Why BPOs need to wise-up on payment risks

Jeremy Curling

Senior Business Development Manager | Kerv Experience

As a senior account manager, Jeremy excels in building and maintaining strong relationships with clients, understanding their unique business needs, and providing tailored CCaaS solutions to drive their success.

Published 04/07/23

The digital economy is a double-edged sword: apparent innovation opportunities can be imperilled by security challenges, none more so than those presented by card payments. Some 65% of contact centres[1] now take them via the phone, IVR and, increasingly, AI-powered bots.

Yet, business process outsourcers (BPOs) can leave the backdoor wide open, risking data breaches, brand damage, data protection fines and card brand penalties. Often, they don’t realise that under law they’ve become part of their client’s supply chain – or understand how to fix it.

In this blog we discuss the latest best practices that ensure BPOs stay safe and meet their data security obligations.

Being clear on contractual flow
BPOs with clients in retail, travel, gaming, gambling, and other payment-dependent activities know payment fraud is on the rise. It’s never been easier to purchase a list of credit card numbers and addresses and then use that data to illegally buy goods or services, on the phone or online.

What’s less understood are the additional obligations arising from the contractual flow. For example, when agents input that fraudulent order into a web page accessed via their desktop, the BPO not only becomes exposed, under the General Data Protection Regulation (GDPR) privacy and security laws, to the risk of compensating that customer; it is also exposed to its client’s Payment Card Industry Data Security Standard (PCI DSS) compliance obligations.

The same is true if the agent uses a virtual terminal accessed via their desktop to input and transmit payment card data across their voice and data networks. To add further complexity, the BPO may contract out their contact centre technology provision or voice connectivity to third parties.

Figure 1. Payment contractual supply chain flow

At that point a contractual flow (see Figure 1) is created, bringing the entire supply chain in scope of PCI DSS regulations. There’s a misconception that this only impacts card issuers or merchants. Not true. The PCI DSS holds the merchant accountable to ensure that all companies that provide services that “control or could impact the security of cardholder data” are validated as being PCI DSS compliant. That includes BPOs, Unified Comms providers, CCaaS providers, IT hosting and other associated third parties, including resellers.

Missed opportunity
Payment fraud is bad news for everyone. Once a breach occurs the merchant may be subject to increased transaction charges as well as regulatory fines for data protection shortcomings and card scheme penalties. For every $1 of fraud from chargebacks, ecommerce businesses lose an extra $2.94[2] while the impact and financial loss to the victim can be devastating.

According to IBM, on average it takes eight months for UK-based organisations to spot a breach, and a lot of data can be lost in that time. Card scheme penalties and increased transaction charges add significant long-term cost. Ransomware demands can run to millions, and that’s without the data protection fines imposed by regulators, as well as potential class action lawsuits or other reputational costs.

Simplified by cloud-centric supply models
The good news is that these problems can now be easily avoided. The shift away from bricks-and-mortar call centres with rigid on-prem systems to agile Contact Centre as a Service (CCaaS) models has made it easier to protect against non-compliance.

Having a robust cloud architecture in place is the first step to securing credit, debit, and cash card transactions and protecting cardholders against fraud or other misuse of their personal information.

Look for a CCaaS solution that was specifically designed with the PCI DSS framework in mind. And check it has embedded tools for accepting, processing, storing, and transmitting payment card information. That’s the key to creating a cloud-centric supply model.

All parties want the same thing – the ability to process more payments, more often, more easily, at less cost. CCaaS models can do just that, while also transforming customer and agent experience.

Benefits at a glance
One of the world’s leading CCaaS platforms, Genesys Cloud CX, implemented by Kerv specialists, makes it easier for BPOs to:

  • Simplify security and compliance: from payment protection solutions and multifactor authentication through to proactive monitoring and alerts.
  • Inspire client confidence: they know you’ll protect their customers’ card data to the most stringent global standards and avoid serious non-compliance sanctions.
  • Empower agents: reduce customer frustrations with simple tools to process customer payments quickly and securely.
  • Streamline processes: advance digital-first ambitions through voice and chat bots, Microsoft Power Apps and robotic process automation solutions.

When it comes to implementation, Kerv Experience engineers are highly skilled in optimising IT security defences and integrating Genesys with existing ecommerce and CRM platforms. They are also on hand to assist with all Genesys customisations or to add new features like payment progress indication.

Get in touch to speak with a Kerv PCI compliance specialist.

[1] Source: Contact Centre Panel presentation to PCI Security Standards Council, European Community Meeting Oct 2022.

[2] www.ravelin.com/insights/online-payment-fraud.
