How to descope PCI DSS compliance whilst improving your customer experience

03 Sep 2018 | Chris Barley


      A successful sales team needs to be good at turning customers into revenue.

      Straightforward enough if the customer walks through your door, makes a purchase and checks out at your till. But it’s more difficult when your prospective customer is sitting at home watching TV, or out shopping, or rushing to catch a train.

      So how do you make it hassle-free and enjoyable for your remote customers to buy, wherever they are, while simultaneously descoping your PCI DSS compliance requirements?

      Remote payments aren’t designed for our mobile lifestyle

      “Card not present” (CNP) purchase scenarios, as remote sales are termed, have traditionally involved directing customers either to a third party ecommerce or payment site, or taking card details over the phone.

      But these ways are rapidly becoming outdated in our mobile first world.

      Customers looking to pay using an ecommerce or payment site need to be proactive – they have to log in, navigate to the correct page and fill in their purchase and card details. On a mobile site, this may not be easy.

      If the customer has a question, there’s usually no easy way to seamlessly communicate with your sales agent – the customer needs to resort to a separate communications channel such as email or phone, losing conversation context.

      And if we assume that more and more customers want to connect on their mobiles – well, email is not a very mobile or conversation-friendly channel. Individual purchases are hard to find again later for reference, and it’s hard to track the comments associated with them, such as product questions.

      This all adds friction to the sales process and risks the customer just giving up and walking away.

      In order to be more responsive, many businesses resort to the telephone. Here your agent can take payment details from the customer in real time. However this requires some effort from the customer to retrieve and dictate card details, and time spent by your agent manually keying card information into the virtual terminal of the payment processor.

      Apart from making payment seem like an afterthought, this method is labour intensive and exposes your business to the customer’s sensitive card data, with significant implications for data security. Enter PCI DSS.


      PCI DSS compliance requirements

      PCI DSS (Payment Card Industry Data Security Standard) describes the different levels of compliance that businesses are required to meet for handling card payments. The level that applies depends on various factors, including the number of transactions the business (or merchant) handles, the way card data is captured, the extent to which card data is stored, and the design of the business’s IT network.

      Your business’s responsibilities here are extensive, both in reaching the necessary standards, and then maintaining them.

      The PCI challenge is highlighted by industry data – in one recent survey only 55.4% of surveyed businesses passed their PCI DSS compliance assessment (Source: Verizon “The State of PCI DSS Compliance”).

      The considerable infrastructure and operational requirements that must be met for PCI compliance could explain this worryingly low figure. In addition, working out exactly which of the many self-assessment options applies to your business can be overwhelming. The result is that many businesses, consciously or unconsciously, do not comply.

      Non-compliance with PCI DSS risks major fines and, more significantly, leaves the business liable for the costs of any resulting fraud. As recent examples in the press illustrate, data breaches can be ruinously expensive, especially considering the recent GDPR data regulations, which apply hefty fines for security “lapses”.


      Securing your network

      To protect against this, network controls including segmentation and firewall protection must be in place to prevent attackers reaching card information on your data network. Two-factor authentication (2FA), physical access security and supporting processes must also be in place. Regular penetration tests and vulnerability scans are the norm.

      Faced with all these requirements for data and IT security, many businesses resort to expensive outside help to interpret PCI regulations, and implement the necessary solutions.

      And when all this is in place, staff will still require constant training. And network security will still need to be regularly tested.

      All in all, it’s a substantial cost and risk for any business just to get paid by a “not present” customer!

      There must be a simpler way…


      Pushing security to the mobile phone

      As with many things in life, the smartphone is showing us the way.

      With a mobile phone, security can now start on the actual device, making it the ideal tool for handling mobile payments.

      Card details are tied to the phone, and biometrics authenticate the phone to the customer, resulting in a high level of authorization for the transaction. This is presently done through Touch ID but increasingly we will see facial recognition for “selfie” authorization.

      This level of authorization provides reassurance for both customer and business that the person authorizing the mobile payment is actually who they say they are.

      In addition, mobile wallet providers (such as Apple Pay and Google Pay) tokenize card details, replacing the real card number with a token so that the card data itself is not exposed to the merchant. This further improves card security and reduces the need for expensive, PCI-scoped IT infrastructure.

      Reaching out via a message

      Email, phone, and good ol’ post – all are traditional methods used to let customers know they have a bill to pay. But a mobile message can be much more effective. It’s convenient, ubiquitous, instant, direct and personal – qualities that make it ideal as a payments channel.

      Messaging represents a new way for requesting and receiving payments from your customers. Here’s how it works: a text conversation is initiated with a customer regarding a proposed sale, or to collect payment for a previous sale. The customer could be on the phone with the agent, or the agent may initiate a separate message conversation.

      A payment link is sent as part of the conversation, providing secure access via a unique URL to a customer specific payment page, branded with your company name and logo to give a professional image.

      By clicking on the “Pay Now” button, the customer’s mobile browser automatically populates previously entered card details or provides the option of Apple Pay or Google Pay if your customer has these mobile wallets installed.

      (It’s predicted that by 2020 in the US, at least half the population will have a mobile wallet.)

      To confirm payment, the customer just uses Touch ID and the transaction is complete – secure check out in a few seconds!


      Increase security and reduce cost

      Using mobile payment offers a number of advantages for your business over payment sites and over-the-phone card payments.

      Payment authorization via smartphone Touch ID is a more secure way to authenticate the user, reducing card fraud.

      Also, as card data is sent directly to the card processor, no card details are stored by your business. With processing and storage of card data eliminated, your business can benefit by descoping your PCI DSS compliance requirements, as well as reducing security risks and downgrading your IT network specifications.
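The two security properties this flow relies on are the ones described above: the payment link is a unique URL that only the intended customer can use, and the merchant never handles or stores the card number, only a reference from the processor. The following is an added example, not code from the article or from any payment provider it mentions, showing one way a merchant backend could model that: the link token comes from a cryptographically secure random source, only its hash is stored, it expires and is single-use, and the card data goes from the customer's device to a (stubbed) processor whose reference is all the merchant records. The class and function names, the `pay.example.invalid` URL, the 15-minute lifetime and the processor stub are assumptions.

```python
# Added example, not code from the article or from any vendor it mentions.
# It models a pay-by-link flow: the merchant issues an unguessable, expiring,
# single-use link, the card data goes from the customer's device to the
# processor, and the merchant stores only the processor's reference.
# Names, the URL, the 15-minute lifetime and the processor stub are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 15 * 60  # assumed link lifetime


@dataclass
class PaymentRequest:
    request_id: str
    amount_minor: int        # amount in minor units, e.g. pence
    currency: str
    created_at: float
    status: str = "pending"  # pending -> paid or expired
    processor_ref: str = ""  # processor transaction reference, never a PAN


class PayByLinkService:
    """Merchant-side bookkeeping for payment links (hypothetical)."""

    def __init__(self, base_url="https://pay.example.invalid", now=time.time):
        self._requests = {}     # sha256(token) -> PaymentRequest
        self._base_url = base_url
        self._now = now         # injectable clock so expiry can be tested

    @staticmethod
    def _key(token):
        # Store only a hash of the link token, so a leaked database dump
        # cannot be used to open live payment pages.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create_link(self, request_id, amount_minor, currency):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._requests[self._key(token)] = PaymentRequest(
            request_id, amount_minor, currency, self._now())
        return f"{self._base_url}/p/{token}"

    def resolve(self, token):
        """Return the pending request behind a link token, or None if the
        token is unknown, already used, or older than LINK_TTL_SECONDS."""
        req = self._requests.get(self._key(token))
        if req is None or req.status != "pending":
            return None
        if self._now() - req.created_at > LINK_TTL_SECONDS:
            req.status = "expired"
            return None
        return req

    def record_payment(self, token, processor_ref):
        """Called when the processor confirms the charge. Marks the link used."""
        req = self.resolve(token)
        if req is None:
            return False
        req.status = "paid"
        req.processor_ref = processor_ref
        return True

    def audit_dump(self):
        """Everything the merchant persisted, as text, for the PAN check below."""
        return repr(self._requests)


def processor_charge(amount_minor, currency, card_or_wallet_payload):
    """Stand-in for the card processor's hosted payment endpoint (assumption).
    The payload travels from the customer's browser straight here; the merchant
    backend only ever receives the reference this returns."""
    assert amount_minor > 0 and currency
    return "txn_" + secrets.token_hex(8)


def token_from_link(link):
    return link.rsplit("/", 1)[1]


def run_flow(pan="4111111111111111"):
    """End-to-end run with a constructed test PAN; returns (service, link, ok)."""
    svc = PayByLinkService()
    link = svc.create_link("INV-1001", 4999, "GBP")
    req = svc.resolve(token_from_link(link))
    ref = processor_charge(req.amount_minor, req.currency, {"pan": pan})
    ok = svc.record_payment(token_from_link(link), ref)
    return svc, link, ok


if __name__ == "__main__":
    svc, link, ok = run_flow()
    print("paid:", ok, "PAN in merchant data:", "4111111111111111" in svc.audit_dump())
```

The check that matters for descoping is the last line of `run_flow`'s caller: after a completed payment, the merchant's persisted data contains the processor reference and the hashed link token but not the card number. Keeping the card-entry form and the card-data submission on the processor's side (rather than proxying it through the merchant's own servers) is what makes that claim true in practice.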

      Changing your sales process from taking card details over the phone to simply initiating a text conversation with the customer streamlines operations and saves time, substantially reducing collection cost.

      A joined up customer experience

      Your customers can now avoid the hassle of getting their card out, making a call to sales and dictating their card details over the phone (or logging into a payment site) – proactive effort that may result in the customer not bothering to make the purchase at all.

      Now all a customer has to do is open a text link, and pay with a “one click” thumbprint, reducing payment friction, helping increase spontaneous sales and increasing the attractiveness of buying from your business.

      Connecting with your customers via message also provides a new and direct channel for you to communicate with your customers for a variety of other uses.

      For instance, during the sales process you can provide support via text as an integral part of the conversation, enhancing the customer experience.

      When the payment is made the customer receives a text receipt that forms part of their conversation with you, adding personalization to the purchase. And your sales agent simultaneously receives a payment notification, and can create notes to save alongside relevant texts and call logs.

      Creating a conversation makes the sales process more natural and progressive, and as all context around the purchase is saved in one place, it’s easy for any team member to pick up where you left off for future customer support or sales.

      In this way, a conversation can be used to provide a seamless journey, from discovery, to sale, to payment, to support.

      So make more conversation! It’s good for your customer experience, and can also help you descope your PCI compliance requirements.