Why BPOs Need to Wise-Up on Payment Risks

Published 04/07/23

The digital economy is a double-edged sword: seemingly attractive innovation opportunities can be imperilled by security challenges, and none more so than those presented by card payments. Some 65% of contact centres[1] now take them via the phone, IVR and, increasingly, AI-powered bots.

Yet business process outsourcers (BPOs) can leave the back door wide open, risking data breaches, brand damage, data protection fines and card brand penalties. Often they don’t realise that, under the law, they have become part of their client’s supply chain, or understand how to fix it.

In this blog we discuss the latest best practices that ensure BPOs stay safe and meet their data security obligations.

Being clear on contractual flow
BPOs with clients in retail, travel, gaming, gambling and other payment-dependent activities know payment fraud is on the rise. It has never been easier to purchase a list of credit card numbers and addresses and then use that data to illegally buy goods or services, on the phone or online.

What’s less understood are the additional obligations arising from the contractual flow. For example, when an agent inputs that fraudulent order into a web page accessed via their desktop, the BPO is not only exposed, under the General Data Protection Regulation (GDPR) privacy and security laws, to the risk of compensating that customer; it is also exposed to its client’s Payment Card Industry Data Security Standard (PCI DSS) compliance obligations.

The same is true if the agent uses a virtual terminal accessed via their desktop to input and transmit payment card data across their voice and data networks. To add further complexity, the BPO may contract out their contact centre technology provision or voice connectivity to third parties.

Figure 1. Payment contractual supply chain flow

At that point a contractual flow (see Figure 1) is created, bringing the entire supply chain into the scope of PCI DSS. There’s a misconception that this only affects card issuers or merchants. Not true. PCI DSS holds the merchant accountable for ensuring that all companies providing services that “control or could impact the security of cardholder data” are validated as PCI DSS compliant. That includes BPOs, Unified Comms providers, CCaaS providers, IT hosting and other associated third parties, including resellers.

Missed opportunity
Payment fraud is bad news for everyone. Once a breach occurs the merchant may be subject to increased transaction charges as well as regulatory fines for data protection shortcomings and card scheme penalties. For every $1 of fraud from chargebacks, ecommerce businesses lose an extra $2.94[2] while the impact and financial loss to the victim can be devastating.

According to IBM, on average it takes eight months for UK-based organisations to spot a breach, and a lot of data can be lost in that time. Card scheme penalties and increased transaction charges add significant long-term cost. Ransomware demands can run to millions, and that is before the data protection fines imposed by regulators, potential class action lawsuits and other reputational costs.

Simplified by cloud-centric supply models
The good news is that these problems can now be readily avoided. The shift away from bricks-and-mortar call centres with rigid on-premises systems to agile Contact Centre as a Service (CCaaS) models has made it easier to protect against non-compliance.

Having a robust cloud architecture in place is the first step to securing credit, debit, and cash card transactions and protecting cardholders against fraud or other misuse of their personal information.

Look for a CCaaS solution that was specifically designed with the PCI DSS framework in mind, and check that it has embedded tools for accepting, processing, storing and transmitting payment card information. That is the key to creating a cloud-centric supply model.

All parties want the same thing – the ability to process more payments, more often, more easily, at less cost. CCaaS models can do just that, while also transforming customer and agent experience.

Benefits at a glance
One of the world’s leading CCaaS platforms, Genesys Cloud CX, implemented by Kerv specialists, makes it easier for BPOs to:

  • Simplify security and compliance: from payment protection solutions and multifactor authentication through to proactive monitoring and alerts.
  • Inspire client confidence: they know you’ll protect their customers’ card data to the most stringent global standards and avoid serious non-compliance sanctions.
  • Empower agents: reduce customer frustrations with simple tools to process customer payments quickly and securely.
  • Streamline processes: advance digital-first ambitions through voice and chat bots, Microsoft Power apps and robotic process automation solutions.

When it comes to implementation, Kerv Experience engineers are highly skilled in optimising IT security defences and integrating Genesys with existing ecommerce and CRM platforms. They are also on hand to assist with Genesys customisations or to add new features such as payment progress indication.

Get in touch to speak with a Kerv PCI compliance specialist.


[1] Source: Contact Centre Panel presentation to PCI Security Standards Council, European Community Meeting Oct 2022.

[2] Source: www.ravelin.com/insights/online-payment-fraud.
