With mobile phones now firmly attached to our hands and an average of 24 hours a week spent online, the UK has truly embraced a digital lifestyle. This can also be seen in the nation’s purchasing behaviour - a staggering 87% of shopping (excluding groceries) took place online in 2018. With this in mind, companies need to consider not only which products will sell best online, but of ways to deliver the best customer experiences possible to set them apart from the competition.

Customer service is now expected to be conveniently accessible through email, text, webchats, and telephone, including the way customers pay. By removing the need for them to log into third-party platforms, or download an app, omnichannel payment options can greatly improve the ease and speed of making payments. However, this comes with its own challenges – staying PCI DSS (Payment Card Industry Data Security Standard) compliant for payments via debit or credit cards, and GDPR (General Data Protection Regulations) compliant, as well as being customer-centric, can be at odds. Furthermore, what is good customer service without data being kept safe?

A safe customer journey
Research shows that 86% of people (91% of women and 81% of men) would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card data. This means that the costs of an attack itself are only the start; plummeting share prices and a reduction in customer numbers due to a loss of trust in the company are another part of a data breach fallout to consider. Last year, the Cyber Security Breaches Survey found that 43% of UK businesses were a victim of a cyber security breach, while Action Fraud reported that victims of cyber fraud lost £34.6 million between April and September 2018. Obviously, in the case of cybercrime, prevention is better than crossing your fingers and hoping it won’t happen to you. But are the methods used by companies to make payments safe customer-friendly, and how well do they work? We assess the different options below.

Pause & Resume
One solution used to protect sensitive card information exchanged over the phone is known as the “pause and resume” or “stop/start” method. The call recorder is paused just before the customer reads out their card number and resumes when they finish. But it is not the most reliable of methods; particularly when done manually, instead of automatically, the call centre agent can edit the call at will, leaving plenty of room for human error. And even when the call is automated there are no guarantees this is safe, as the customer could say their card number at the wrong time.
Pause and resume also means that the call recording is incomplete, which can have negative ramifications in certain circumstances. For example if a call recording was being used as a piece of evidence in legal proceedings around, say, the mis-selling of payment protection plans (PPI), this could render the evidence inadmissible.
And lastly, this method also leaves everything else in the business in PCI DSS scope, which means that over 400 checks and controls must be put in place across the contact centre and scrutinised regularly to ensure that security is as tight as it possibly can be.

Interactive Voice Response (IVR)
Transferring customers over to an automated/interactive system for payment might side-step the PCI DSS problem, but IVR drop-out rates are high. Dealing with a recorded voice that is taking you through the payment options, instead of a real person, can be hugely dissatisfying as any issues arising during the process cannot be dealt with directly and are likely to lead to the customer abandoning the process and a lost sale.

Payment page
Sending customers to another website, for example PayPal, for payment may help overcome the PCI DSS challenge, yet having worked so hard to get the customer sale, why send them away to pay at another checkout? This isn’t the best user experience and it might even require them to log in – yet another hurdle to navigate to make the payment. Often businesses also have no control over the page design of the third-party payment provider, which isn’t ideal in terms of brand identity and consistency; customers might feel they are handing over their money to another business, other than the one they are actually buying from.

The alternative
The methods above are mostly sound, but in terms of customer experience leave a lot to be desired. What merchants really need is to stay compliant, protect data and excel in customer service – you could call it the triple challenge! Fortunately, technology that enables businesses to seamlessly and safely take payments across all digital engagement channels does exist And companies don’t need to invest in closed payment ecosystems to deploy it - they can engage with customers across the channel of their choice, and easily monitor, manage and support all their transactions. If for example, a customer chooses to pay via text, a secure link can be sent to them and their sensitive payment data is encrypted and routed directly to the payment service provider (PSP), never entering the merchant business’s network infrastructure. The agent will also receive real-time updates during the entire process and can stay in constant communication with the customer at all times. Keeping data out of the business completely offers another major benefit – it helps companies reduce the risk of a data breach. The thinking behind it is quite simple – criminals can’t hack what you don’t hold. If a company does not process or store payment details, it becomes less of a target to those with nefarious motives.


By Mandy Pattenden, Marketing Communications Director at Semafone

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.

comments powered by Disqus