hosted vs physical phone systems

Hosted vs physical phone systems. What are the benefits of moving away from fixed phone lines to a hosted phone solution?

As business software continues to move to the cloud, so do business phone lines: there is less reliance on physical phone systems and more demand for hosted telephony. A hosted phone system differs from a traditional fixed line in that it runs on an external server and is managed entirely offsite, with no equipment or wiring to be fitted at your office. Calls are carried over your business broadband connection.

But what are the benefits of moving away from traditional fixed phone systems to a hosted telephony solution and how can it help with your PCI DSS compliance?

Flexibility

Hosted phone systems offer a level of flexibility that a traditional fixed line cannot match. Where a physical phone system gives you a static way of handling calls, a hosted system lets you route calls so that customers reach the right person and get what they called for. Extra lines can be added quickly as and when required, and calls can be forwarded to alternative or multiple locations during busy periods. Call recording and archiving is straightforward, and the system can be adapted as the business changes over time. Bear in mind that a recording which captures a spoken card number is itself cardholder data and is in scope for PCI DSS, which is one reason to keep card entry off the spoken part of the call.

Reliability

Because hosted telephony needs no bulky equipment onsite, there is less onsite hardware to fail, which is good for business continuity. As the system is managed offsite, technical support is quickly on hand, removing the familiar scenario of waiting for an engineer to arrive and parts to be replaced. The trade-off is that the service depends on your broadband connection, so that connection (and ideally a backup for it) becomes part of your continuity planning.

Descope your business from its PCI DSS obligations

Using a hosted telephony solution makes it easier to integrate a secure over-the-phone payment process and to move most of your PCI DSS responsibilities to the provider, taking your own telephony and agents out of scope. You can create a bespoke, compliant payment flow that suits the needs of your business and your customers. Callers can be passed seamlessly between agents and the system into which they key their card details, without interrupting the call. Only the payment result (authorisation reference, amount, masked card number) should then be fed into your database and CRM behind the scenes; if full card numbers were written back into your own systems, those systems would be back in scope. Descoping reduces what you must secure and validate, but it does not remove your obligations entirely: as the merchant you still validate compliance (typically with the short SAQ A for fully outsourced payments) and remain responsible for choosing and monitoring the provider.

Sounds too good to be true? Well we can tell you that it isn’t. And because hosted telephony uses your broadband service to transmit calls, your ongoing costs are much lower than that of a separate fixed line service.
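A worked example of what descoping means in practice, added here as an illustration and not code from PCI Telecom's platform: the agent-side environment (call recordings, transcripts, CRM notes) stays out of PCI DSS scope only if full card numbers never appear in it. The Python below scans a transcript for Luhn-valid card numbers and masks any it finds, so the same check can be run over recordings' transcripts or ticket notes as a scope audit. The two transcripts, the regular expression and the masking rule are this example's own constructions; the card number used is Visa's published test number, not a real account.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. The pattern is this example's own choice.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by card numbers; filters out order refs, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match) -> str:
    """Strip the separators from a regex match so the digits can be checked."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number in the text, as plain digit strings."""
    return [
        d for d in (_digits(m) for m in PAN_CANDIDATE.finditer(text))
        if 13 <= len(d) <= 19 and luhn_ok(d)
    ]


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with its first six and last four digits, the most
    PCI DSS permits to be displayed; digit runs that fail Luhn are left untouched."""
    def repl(m):
        d = _digits(m)
        if 13 <= len(d) <= 19 and luhn_ok(d):
            return d[:6] + "*" * (len(d) - 10) + d[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


def agent_side_in_scope(transcript: str) -> bool:
    """True if a full card number reached the agent-side record, pulling it into scope."""
    return bool(find_pans(transcript))


# Constructed transcripts for this example. 4111 1111 1111 1111 is the published
# Visa test number; the order reference and authorisation code are invented.
SPOKEN_CARD = (
    "Agent: order ref 1234567890123, callback number 0330 022 0660\n"
    "Caller: the card number is 4111 1111 1111 1111, expiry 03/27, security code 123\n"
)
KEYPAD_ENTRY = (
    "Agent: order ref 1234567890123, I will stay on the line while you key the card in\n"
    "[keypad tones suppressed: card details captured by the payment platform]\n"
    "Agent: thanks, that payment has been approved, reference AUTH-48213\n"
)

if __name__ == "__main__":
    for name, t in (("spoken", SPOKEN_CARD), ("keypad", KEYPAD_ENTRY)):
        print(name, "transcript in scope:", agent_side_in_scope(t))
    print(mask_pans(SPOKEN_CARD))
```

The spoken transcript is flagged because the 13-digit order reference fails Luhn but the card number passes; the keypad-entry transcript comes back clean, which is exactly the property the hosted payment flow is meant to guarantee. Note that the spoken transcript also captured the security code: that is sensitive authentication data, which must never be stored after authorisation, so masking the PAN in such a recording is damage limitation, not a fix.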

About PCI Agent™

PCI Agent™ is our hosted telephony solution, validated as a PCI DSS Level 1 service provider, providing a secure payment system tailored to your business. With bonus features such as call recording and real-time statistics for all users, it can play a crucial role in improving customer service levels. Crucially, it allows callers to key in their own card details whilst staying on the call with a live agent, without having to read out sensitive card details or be passed over to a third-party contact centre, taking your agents and telephony out of PCI DSS scope.

Find out more about PCI Agent™ here.

Hosted telephony solutions

Five ways to beat the competition!

How a hosted telephony solution can give you an advantage over your rivals

What differentiates you from your competitors? Every company needs a competitive edge to survive in an increasingly competitive marketplace. And with consumers more willing to shop around, it’s important to look at all the ways in which you can gain an advantage.

Excellent customer service is one way to distinguish yourself, and part of that is how you handle calls and take payments over the phone, which is where a hosted telephony solution might just be the answer. Here are our five ways that a hosted telephony solution could give your business the edge it needs:

  1. Hosted telephony solutions provide a secure payment process in which customers key their card details into a system that is validated against PCI DSS. Card fraud and cyber crime are hot topics, and customers are far more likely to use companies that they know will keep their data safe.
  2. The hand-off between the call handler and the card payment software is seamless, giving the customer a smooth rather than clunky experience. The payment process is easy to use and callers need not notice that they are being passed between a call handler and the secure payment system.
  3. Hosted telephony solutions are flexible and reliable. The call handling process can be adapted to suit your business's requirements, and calls can be transferred quickly at busy times so customers are always able to get through to someone.
  4. As the system is hosted on external servers, there is no need for bulky equipment onsite, so there is less hardware at your premises to fail. If there are any problems, dedicated technical support gets them sorted quickly, ensuring continuity for your operations.
  5. Introducing a hosted telephony system, bespoke for your business, doesn't cost as much as you might think. Low set-up costs and cheaper ongoing overheads mean you get to keep your prices down, giving you that crucial price advantage over your competitors.

About PCI Agent™

PCI Agent™ is our hosted telephony solution, validated as a PCI DSS Level 1 service provider, which allows callers to key in their own card details whilst staying on the call with a live agent, without having to read out sensitive card details or be passed over to a third-party contact centre. PCI Agent™ takes your agents and telephony out of PCI DSS scope while providing a secure payment solution bespoke for your business. And with bonus features such as call recording and real-time statistics for all users, it can play a crucial role in improving customer service levels.

Find out more about PCI Agent™ here.

What does PCI DSS compliance mean for start-ups?


PCI DSS applies to any business that stores, processes or transmits payment card data, whether the transaction is taken over the phone, online or in person. In modern enterprise, this encompasses a lot of businesses. But what does PCI DSS compliance mean for start-ups? And what can they do to reach the appropriate compliance standard and avoid infringements or, worse still, a data breach?

Why should start ups become PCI compliant?

Achieving PCI compliance is great for your reputation. As data security becomes a bigger issue around the world, reaching the appropriate standard of PCI compliance reassures your customers and suppliers that you take data protection seriously and gives you an edge over competitors to aid business growth and success.

What isn’t so great for your reputation is a data breach. SMEs are more frequently falling victim to cyber-attacks, seen as easier to target because of their less robust security systems. Damage to your brand is what you really don’t need when you’re trying to get a business off the ground, nor is the hefty fine you’d receive if you fell victim to an attack without secure systems in place.

Going through the process of becoming compliant will give you a good understanding of your business’s card payment processes so you have a better chance of being able to identify gaps and fix weaknesses as your business grows to make that dreaded data breach much less likely.

Merchant levels and what is required

The card brands have devised ‘merchant levels’, determined by the volume of card transactions a business processes each year. The levels do not change which security requirements apply (all twelve PCI DSS requirements apply to every merchant); they set out how a business must validate its compliance, from self-assessment at the lowest level to an annual on-site assessment by a Qualified Security Assessor at the highest.

As a start-up, you are unlikely to process a high volume of transactions at the beginning, so you will fall into the lowest level and can validate by self-assessment. This involves completing the Self-Assessment Questionnaire (SAQ) that matches the way you take payments, together with its Attestation of Compliance (AOC), and returning them to your acquiring bank. The PCI Security Standards Council has guidance for businesses going through self-assessment – https://www.pcisecuritystandards.org/pci_security/completing_self_assessment.

While self-assessment can seem like a simple route to achieving compliance, it is not always straightforward. Identifying the right self-assessment questionnaire for your business can be a challenge in its own right, and choosing one that does not cover how you actually take payments leaves you non-compliant despite the paperwork.

When you’re short of money and time

Launching a start-up company requires extensive resources and often means ploughing money and time into getting the business off the ground. Setting up card payment processing that complies with PCI DSS from scratch can be time consuming, and if it is not your area of expertise it is likely to take even longer, at a time when your energy could be better spent elsewhere. We know this is why businesses often put off addressing their PCI compliance; especially for start-ups, it can seem unimportant next to other areas of the business.

The solution is to look at outsourcing options: either a Qualified Security Assessor (QSA) to help you work through the self-assessment questionnaire, or a PCI DSS validated service provider to take on your card payment processes altogether.

At PCI Telecom, we create bespoke card payment solutions for payments over the phone or online, specific to your business. All of our solutions integrate with your other systems and databases and are validated as PCI DSS Level 1 service provider solutions, which means that the bulk of the in-scope systems and controls sit with us rather than with you. You still complete the short SAQ that applies to a merchant who has fully outsourced card handling, but you get a card payment process that works for you and a much smaller compliance burden in one hit, plus peace of mind so that you can focus your energy on developing your product and service.

Click here to find out more about our solutions.

What is an automated IVR and how will it remove your PCI DSS risk?


If you’re a business owner looking to replace your call-answering system, then there’s a chance that you sometimes feel flummoxed by the options out there and daunted by finding the right system to suit your business operations. An automated IVR solution will probably be something you’ve looked at, but what is it? And could it help your business remove its PCI DSS risk?

What is an automated IVR?

An automated IVR (interactive voice response) solution enables callers to navigate through a range of options using their telephone keypad or voice. We’re all familiar with ‘press 1 to go to this’ or ‘press 2 to do that’ – well, our AUTO IVR™ solution does that but with the added extra of being able to interact with the caller and carry out automated tasks without the need for a member of staff to speak to them. For example, callers can respond to a survey or a yes/no question, enter passwords and account information or make a credit card payment by inputting their card details, which is where PCI DSS compliance comes in.

So how does AUTO IVR™ remove your PCI DSS risk?

Firstly, because AUTO IVR™ does not require an agent to answer the call, no member of staff hears or handles the card details, which removes the risk of that information being noted down, mis-sent or stolen. According to statistics obtained from the Information Commissioner’s Office, 62% of data breaches reported were the result of human error, which included information being sent to the wrong person and the loss and theft of paperwork (‘Human error causes more data loss than malicious attacks’, ComputerWeekly.com, June 2016). Taking the human out of the card-entry step greatly reduces the chances of your business suffering a data breach of this kind and falling foul of PCI DSS. Needless to say, it also saves you money on staffing costs.

Secondly, AUTO IVR™ helps make every step in your payment process reliable, robust and PCI DSS compliant. At PCI Telecom, we create bespoke solutions that work for your business, interfacing directly with your own databases and CRM systems, maintained either internally or on our secure hosted servers. We believe AUTO IVR™ is the most adaptive, responsive and configurable solution on the market: it enables you to capture, integrate and process card payments using a system validated as a PCI DSS Level 1 service provider, closing gaps in the payment process and reducing your own PCI DSS scope. For larger operations, we can link AUTO IVR™ with interactions and transactions made through other channels such as call centres (using PCI Agent), online and out in the field. This consolidates your payment systems and removes the risk of duplicate transactions, which is particularly useful if you’re dealing with items of limited stock and selling across multiple platforms.

Visit our Solutions page to find out more about AUTO IVR™ or any of our other services. Alternatively, please do get in touch here.

What happens if you fall foul of PCI DSS regulations?

What happens if you don’t comply with PCI DSS regulations?

‘It’ll never happen to us.’  Well, actually it might. More and more businesses are finding themselves the targets of hackers as cybercrime reaches record levels.

And it’s not just large corporates that need to be careful. Small and medium size organisations are just as likely to become victims of a cyber attack. According to Small Business Trends, 43 percent of cyber attacks target small businesses with only 14 percent of them rating their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. 60 percent of small companies go out of business within six months of an attack.

That’s the whole point of PCI DSS: to give businesses a common set of security requirements, with a validation process scaled to their transaction volume, to help them prevent a breach and protect their customers’ data.

So what can happen if you don’t comply with PCI DSS regulations? And what if your business does find itself a victim of a cyber attack?

You could be liable for non-compliance fines.

Before you’ve even encountered any form of data breach, you could receive a fine for not complying with PCI DSS. While the standard is not a legal requirement, compliance is a contractual obligation under your merchant agreement with your acquiring bank, which passes on the card brands’ rules and any fines they impose.

Data may be at risk of being compromised.

There is a sequence of steps that takes place when a person makes a payment using their card over the phone or on the internet. Attackers target the weakest link in this process, which more often than not is the merchant. If your business doesn’t operate systems that meet the current version of PCI DSS, then there is a high risk that your customers’ sensitive details could end up in the wrong hands.

If you have a suspected breach, the card brands can require a forensic investigation by a PCI Forensic Investigator (PFI)…

…and if the investigation shows that your systems were responsible for the data breach, the cost sits entirely with you and can run into thousands of pounds.

You’ll receive a fine

In addition to the Forensic Investigation costs, if your payment processes are found to have been non-compliant then you’ll also be liable to pay a significant fine – up to £50,000 per infringement.

Your reputation will be damaged

Having to pay a whopping fine is one thing but managing to preserve your company’s brand reputation is quite another. The damage caused as a result of a data breach could be irreversible. The Deloitte Consumer Review, ‘Consumer data under attack: the growing threat of cyber crime’ 2015, states:

‘Consumers are very clear in their message to businesses and third-party organisations: the number one issue that would make consumers reconsider using an organisation is if that organisation lost their data or failed to keep it safe’

At PCI Telecom our solutions are validated as PCI DSS Level 1 service provider solutions, which means that our card payment processes are assessed against the full standard every year. We create bespoke, cloud-based card processing systems for payments over the phone and online, and we work closely with you to make sure that the system integrates with your existing set-up. Find out more about our solutions here or get in touch.

How much does PCI DSS compliance cost? Probably not as much as you think.


We know from the businesses that we speak to that cost is a major consideration when it comes to addressing their PCI DSS compliance. Many perceive that becoming PCI DSS compliant means forking out on expensive software such as firewalls and encryption systems or bringing in extra staff. In reality the costs of PCI DSS compliance don’t have to be as much as you think.

Do you meet the criteria for PCI DSS self-assessment?

Small merchants (and, where their acquirer permits, smaller service providers) can validate compliance with a PCI DSS self-assessment questionnaire (SAQ). There are several SAQs, each matching a way of taking payments (for example fully outsourced e-commerce, standalone terminals, or a virtual terminal), and a business that takes payments in more than one way may need to satisfy more than one of them, so it is important to make sure that all aspects of your card payment systems are covered. You can check this with your acquiring bank or the payment card brand.

The Self-Assessment Questionnaires are for you to complete without hiring an external consultant or producing a Report on Compliance. Filling in an SAQ itself costs nothing, so provided you already have the controls the questionnaire asks about in place and working, you could become PCI DSS compliant for just the cost of the time it takes to fill in the paperwork. Note that some SAQs also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), which is a modest recurring cost.

More information about completing self-assessment is available here.

What if we can’t self-assess?

For many businesses, self-assessment isn’t an option, either because they’re not eligible or they don’t have the processes in place to reach the required standard to become PCI DSS compliant. For larger businesses and those that process a high volume of card transactions the road to PCI DSS compliance is more complex and requires training of staff or hiring of external service providers. PCI DSS compliance is becoming less about a one-off or annual assessment and more about the ongoing implementation of measures to secure transactions so it is unsurprising that many businesses choose to outsource their card payment systems and, in turn, their PCI DSS compliance to external companies.

At PCI Telecom, we provide card processing systems for payments over the phone and online. Our solutions are entirely cloud-based, which means there is no need to invest in extra equipment or staff to manage them. Plus, our solutions are validated as PCI DSS Level 1 service provider solutions, so our clients don’t have to use internal resources to go through the more complex PCI DSS assessment procedures themselves.

As a small business, our overheads are low so we are able to offer very affordable monthly license fees and we make sure that there is no charge for declined or refunded payments. It also means that we can work closely with you to make sure that we create a secure card processing system that’s exactly right for your business and always be on hand to help if you need us. Find out more about our solutions here.

And remember, the cost of implementing PCI DSS compliant measures will never be as much as the fine that you could be handed if your business were to suffer a data breach – up to £50,000 per infringement plus the costs of an invasive forensic investigation and not to mention inestimable damage to your brand. It’s worth looking in to, believe us.

PCITelecom: time to sort your PCI DSS compliance

Stop putting it off! Make 2017 the year you achieve PCI DSS compliance.

Ok, so we know it’s unlikely that you considered including PCI DSS compliance in your list of New Year resolutions this year. It’s probably not on your radar as much as it is ours and besides, it can appear even less appealing than eating healthy and avoiding chocolate, right?

But perhaps you should have a rethink. Cyber attacks are on the rise. In 2016, it is estimated that UK businesses were targeted 230,000 times each on average* with even more predicted for 2017. So why not make this the year that you get to grips with your card payment security and your PCI DSS compliance?

If you’re like the businesses we meet, then one of the following is probably putting you off:

1. You’re not sure if PCI DSS compliance applies to you

A common myth is that PCI DSS is only for big companies and e-commerce businesses dealing with lots of card transactions. In actual fact any business that accepts card payments needs to comply with PCI DSS, even if it only processes a handful each year.

2. You think the PCI DSS regulations are too difficult to implement

We know from our experience that the road to PCI DSS compliance, particularly for smaller businesses, is daunting. For starters, there are the 12 requirements you have to have in place (listed here) in order to comply with PCI regulations. Then you have to work out which merchant level and compliance validation requirements apply to your business and if you’re eligible for self-assessment then you’ll need to decide which self-assessment questionnaire (SAQ) you should complete. All of which can be tricky.

For larger businesses that process more transactions, the systems that need to be implemented can be complex and there is often the issue of who will take ownership of the project and oversee procedures as they develop.

There are organisations out there that can offer you the support and expertise you need to make your goal of being PCI DSS compliant in 2017 much easier to achieve. The PCI Security Standards Council provides in-depth information and advice in its document library here. As they say, ‘The standard works for some of the world’s largest corporations. And it can work for you’. In addition to this, there is guidance on the process of becoming PCI DSS compliant here on the Visa Europe website.

3. You think that PCI DSS compliance will cost too much

We all know that nothing comes for free. Depending on the procedures that need to be implemented and the changes that need to be made, there may be costs associated with making sure that your business is complying with PCI DSS, be it investing in new software or staff training, through to expanding your staff resource to oversee the project. That said, these costs will be nothing in comparison to the hefty fine you’ll receive should your data be breached in addition to the damage to your business’s brand which may be irreversible.

Don’t despair!

There are companies, like us, that can help. We provide phone and online card payment platforms that take your own systems and staff out of PCI DSS scope, so that most of the requirements no longer fall on you. Our solutions are validated as PCI DSS Level 1 service provider solutions and can be made to fit seamlessly with your existing system. You can find out more about us and what we do here.

* http://smallbusiness.co.uk/smes-targeted-cyber-criminals-2536150/

PCI Telecom reasons to descope your business from PCI DSS

Three reasons why it makes sense to descope your business from PCI DSS

The management of your PCI DSS compliance can be daunting, especially if you don’t understand the regulations and how to implement them. Read on to discover three HUGE benefits to descoping your business and outsourcing PCI DSS compliance to a third party.

1. It moves nearly all of the PCI DSS requirements from your business onto someone else.

All twelve PCI DSS requirements apply to every business that handles card data; what varies with your annual transaction volume is how you must validate compliance. The standard and its requirements are also revised over time, and for some small and medium size businesses staying on top of this is a huge challenge. The easiest way to do so is to move the card handling itself to a third party provider or solution, so that most of the requirements apply to the provider’s environment rather than yours. Your remaining obligations shrink to validating that the outsourcing is done properly and keeping an eye on the provider, making it far easier for you to re-focus on what really matters to your business and your customers.

2. Reduces the overheads associated with managing PCI DSS compliance

‘Many organizations treat compliance as a one-time, annual event. But only focusing on an annual compliance assessment can create a false sense of security.’ (PCI Security Standards Council, LLC, 2006-2016)

To be compliant, your business must demonstrate an ongoing level of security awareness. In other words, it isn’t a one-off task but a project that needs constant attention. Sounds like a job in itself, doesn’t it? Taking on a new member of staff to manage PCI DSS compliance can increase your overheads significantly and we know that finding an employee with spare time and/or an understanding of the PCI DSS often isn’t easy. Outsourcing the responsibility to a third party provider takes away the stress and doesn’t cost as much as you might think.

3. Your customers’ data is protected, along with your brand

Failing to comply with PCI DSS can result in a hefty fine but, even worse, it can cause irreversible damage to your business’s reputation and brand. Your customers trust you to protect their payment details, and once this trust has been damaged it can be hard to get back. Here at PCI Telecom, our hosted telephone and online card processing platform is validated as a PCI DSS Level 1 service provider, which means we are assessed against all the PCI DSS requirements at the highest validation level. Customer payment details are captured and encrypted by the platform itself, so neither we nor your staff ever see the card details being entered.

About PCI Telecom

PCI Telecom provides an outsourced phone and online card processing platform, validated as a PCI DSS Level 1 service provider, that takes your own systems out of PCI DSS scope and leaves you to focus on delivering your product to your customer. Our PCI AGENT solution is hosted in the cloud, is easy to set up and integrates with your system so the customer experience is completely seamless. Plus, our 3-D Secure online payment solution reduces the possibility of fraudulent card use by authenticating the cardholder at the time of the transaction, and for authenticated transactions shifts liability for fraud-related chargebacks from your business to the card issuer.

We pride ourselves on our knowledge and high quality customer service. If you have any queries about descoping your business of PCI DSS and outsourcing your card payment systems, please do get in touch.

PCI Telecom how to protect your online business

Five tips for protecting your business from cyber attack this Black Friday and Cyber Monday

We’re heading towards that time of year again when shoppers go crazy for a bargain. What security measures should your business have in place to protect customers’ payment details from those cyber attack criminals lurking out there?

Black Friday started in the US back in the 1930s before making its way across the Atlantic in recent years and is regarded as the beginning of the Christmas shopping season. Traditionally it takes place on the Friday after Thanksgiving and with the introduction of Cyber Monday, shoppers are treated to a long weekend of seriously discounted goodies.

In 2015, retailers in the UK saw sales of £3.3bn over the Black Friday/Cyber Monday weekend and this year looks set to be even bigger. But it’s not just shoppers and businesses getting excited. Black Friday and Cyber Monday offer cyber attack criminals a chance to cash in too, targeting consumers and businesses with the aim of getting their hands-on valuable credit and debit card details.

So what can businesses do to protect customers and themselves from cyber attacks? Here are PCI Telecom’s top tips:

Tip 1
Educate your employees. Ensure internal policies are in place for data protection, card handling and sensitive data and make sure that all staff know about them.

Tip 2
Back up your data. Keep backups in a secure, access-controlled location outside your own premises (for example a replicated server or offsite store), and test that you can actually restore from them, so that an attack on your main systems does not take your data with it.

Tip 3
Be careful of email attachments and website downloads, and warn employees of the risk too. Make sure you have firewalls, email filtering and up-to-date endpoint protection in place to reduce the risk of harmful files making their way onto your systems.

Tip 4
Make sure that your ecommerce website is secure. Serve it over HTTPS with a valid TLS certificate so that information transferred between the customer and your site is encrypted and cannot be read if intercepted. An EV (Extended Validation) certificate does not add stronger encryption than any other valid certificate; what it adds is a verified organisation identity, which demonstrates to the customer that you take protecting their data seriously.

Tip 5
Be sure that your business complies with PCI DSS regulations…which is where we come in…

What is PCI DSS and who does it apply to?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements covering the security of processing, storing and transmitting debit and credit card information. The standard, and the Payment Card Industry Security Standards Council (PCI SSC) that manages it, were created by the major payment card brands: Visa, MasterCard, American Express, Discover and JCB. PCI DSS applies to ANY business taking credit or debit card payments, in person, over the phone or online, large or small. While PCI DSS is not a legal requirement, failure to comply can result in a substantial fine and, more seriously, irreversible damage to your brand.

About PCI Telecom

PCI Telecom provides an outsourced phone and online card processing platform, validated as a PCI DSS Level 1 service provider, that takes your own systems out of PCI DSS scope and leaves you to focus on delivering your product to your customer. Our 3-D Secure online payment solution reduces the possibility of fraudulent card use by authenticating the cardholder at the time of the transaction, and for authenticated transactions shifts liability for fraud-related chargebacks from your business to the card issuer. Our PCI Agent solution means that credit and debit card details can be taken over the phone securely while maintaining a good customer experience. Find out more here.

Is it safe to give out your CVV security code?

If you regularly shop online, you will be familiar with your security code, or CVV (card verification value), a 3-4 digit code on the back of your card (or front with American Express), which is intended to provide added security when making purchases as the cardholder should be the only person who knows what it is.

So, is it safe to give it out?

In general, yes. Although the banks encourage retailers to ask for the code as part of the authorisation process for cardholder-not-present transactions, the details can still be stolen by an operator or employee of the company you are paying. This is a particular problem when paying over the phone, because an operator who hears the full card number and security code can note them down. (Merchants are also forbidden by PCI DSS from storing the security code once a payment has been authorised.) The following tips can help you avoid issues with card fraud:

  • Only use reputable websites when buying products online
  • Keep a close eye on your bank statements to check that all transactions are authorised
  • Never give out the security code in person
  • Avoid making payments over the phone unless you called them directly and they have PCI compliant software in order to collect your card details securely

If you are a retailer or a business that processes payments on a regular basis and want to ensure your customers feel secure as well as safeguarding your own safety and compliance, then you can contact us on 0330 022 0660 or by visiting our contact page.

Card breach at Hilton Hotels chain should be treated as a wake-up call to the industry

Hilton Hotels have admitted that they are investigating claims hackers have compromised their point of sale systems at their flagship Hilton locations, as well as Embassy Suites, Doubletree, Hampton Inn and Waldorf Astoria Hotels & Resorts.

A number of financial institutions were warned of a breach in August by Visa, which was known to have happened between the 21st April and 27th July. Sources at five separate banks have now determined that the common point of sale used on all breached cards was at various restaurants, coffee bars and gift shops within Hilton properties.

The hotel industry was criticised back in March when security firm Cylance discovered that vulnerabilities within Wi-Fi routers used at hundreds of hotels around the world allowed hackers to distribute malware to guests and access the hotel’s reservation systems.

The chain admitted that “unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace”.

The use of PCI DSS compliance regulations should be preventing breaches such as this from happening. Don’t let your company get into the same position as the Hilton Hotels chain! Contact us today to find out about our descoping solutions.

Five top tips to prevent your card being hacked

Whilst almost half of Europeans worry about the safety of their data, and 59% have experienced data protection issues in the past, there are steps you can take to protect yourself from card fraud. Read below for our five top tips to protect yourself from credit or debit card hacks.

#1: Text message notifications for suspicious transactions

Enabling SMS notifications for unusual transactions means you will be notified the minute any suspicious activity takes place from your account, and gives you a better chance to contact the bank and prevent more damage from happening. These can be enabled in the settings on your online banking platform and can prevent you finding out if you have been hacked the hard way (for instance your card declining in a shop). If in doubt, have a Google and see if this is a service your bank offers.

#2: Don’t fall for phishing scams

Phishing emails from scammers pretending to be your bank (see below example) entice you to ‘login’ to a fake bank page, which then records all of your data. Don’t become a victim of these scams – if you are ever in doubt about whether an email is legitimate, always contact the company directly and ask.


#3: Make sure companies you make payments with are PCI DSS compliant

When making a payment over the telephone, make sure you are offered the chance to enter in your card details yourself and don’t give an operative the chance to write them down! You can check out our brochure here which explains what PCI DSS compliance is.

#4: Be careful with your choice of retailer when shopping online

Make sure to read customer reviews. If there are many reviews criticising the order process, then go with another retailer. Make sure the website is secure by looking for lock images in your browser’s status bar.

#5: Use your card provider’s online authentication service

One example (also used in our solution – check it out here) is 3D Secure, which adds an additional layer of security in the form of a password and secret phrase that the consumer enters when making an online payment – if the user does not know the password, then the transaction cannot continue. This service is also known as ‘Verified by Visa’ and ‘MasterCard SecureCode’.

As a small business, why should I comply with PCI DSS?

You may have heard of PCI compliance and you may be thinking, why do I have to comply?

For smaller businesses, PCI compliance may seem daunting, confusing and not something you know much about. This blog aims to give you the benefits of being compliant in comparison to non-compliance and the potential result of being non-compliant.

If you think of taking a single credit card transaction like someone handing you the keys to their safe and asking you to carefully take out just the amount you are owed, you will realise the importance of security surrounding your customers’ personal details. As a business, you must demonstrate that you care about your customer’s personal information. PCI DSS compliance shows that you are committed to the protection of this information, increasing trust amongst your customers, and encouraging repeat visits.

Even if, on a cost/benefit basis, the cost of complying seems to outweigh the benefit to you or your customers, that calculation can change instantly. You may think that as a small business, you would not be a viable hacking target. In fact, the recent threat report carried out by Symantec found that three in five cyber-attacks last year targeted small to medium sized businesses. It is often easier and quicker for a hacker to attack many small businesses, rather than one large business.

If this happens, the card issuing companies can fine your bank thousands of pounds. The bank, in turn, would pass these charges down to you. Your business would also be liable to pay for a full forensic investigation to find out how the cyber-attack happened, and how many customers’ details were stolen. Those customers, who now run the risk of having fraudulent charges being taken in their name, would then have to obtain a new card and would most probably take their business elsewhere.

As a small enterprise, you may rely on relationships with other businesses and also reputation, which could also be affected. You also may not have the necessary funds or expertise to recover from a data breach, especially if a large fine is involved. By becoming PCI compliant, you can benefit from peace of mind knowing that your customers’ data is secure, and better customer relationships through stronger perceived trust.

If you would like to ask us any questions about PCI compliance, please email us at [email protected] or give us a call on 0330 022 0660.

EU Data Protection Directive in the process of being updated – what does this mean for your business?

Over the last 20 years, technology has dramatically changed, particularly within the e-commerce sector. Proposals for new data protection legislation by the European Commission began in 2012, and the process should be completed by the end of 2015 ready to come into effect in 2017.

So, what has been changed so far?

The current legislation is a directive – meaning that certain guidelines are laid out, but each individual state is free to decide how it includes these in its own national law. The new legislation is a regulation: a binding legal force throughout every state, which will come into force on a set date.

The new regulations also contain major changes to the way in which companies should implement data security policies, stating that they should “implement technical and organisational measures to ensure a level of security appropriate to the risks” and that personal data should be encrypted, rendering it unintelligible to third parties in the event of a data breach. This raises issues when taking payments via the telephone as many organisations feel the need to record all calls for auditing and training purposes, as personal details like card numbers may be kept in these recordings.

Whilst the PCI Security Standards Council already monitors this, new EU legislation will further enforce this into UK law, and with expected introduction set for 2017, this is something which all businesses should be looking into carefully to check they are compliant.

Our ‘PCI Agent’ solution allows for your customers to benefit from a secure and unique transactional environment where they remain on the call, entering their own information, without being passed over to a separate payment IVR and (if required) recording the calls in a fully PCI DSS compliant environment. You can read more about it here.

To make an enquiry, or for more advice on compliance, please contact us today. Our experienced team are always on hand to help, whatever your question may be.

2015 Information security breaches survey from PwC highlights the importance of protecting your business from data breaches

This year’s survey undertaken by PwC has revealed that 90% of large organisations and 74% of small businesses have suffered a security breach; an increase compared with figures of 81% and 60% in 2014 respectively. The average cost of a security breach to a large organisation has almost tripled, costing between £1.46m – £3.14m on average, in comparison to £600k – £1.15m a year ago.

Alarmingly, three quarters of large organisations suffered a staff-related security breach in the last year, compared with 58% a year ago, highlighting that staff cannot always be relied upon for the protection of important data. When questioned further about this, half of all organisations admitted that these breaches were caused by human error.

One way in which staff-related security breaches can be reduced is to prevent staff from accessing company data in the first place. Our PCI compliant solutions allow your employees to take payments from customers without the employees viewing or storing any of the card information. For more information on how this can help, call us on 0330 022 0660 or download our brochure here.

You can also download the full figures from PwC here.

A third of employees would sell your company data for the right price

A recent study undertaken by security company Clearswift has revealed that 35 percent of employees in the UK, Germany, US and Australia were open to selling company data, including company patents, financial records and customer credit card details, for bribes of up to £50,000, risking both their jobs and criminal convictions.

Alarmingly, 25 percent of the polled employees would consider selling company data for £5,000 and 18 percent for an offer of £1,000. 61 percent of employees stated that they had access to customer data, a dangerously high figure when 22 percent do not feel that the security of this data is their responsibility at all.

Even within the information security industry, 62 percent of professionals think employees do not care enough about security to change their behaviours. “While people are generally taking security more seriously there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them” said Heath Davies, Chief Executive Officer at Clearswift. “It is not good business to live in fear of your employees, especially since most can be trusted,” said Davies. “Getting the balance right has always been hard. But truly understanding where the problems come from, combined with advances in technology which can adapt to respond differently to different threats, really changes the game here.”

There are steps you can take to stop your employees accessing private data. One way is to use an effective PCI DSS solution to shield your employees from viewing your consumers’ card details. To download our brochure click here or contact us today here.

Here is the full infographic with the survey results, courtesy of Clearswift:


PCI Compliance ‘merchant levels’ – where do you fit?

You may have heard of the four PCI compliance merchant levels and may be slightly confused as to which level your business fits into.

It really is quite simple, however: the merchant levels are defined by Visa and are based on transaction volume over a 12-month period, as per below:

Merchant Level | Description
1              | Any merchant processing over 6 million Visa transactions per year. Visa also has sole discretion to determine which businesses should meet Level 1 requirements (in order to minimise risk to the Visa system).
2              | Any merchant processing between 1 million and 6 million Visa transactions per year.
3              | Any merchant processing between 20,000 and 1 million Visa e-commerce transactions per year.
4              | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.

Visa also advise that any merchant that has suffered a hack which has resulted in account data leaks can be escalated to a higher validation level at any time.

Whichever level your business may fall into, PCI Telecom can consult on the correct steps to take to ensure you are compliant.

Call us and discuss your requirements on 0330 022 0660 today or drop us an email to [email protected] to find out more.

You can also download our brochure here.

Carphone Warehouse hackers may have gained access to 2.4m customers’ data

Millions of Carphone Warehouse customers’ personal data may have been accessed by cyber attackers, and the data accessed is thought to have included names, addresses, dates of birth and bank details, with around 90,000 encrypted credit card numbers also stolen.

Security experts are urging customers affected by the breach to change passwords as soon as possible. Shares in Dixons Carphone, the parent company of Carphone Warehouse, fell 1.7% when the breach was announced, whilst a spokesman from the Information Commissioners Office (ICO) stated: “We have been made aware of an incident at Carphone Warehouse and are making enquiries”.

This spells out bad news for Dixons Carphone, formed by a merger of Dixons Retail and Carphone Warehouse a year ago. The ICO are known for giving large data fines to organisations affected by data breaches; fining Sony £250,000 after the PlayStation Network was hacked in 2013 and handing a £175,000 fine this February to holiday insurance company Staysure.co.uk after failed IT security systems allowed hackers to access company records.

As discussed previously in our ‘How a data breach can affect your business’ blog (available here) data breaches can put your business in a dangerous and volatile position. To find out how our solutions can help, download our brochure here or give us a call on 0330 022 0660.

Don’t let your company be at risk to credit card data breaches – contact us today to discuss a solution which can be suited to your needs.

Payment Industry Acronyms

There are many abbreviations in use within the payments industry and sometimes it can feel like it has its own language.

Here are five commonly used acronyms and their meanings explained:

  • PCI DSS – this stands for Payment Card Industry Data Security Standard which is a set of security requirements for ALL businesses that handle payment cards.
  • IVR – this stands for Interactive Voice Response and is a technology which allows a computer to interact with humans through the use of voice and DTMF tones input via a keypad.
  • PCI SSC – the Payment Card Industry Security Standards Council who were created by the major payment card providers – Visa, MasterCard, American Express, Discover and JCB.
  • P2PE – this stands for point-to-point encryption which ensures sensitive cardholder data is protected from first entry, while in transit, and all the way through to the payment processor.
  • TLS (Transport Layer Security) & SSL (Secure Sockets Layer) were both protocols designed to provide secure communications over a computer network; however, these have now been phased out with the introduction of PCI DSS 3.1.


DTMF suppression explained

Traditionally the only way organisations have maintained PCI compliance is to keep call archives free of card data. In the past, techniques such as switching off call recording altogether or pausing and resuming recording have been used. Whilst these can be considered PCI compliant, they still allow your employees access to the card details, and they also raise an issue when you require a full, untouched call recording.

DTMF (Dual Tone Multi Frequency) is a signalling system based on a set of standard tones which are created by pressing keys on the telephone keypad. This method of key entering is used with our ‘PCI Agent’ solution. Customers are advised to enter their card details into the keypad, in turn creating DTMF tones which are used to automatically detect the card data, and suppress it before it hits the recording system.

So what are the benefits?

  • The agent is in continual contact with a caller
  • No need for pausing and resuming recording
  • Full calls can be safely and easily recorded with no risk of non-compliance
  • Agents are presented with asterisks and cannot see the numbers which are being entered

Using DTMF suppression solutions in the past also used to be laborious, as an in-house solution was often required. With our solution, everything is cloud-based and there is no requirement to install any on-site systems. To find out more please drop us an email at [email protected], or call us on 0330 022 0660.
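To show the mechanism the two paragraphs above describe, here is an added example (not PCI Telecom's own code) of DTMF detection and suppression on a simulated call: each 8 kHz audio frame is checked for a DTMF tone pair with the Goertzel algorithm, frames carrying a key press are blanked before they reach the recording, the agent display receives only asterisks, and the digits are routed to a separate payment channel. The frame size, thresholds, the 440 Hz "speech" tone and the whole call are constructed assumptions for the demonstration.

```python
import math

# Added example, not PCI Telecom's code: a minimal model of DTMF suppression.
# The call is modelled as 8 kHz mono frames; keypad presses are DTMF tone pairs,
# detected per frame with the Goertzel algorithm and removed from the recording
# before it is stored, while the agent only ever sees asterisks.
SAMPLE_RATE = 8000
FRAME = 205                      # ~25 ms analysis window (assumed)
LOW, HIGH = [697, 770, 852, 941], [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]

def tone(freqs, amp=0.5, n=FRAME):
    """Constructed test audio: one frame containing the given sine tones."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

def dtmf_frame(key):
    """Constructed test audio: one frame of the DTMF pair for a keypad key."""
    row = next(r for r in KEYPAD if key in r)
    return tone([LOW[KEYPAD.index(row)], HIGH[row.index(key)]])

def goertzel(frame, freq):
    """Power of a single frequency in a frame (Goertzel algorithm)."""
    k = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2

def detect_key(frame):
    """Return the pressed key when one low and one high tone clearly dominate, else None."""
    scale = sum(x * x for x in frame) * len(frame)   # N * frame energy
    if scale == 0:
        return None                                    # silence
    lo = [goertzel(frame, f) for f in LOW]
    hi = [goertzel(frame, f) for f in HIGH]
    for band in (lo, hi):
        best, second = sorted(band, reverse=True)[:2]
        # a genuine DTMF tone holds ~1/4 of the frame energy and dwarfs its neighbours
        if best < 0.1 * scale or best < 8 * second:
            return None                                # speech, noise or no tone
    return KEYPAD[lo.index(max(lo))][hi.index(max(hi))]

def suppress(frames):
    """Split a call into (recording, agent_display, keypad_digits).
    Key-press frames become silence in the recording, the agent sees one '*'
    per press, digits go only to the payment channel; a held key counts once."""
    recording, display, digits, held = [], "", "", None
    for frame in frames:
        key = detect_key(frame)
        if key is None:
            recording.append(frame)
        else:
            recording.append([0.0] * len(frame))       # masked before storage
            if key != held:
                display += "*"
                digits += key
        held = key
    return recording, display, digits
```

Feeding the recorder from `recording` rather than the raw frames is what keeps the archive data-free without pausing it; a production system would also have to handle tones overlapping speech and partial frames, which this model does not.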