monday weekend is a very lucrative time of year, scooping incredible profits, winning market share and gaining new customers. But it can also cause the biggest headache, facing the fight against cyber security hacks and data breaches.

Busy businesses and increased sale volumes lead to stretched teams and often loosening of procedures which creates the perfect environment for cybercriminals to showcase their capabilities and, in the worst case scenario, can result in lost revenue, lost customers, lost data and brand damage.

Many businesses think their sites are too small to attract attention but sadly this is not the case. Hackers are more often than not targeting smaller organisations, perceiving them to be less prepared. So how should you be arming your business to protect it from a cyber attack?

Informed employees

Your staff are the greatest asset you have in the fight against cybercrime. The best defence against an attack is the ability to recognise it early to minimise the impact so employees at every level should be well-informed and educated on what to look out for.

There should be an organisation-wide approach to tackling the cyber security threat, rather than the responsibility of one department, with investment in expertise and training worth every penny to ensure that all understand the potential risks and the impact that a data breach could have on the business.

Employing temporary staff during the busy period? It is vital that they are up to speed with procedures too or that extra supervision is in place. Would they recognise a potential threat and do they know who to report it to?

A robust IT and phone system

While your staff are your greatest asset, it is crucial that they have the most effective tools at their fingertips. A card payment system that enables customers to enter their information either online or over the phone, encrypting and protecting the data as it transfers through the payment process so that it can’t be intercepted by hackers, will guarantee the most efficient and secure processing of sales.

Back up your data and make use of a secure replication server to safeguard your data in an environment external to your business. Double check that the latest software updates have been installed and that security certificates and sufficient firewalls are in place and up to date.

Comprehensive policies and procedures

So what do you do if something suspicious appears? The earlier a potential threat is recognised, the sooner the right measures can be undertaken to minimise risk and stem the impact to avoid further damage. Make sure that you have complete procedures in place and that the right people know about them.

Applying appropriate PCI DSS compliance procedures for your business will not only help protect your card payment processing system from hackers but going through the implementation process will also make sure you have the right procedures at the ready should you fall victim to a cyber attack.

At PCI Telecom, we create bespoke card processing systems for payments over the phone or online that are PCI DSS Level 1 accredited. We take the responsibility of PCI DSS compliance and stress of payment data protection and encryption off your shoulders so that you can focus on the day to day management of your core business. Get in touch to find out more about how we can help.


Two years in. What do our customers say about us?

From the very beginning, we knew that there was a gap in the market to offer small and medium sized businesses a solution to their card payment processing needs that would at the same time address their PCI DSS compliance obligations. Having just celebrated our second birthday, we thought we’d take the time to look back over what we’ve achieved so far.

We’ve been lucky enough to have worked with a variety of businesses since we started, from retailers and e-commerce sites to rail operators and visitor attractions. Below are two examples of client projects that we are proud to have developed and implemented.

Museum of London

The Museum of London chose us as their preferred supplier to address concerns relating to their PCI DSS compliance, specifically with over-the-phone payments being made to a live operator. After meeting to discuss their requirements, we created and installed a hosted PCI DSS Level 1 accredited DTMF suppression solution (our PCI Agent™) that enables callers to input their card details securely via their telephone keypad without the need to temporarily cut off the agent. The system included a new dedicated Box Office sales line and full interaction with telephone systems on both inbound & outbound calls.

In addition, we introduced a unique email receipt functionality for the museum along with an inbound IVR solution that distributes calls to Box Office agents and other departments. Call reporting and card logs were integrated into the agents’ on-screen portal within PCI Agent™ allowing for quick transfer, searches and refunds to take place during a call. This new system means that not only have they addressed their PCI DSS compliance concerns, their callers reach the right department quickly and efficiently, improving the customer experience as well as staff productivity.

Adam Monnery, Head of ICT at The Museum of London said: ‘The PCI Telecom team were proactive from the moment we contacted them. Unlike many other PCI DSS suppliers, who focus solely on large corporates, PCI Telecom were happy to meet with us and discuss our needs. They were keen to work with us to develop a bespoke solution which allows us to process payments securely, efficiently and meeting our PCI DSS commitments. Their after-sales service is also second to none as they are easy to get hold of and proactive in solving problems in a timely manner.’

Merseyrail

Train operator, Merseyrail, responsible for carrying 36 million passengers every year around Liverpool and its environs, were looking to introduce easier payment options for passengers that had received penalty notices. They needed a solution that could be installed at ticket offices, that was easy for staff to use and that could integrate with processes already in place.

Having listened to their requirements, we introduced a bespoke hosted IVR solution encompassing all their existing telephone systems. Merseyrail passengers can now call a single number to speak to customer services, the prosecutions department and passenger assistance as well as automatically pay the balance of their penalty fare notice, car parking fine or out of court settlement. All calls to operators are recorded for monitoring and training purposes (including outbound calls) and all payments can be processed in a fully PCI DSS compliant manner with Level 1 accreditation. We also introduced a web payment facility with the highest level of security for passengers. Both payment channels integrate directly with the associated Merseyrail databases to provide real-time reports on outstanding penalty notices and car parking fines.

Steve Sheils, Head of Revenue Protection at Merseyrail said: ‘We have been using the PCI Telecom solution for almost 12 months and have been extremely happy with the results. Our web payments are now fully secure and our telephone system routes calls to the appropriate person/department and manages calls out of hours with an auto-responder; something we never had before.

We have seen an improved customer experience especially during periods of train service disruption. The automatic payment line and web payment site automatically links to our systems affording the customer a seamless process for making payments. Dropped calls have significantly decreased and the reporting capability is second to none. The team at PCI Telecom understand our business and respond expeditiously to any issues.’

Could we do the same for your business?

The world of PCI DSS compliance can be confusing and sometimes intimidating. While the larger providers offer off-the-shelf solutions primarily to suit big companies, at PCI Telecom our approach has always been to simplify the process and deliver bespoke over-the-phone and online card payment processing solutions that meet the specific needs of every business we work with and ensure that PCI DSS compliance is achieved.

Whether you’re looking to replace an entire payment system or if there is just a small gap in your card processing or PCI DSS compliance that needs plugging, we’d be happy to help. Visit our Solutions page to find out more about what we offer or alternatively, get in touch here.  We are looking forward to seeing what the next two years bring our way.


Review your card payment processes in Cyber Security Month 2017

October sees the 5th anniversary of European Cyber Security Month (ECSM), the EU’s awareness campaign that takes place each year across Europe. The aim is to “raise awareness of cyber security threats, promote cyber security among citizens and organisations; and provide resources to protect themselves online, through education and sharing of good practices.” (www.cybersecuritymonth.eu)

Week 1 (2-6 Oct) is focussed on Cyber Security in the Workplace, raising awareness amongst companies, employees, IT professionals & senior management about the current cyber security threat and offering training for prevention. So, as part of this, here are some reminders of things you can do to protect your business from a cyber attack:

  1. Adapt new technologies.

    It’s impossible to keep up with every new piece of technology that gets released onto the market but evaluating your database and payment systems on a regular basis, implementing software updates and keeping abreast of new developments is crucial to protecting your business and your customers. While it won’t necessarily prevent breaches from occurring, it will make it much harder for criminal hackers and create a deterrent for future attacks.

  2. Educate your employees.

    The most up to date technology can’t help you unless your employees understand their roles and responsibilities in safeguarding sensitive data and protecting the company’s resources. Proper training will help employees to detect and deter different attacks. They are your most valuable defence in the fight against different threats so be sure to make the most of them.

  3. Implement network segmentation.

    Segmenting your IT network, including your database and card payment process into different ‘zones’, each with varying security requirements, thwarts hackers from accessing complete customer data and limits the damage that they can cause.

  4. Have a plan in place.

    If the worst case scenario happens and you do fall victim to hackers, breaches in payment data have the potential for significant financial impact so it’s essential to be prepared to react quickly and have a plan in place to notify affected customers and authorities as soon as possible so that they can take appropriate actions and limit further damage.

  5. Follow PCI DSS and other best practices.

    Companies that handle card payments are required to comply with standards, such as PCI DSS, which provide policies and procedures intended to optimise the security of credit and debit card transactions and protect customers against misuse of their personal information. Regularly checking your compliance with these standards will help to ensure that your systems are in the best possible condition to fend off attempts at data hacking.
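As an added illustration of point 3 (network segmentation), here is a small Python audit that checks firewall flow logs against a zone policy in which the cardholder data environment is reachable only from the payment application tier. This is example code written for this page, not PCI Telecom’s: the four zones, the allow-list, the port numbers and the log lines are all constructed assumptions standing in for a real card-payment network.

```python
"""Zone-policy audit of firewall flow logs for a segmented network.

Added example, not PCI Telecom's code: the zone layout, the allow-list
and the log lines are constructed assumptions standing in for a real
card-payment environment.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Four zones; the cardholder-data environment (CDE) is the database tier.
ZONES = {
    "corporate":   ip_network("10.0.1.0/24"),   # office LAN, call handlers' PCs
    "dmz_web":     ip_network("10.0.2.0/24"),   # public web front end
    "payment_app": ip_network("10.0.3.0/24"),   # payment application tier
    "cde_db":      ip_network("10.0.4.0/24"),   # cardholder data store
}

# Explicit cross-zone allow-list: (source zone, destination zone, TCP port).
# Everything not listed is denied; only the payment app may reach the CDE.
ALLOWED = {
    ("corporate",   "dmz_web",     443),
    ("dmz_web",     "payment_app", 8443),
    ("payment_app", "cde_db",      5432),
}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def is_permitted(src_zone: str, dst_zone: str, dport: int) -> bool:
    """Intra-zone traffic is allowed; cross-zone only if on the allow-list."""
    return src_zone == dst_zone or (src_zone, dst_zone, dport) in ALLOWED


def audit_flows(log_lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return flows the firewall *allowed* that the policy says it should not.

    Each finding is a gap in the segmentation: a path into a zone that the
    design said should not exist (e.g. office LAN straight to the CDE)."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue                  # unparseable line: skip, don't abort the audit
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        dport = int(m["dport"])
        if m["action"] == "allow" and not is_permitted(src_zone, dst_zone, dport):
            findings.append((src_zone, dst_zone, dport, line.strip()))
    return findings


# Constructed sample log: two of the six flows should never have been allowed.
SAMPLE_LOG = """\
2017-10-03T09:12:01 src=10.0.1.25 dst=10.0.2.10 dport=443 action=allow
2017-10-03T09:12:02 src=10.0.2.10 dst=10.0.3.10 dport=8443 action=allow
2017-10-03T09:12:03 src=10.0.3.10 dst=10.0.4.10 dport=5432 action=allow
2017-10-03T09:12:04 src=10.0.1.25 dst=10.0.4.10 dport=5432 action=allow
2017-10-03T09:12:05 src=203.0.113.7 dst=10.0.4.10 dport=22 action=deny
2017-10-03T09:12:06 src=10.0.2.10 dst=10.0.4.10 dport=5432 action=allow
"""

if __name__ == "__main__":
    for src, dst, port, line in audit_flows(SAMPLE_LOG.splitlines()):
        print(f"segmentation gap: {src} -> {dst}:{port}   {line}")
```

Run against the sample log, the audit flags the office LAN and the web tier both reaching the database tier directly, which is exactly the "complete customer data" exposure that zoning is meant to prevent; the denied flow from the untrusted address is correct behaviour and is not reported.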

Why not use this Cyber Security Month as a catalyst for examining your card payment processing system and see if you can make improvements in protecting your customer data? At PCI Telecom, we create bespoke card payment processing systems that integrate seamlessly with your networks and databases. We have an accredited Level One certification for PCI DSS compliance with security at the core of everything we do. To find out more about us and how we can help your business, visit our Solutions page.


Worried about GDPR? If you’re PCI DSS compliant then you needn’t be…

Next year sees the introduction of the EU’s new data legislation, the General Data Protection Regulation or GDPR. It applies to any organisation storing or processing personal data, whether using automated systems or manual filing, and replaces the Data Protection Act that has been in place since 1998.

But what does the introduction of this new legislation mean for UK businesses? And how will GDPR work alongside PCI DSS?

What is GDPR and what does it mean for my business?

The GDPR legislation applies to ‘personal data’ and ‘sensitive data’ which includes everything from basic contact details through to detailed genetic information. Companies in the EU that store or process this data will have to do so transparently and with a specific purpose and also with consent from the data owner. Not adhering to the rules could land you with a hefty fine of up to €20 million or 4% of your global annual turnover, whichever is greater. Ouch.

What about Brexit?

The UK government has confirmed that the UK will still be adopting the new GDPR legislation despite the result of the 2016 EU referendum to leave the EU. GDPR will be in place as planned from May 2018.

So, what is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements relating to the security and storage environment of any company processing, storing or transmitting debit or credit card information. The standard and the management of it, by the Payment Card Industry Security Standards Council (PCI SSC), were created by the major payment card providers – Visa, MasterCard, American Express, Discover and JCB. No matter how large or small your business, PCI DSS compliance must be applied by any organisation paying money into their merchant account directly using credit or debit card information from a customer or third party.

So how will GDPR and PCI DSS work together?

Jeremy King, International Director at the Payment Card Industry Security Standards Council (PCI SSC), said:

“People come to me and say, ‘How do I achieve GDPR compliance?’ … Start with PCI DSS.”

Both GDPR and PCI DSS aim to ensure that businesses secure the processing and storage of customer data. PCI DSS focusses specifically on the processing of customer card payments whereas GDPR is about protecting customer information in a broader sense. However, while GDPR provides extensive guidelines about the kind of information that needs to be secured, PCI DSS gives more detailed controls and methodology for securing data. So by taking the steps to becoming PCI DSS compliant, you take a huge leap towards reaching the data protection standards of GDPR.

At PCI Telecom, we create and manage credit card processing systems for over the phone and online payments that are bespoke for your business. Outsourcing your card payment processing to us means you take advantage of our PCI DSS Level 1 accreditation without the hassle of developing your own extensive internal processes.

Further information about GDPR can be found on the Information Commissioner’s Office website.  For more information about our PCI DSS Level 1 accredited card payment systems, visit our Solutions page.


Hosted vs physical phone systems. What are the benefits of moving away from fixed phone lines to a hosted phone solution?

As technology continues to move to cloud-based software, business phone lines are following, with less reliance on physical phone systems and a growing demand for hosted telephony solutions. Hosted phone systems differ from the traditional fixed phone line in that they are hosted on an external server and entirely managed offsite, with no need for any equipment or wiring to be fitted at your office. Calls are transmitted via your business broadband service.

But what are the benefits of moving away from traditional fixed phone systems to a hosted telephony solution and how can it help with your PCI DSS compliance?

Flexibility

Hosted phone systems offer a whole new level of flexibility that cannot be achieved with a traditional fixed phone line. While physical phone systems offer a static approach to managing calls, hosted phone systems enable businesses to streamline, ensuring that customers reach the right person and can achieve the reason for their call. Extra lines can be quickly and easily added as and when required, and calls can be forwarded to multiple or alternative locations during busy times. Call recording and archiving is straightforward, and the system is easily adapted as the business changes over time.

Reliability

Because hosted telephony doesn’t require any bulky bits of equipment onsite, it means that you’re less likely to be interrupted by technical problems which is great for business continuity. As the system is managed offsite, technical support is quickly on hand, removing the frustratingly familiar scenario of waiting for an engineer to arrive and parts to be replaced.

Descope your business from its PCI DSS obligations

Using hosted telephony solutions makes it easier to integrate an effective over-the-phone payment system and allows you to outsource your PCI DSS responsibilities to descope your business from its compliance obligations. You can create a totally bespoke, fully compliant payment system that suits the needs of your business and your customers. Callers can be passed seamlessly between agents and the system into which they input their card details without the need to interrupt the call and this information can then be fed directly into your database and CRM system behind the scenes.

Sounds too good to be true? Well we can tell you that it isn’t. And because hosted telephony uses your broadband service to transmit calls, your ongoing costs are much lower than that of a separate fixed line service.

About PCI Agent™

PCI Agent™ is our Level 1 hosted telephony solution providing a secure payment system that is totally bespoke for your business. With bonus features such as call recording and real-time statistics for all users, it can play a crucial role in improving customer service levels. Crucially, it allows callers to enter their own card details whilst staying on the call with a live agent without having to read out sensitive card details or be passed over to a third-party contact centre, in turn descoping your business fully from its PCI DSS obligations.

Find out more about PCI Agent™ here.


Five ways to beat the competition!

How a hosted telephony solution can give you an advantage over your rivals

What differentiates you from your competitors? Every company needs a competitive edge to survive in an increasingly competitive marketplace. And with consumers more willing to shop around, it’s important to look at all the ways in which you can gain an advantage.

Excellent customer service is one way to distinguish yourselves and for your business part of this could be how you handle calls and take payments over the phone which is where a hosted telephony solution might just be the answer. Here are our five ways that a hosted telephony solution could give your business the edge it needs:

  1. Hosted telephony solutions provide a secure payment process that enables customers to input their card details into a system that is fully compliant with PCI DSS and other regulatory requirements. Credit card fraud and cyber crime are hot topics and customers are far more likely to use companies that they know will keep their data safe.
  2. The interaction between the call handler and the card payment software is seamless, creating a smooth-not-clunky experience for the customer. The payment process is easy to use and callers don’t know that they’re being passed between a call handler and the secure payment system.
  3. Hosted telephony solutions are flexible and reliable. The call handling process can be easily adapted to suit your business’s requirements and calls can be transferred quickly and easily at busy times so customers are always able to get through to someone.
  4. As the system is hosted on external servers, there is no need for bulky bits of equipment onsite, which means that the chance of technical issues arising is a lot lower. If there are any problems, there is dedicated technical support so they get sorted quickly and efficiently, ensuring continuity for your operations.
  5. Introducing a hosted telephony system, bespoke for your business, doesn’t cost as much as you might think. Low cost to set up and cheaper ongoing overheads mean you get to keep your prices down, giving you that crucial price advantage over your competitors.

About PCI Agent™

PCI Agent™ is our Level 1 hosted telephony solution which allows callers to enter their own card details whilst staying on the call with a live agent without having to read out sensitive card details or be passed over to a third-party contact centre. PCI Agent™ descopes your business fully from its PCI DSS obligations while at the same time providing a secure payment solution bespoke for your business. And with bonus features such as call recording and real-time statistics for all users, it can play a crucial role in improving customer service levels.
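To make the mechanism described in the two "About PCI Agent™" sections concrete (the caller keys their card number while the agent stays on the line, and neither the agent nor the call recording ever receives the digits), here is a Python simulation written for this page. It is illustrative code, not PCI Agent™ or any PCI Telecom software: the event model, the use of "#" to end card entry, the Luhn check, the first-six/last-four masking for the agent portal and the sample call are all assumptions made for the example.

```python
"""Simulated DTMF-suppression card capture during a live agent call.

Added example: this is illustrative code, not PCI Agent(TM) or any
PCI Telecom code. Event names, the '#' terminator and the sample call
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

SUPPRESSED = "[tone suppressed]"   # what the agent and recorder get instead of a digit


@dataclass(frozen=True)
class CallEvent:
    kind: str        # "speech", "dtmf", "capture_start", "capture_stop"
    value: str = ""  # transcript fragment or a single keypad character


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; also rejects lengths outside 13-19 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits: the most PCI DSS permits on a screen."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def process_call(events: Iterable[CallEvent]) -> dict:
    """Split one call into (a) the stream the agent hears and the recorder
    stores, and (b) the PAN handed to the payment processor.  While capture
    is active every keypad tone is replaced by a marker, so neither the
    agent nor the recording ever contains the card number."""
    agent_stream: List[str] = []
    keyed: List[str] = []
    capturing = False
    pan: Optional[str] = None

    for ev in events:
        if ev.kind == "capture_start":
            capturing, keyed = True, []
        elif ev.kind == "capture_stop":
            capturing = False
        elif ev.kind == "dtmf":
            if capturing:
                agent_stream.append(SUPPRESSED)
                if ev.value == "#":          # caller signals end of entry
                    pan = "".join(keyed)
                    capturing = False
                elif ev.value.isdigit():
                    keyed.append(ev.value)
            else:
                agent_stream.append(f"DTMF {ev.value}")  # e.g. a menu choice, safe to hear
        else:
            agent_stream.append(ev.value)

    valid = pan is not None and luhn_ok(pan)
    return {
        "agent_stream": agent_stream,
        "pan_for_processor": pan if valid else None,   # the only place the PAN leaves
        "portal_display": mask_pan(pan) if valid else None,
        "status": "captured" if valid else "rejected",
    }


def sample_call(pan: str = "4242424242424242") -> List[CallEvent]:
    """Constructed call: one menu key press, then a card entry (test PAN)."""
    events = [
        CallEvent("dtmf", "1"),                                   # 'press 1 for box office'
        CallEvent("speech", "Agent: please key your card number, then hash."),
        CallEvent("capture_start"),
    ]
    events += [CallEvent("dtmf", ch) for ch in pan]
    events += [CallEvent("dtmf", "#"),
               CallEvent("speech", "Agent: thank you, that has gone through.")]
    return events


if __name__ == "__main__":
    result = process_call(sample_call())
    print(result["status"], result["portal_display"])
    print("\n".join(result["agent_stream"]))
```

The point to take from the simulation is where the card number can and cannot appear: the menu key press before capture passes through, every tone during capture is replaced, and a mistyped number (one that fails the Luhn check) is rejected without ever being shown, so the agent stream and the recording are safe to store and review.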

Find out more about PCI Agent™ here.


What does PCI DSS compliance mean for start-ups?

PCI DSS compliance regulations apply to any business that stores payment card data and processes card transactions, be it over the phone or online. In modern enterprise, this encompasses a lot of businesses. But what does PCI DSS compliance mean for start-ups? And what can they do to ensure that they reach the appropriate compliance standards and avoid infringements or, worse still, a data breach?

Why should start ups become PCI compliant?

Achieving PCI compliance is great for your reputation. As data security becomes a bigger issue around the world, reaching the appropriate standard of PCI compliance reassures your customers and suppliers that you take data protection seriously and gives you an edge over competitors to aid business growth and success.

What isn’t so great for your reputation is a data breach. SMEs are more frequently falling victim to cyber-attacks, seen as easier to target because of their less robust security systems. Damage to your brand is what you really don’t need when you’re trying to get a business off the ground, nor is the hefty fine you’d receive if you fell victim to an attack without secure systems in place.

Going through the process of becoming compliant will give you a good understanding of your business’s card payment processes so you have a better chance of being able to identify gaps and fix weaknesses as your business grows to make that dreaded data breach much less likely.

Merchant levels and what is required

The Payment Card Industry has devised ‘merchant levels’, determined by the volume of card transactions that a business processes, which set out the standard of security that is required as well as the method by which a business becomes PCI compliant.

As a start-up, it’s unlikely that at the beginning you will receive a high volume of transactions and as such, the self-assessment process is enough to achieve PCI DSS compliance. This involves completing a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance form provided by your acquiring bank. The PCI Security Standards Council has guidance for those businesses looking to go through self assessment – https://www.pcisecuritystandards.org/pci_security/completing_self_assessment.

While self-assessment can seem like a simple route to achieving compliance, it’s not always straightforward. Sometimes identifying the right self-assessment questionnaire for your business can be a challenge in its own right.

When you’re short of money and time

Launching a start-up company requires extensive resources and often means ploughing money and time into getting the business off the ground. Setting up payment card processing systems that comply with PCI DSS regulations from scratch can be time consuming and if it’s not your area of expertise then it’s likely to take even longer, at a time when your energy could be better spent elsewhere.  We know this is why businesses often put off addressing their PCI compliance. Especially for start-ups, it can often seem unimportant in relation to other areas of the business.

The solution is to look at outsourcing options either to a Qualified Security Assessor (QSA) to carry out the self-assessment questionnaire on your behalf or alternatively to a PCI compliance specialist to take on your card payment processes.

At PCI Telecom, we create bespoke card payment solutions for payments over the phone or online specific to your business. All of our solutions integrate seamlessly with other systems and databases and have PCI DSS Level 1 accreditation which means that you can descope your business from its PCI DSS compliance responsibilities, shifting them over to us instead. So you get a card payments process that works for you AND you achieve PCI compliance all in one hit, plus peace of mind so that you can focus your energy on developing your product and service.

Click here to find out more about our solutions.


What is an automated IVR and how will it remove your PCI DSS risk?

If you’re a business owner looking to replace your call-answering system, then there’s a chance that you sometimes feel flummoxed by the options out there and daunted by finding the right system to suit your business operations. An automated IVR solution will probably be something you’ve looked at, but what is it? And could it help your business remove its PCI DSS risk?

What is an automated IVR?

An automated IVR (interactive voice response) solution enables callers to navigate through a range of options using their telephone keypad or voice. We’re all familiar with ‘press 1 to go to this’ or ‘press 2 to do that’ – well, our AUTO IVR™ solution does that but with the added extra of being able to interact with the caller and carry out automated tasks without the need for a member of staff to speak to them. For example, callers can respond to a survey or a yes/no question, enter passwords and account information or make a credit card payment by inputting their card details, which is where PCI DSS compliance comes in.

So how does AUTO IVR™ remove your PCI DSS risk?

Firstly, because AUTO IVR™ does not require an agent to answer a call, it removes the risk of secure information falling into the wrong hands. According to statistics obtained from the Information Commissioner’s Office, 62% of data breaches reported were as a result of human error which included information being sent to the wrong person and the loss and theft of paperwork (‘Human error causes more data loss than malicious attacks’, ComputerWeekly.com, June 2016). Removing this risk greatly reduces the chances of your business suffering a data breach and falling foul of PCI DSS regulations. Needless to say, it also saves you money on staffing costs.

Secondly, AUTO IVR™ plays a vital role in making sure that every step in your payment process is reliable and robust and in turn PCI DSS compliant. At PCI Telecom, we create bespoke solutions that work for your business, interfacing directly with your own databases and CRM systems, maintained either internally or using our secure hosted servers. We believe AUTO IVR™ is the most adaptive, responsive and configurable solution on the market as it enables you to capture, integrate and process card payment information using a system that has Level 1 PCI DSS compliance accreditation, closing any potential cracks and weaknesses in the payment process and descoping your business from its PCI DSS responsibilities. For larger operations, we can link AUTO IVR™ with interactions and transactions being made through other means such as call centres (using PCI Agent), online and out in the field. This consolidates your payment systems and removes the risk of duplications, particularly useful if you’re dealing with items of limited stock and selling across multiple platforms.

Visit our Solutions page to find out more about AUTO IVR™ or any of our other services. Alternatively, please do get in touch here.

What happens if you don’t comply with PCI DSS?

‘It’ll never happen to us.’  Well, actually it might. More and more businesses are finding themselves the targets of hackers as cybercrime reaches record levels.

And it’s not just large corporates that need to be careful. Small and medium-sized organisations are just as likely to become victims of a cyber attack. According to Small Business Trends, 43 percent of cyber attacks target small businesses, yet only 14 percent of them rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective, and 60 percent of small companies go out of business within six months of an attack.

That’s the whole point of the PCI DSS: a single set of security requirements that every business handling card data must meet, with the way you validate compliance scaled to your transaction volume, to help you prevent a breach and protect your customers’ data.

So what can happen if you don’t comply with PCI DSS regulations? And what if your business does find itself a victim of a cyber attack?

You could be liable for non-compliance fines.

Before you’ve even encountered any form of data breach, you could be in receipt of a fine for not complying with the PCI DSS. While the standard isn’t a legal requirement, compliance is a contractual obligation between you, your acquiring bank and the card brands.

Data may be at risk of being compromised.

There is a sequence of steps that takes place when a person makes a payment using their card over the phone or on the internet. Attackers target the weakest link in that chain which, more often than not, is the merchant. If your business doesn’t operate systems that meet the current version of the PCI DSS, there is a high risk your customers’ sensitive details could end up in the wrong hands.

If you have a suspected breach, you’ll undergo a forensic investigation by a PCI Forensic Investigator (PFI)…

…and the cost of this will sit entirely with you if there is sufficient evidence to show that your systems were responsible for the breach. This alone can run into thousands of pounds.

You’ll receive a fine

In addition to the forensic investigation costs, if your payment processes are found to have been non-compliant then you’ll also be liable for a significant fine, up to £50,000 per infringement. These fines are levied by the card brands on your acquiring bank, which passes them on to you under the terms of your merchant agreement.

Your reputation will be damaged

Having to pay a whopping fine is one thing, but preserving your company’s brand reputation is quite another. The damage caused by a data breach could be irreversible. The Deloitte Consumer Review, ‘Consumer data under attack: the growing threat of cyber crime’ (2015), states:

‘Consumers are very clear in their message to businesses and third-party organisations: the number one issue that would make consumers reconsider using an organisation is if that organisation lost their data or failed to keep it safe’

At PCI Telecom our solutions are validated as a PCI DSS Level 1 service provider, which means our card payment processes are assessed every year by a Qualified Security Assessor against the most stringent tier of the standard. We create bespoke, cloud-based card processing systems for payments over the phone and online, and we work closely with you to make sure that the system fully integrates with your existing set-up. Find out more about our solutions here or get in touch.

How much does PCI DSS compliance cost? Probably not as much as you think.

We know from the businesses that we speak to that cost is a major consideration when it comes to addressing their PCI DSS compliance. Many perceive that becoming PCI DSS compliant means forking out on expensive software such as firewalls and encryption systems or bringing in extra staff. In reality the costs of PCI DSS compliance don’t have to be as much as you think.

Do you meet the criteria for PCI DSS self-assessment?

Small merchants and service providers can, where their acquirer or the card brands permit it, validate compliance by completing a PCI DSS Self-Assessment Questionnaire (SAQ). There are eight different SAQs, and which one applies depends on the nature of your business and how payments are taken. You might fall under the criteria for more than one of them, so it is important to make sure that every channel through which you accept card payments is covered. You can check this with your acquiring bank or payment card brand.

The Self-Assessment Questionnaires are for you to complete without hiring an external assessor or producing a full Report on Compliance; you submit the completed SAQ, with its Attestation of Compliance, to your acquirer. There is no fee for the SAQ itself, so provided all your card payment protections are in place and working, you can validate compliance for little more than the cost of the time it takes to fill in the paperwork. One caveat: several SAQ types (those where cardholder data passes through systems you control) also require quarterly external vulnerability scans by an Approved Scanning Vendor, and those scans do carry a charge.

More information about completing self-assessment is available here.

What if we can’t self-assess?

For many businesses, self-assessment isn’t an option, either because they aren’t eligible or because they don’t yet have the controls in place to meet the standard. For larger businesses and those that process a high volume of card transactions the road to PCI DSS compliance is more complex and requires training of staff or hiring of external service providers. PCI DSS compliance is becoming less about a one-off or annual assessment and more about the ongoing operation of measures that secure transactions, so it is unsurprising that many businesses choose to outsource their card payment systems, and with them most of the compliance burden, to external companies.

At PCI Telecom, we provide card processing systems for payments over the phone and online. Our solutions are entirely cloud-based, which means there is no need to invest in extra equipment or staff to manage them. Plus, our platform is validated as a PCI DSS Level 1 service provider, so the complex assessment of the payment platform itself is our job, not yours, and our clients don’t have to tie up internal resources going through it.

As a small business our overheads are low, so we are able to offer very affordable monthly licence fees, and we make no charge for declined or refunded payments. It also means we can work closely with you to create a secure card processing system that’s exactly right for your business, and we are always on hand to help if you need us. Find out more about our solutions here.

And remember, the cost of implementing PCI DSS compliant measures is unlikely ever to approach what a breach would cost you: fines of up to £50,000 per infringement, plus the costs of an invasive forensic investigation, not to mention inestimable damage to your brand. It’s worth looking into, believe us.