In today’s society, data protection is increasingly a concern for many consumers. Data breaches appear in the news all too frequently. The 2015 Verizon Data Breach Investigations Report, which looked at more than 2,100 data breaches, found that more than 700 million records were exposed for the year 2014 alone. Businesses are now prioritising the safety of customer data, with a particular focus on payment information.

The government plans for smart meters to be rolled out as standard across the UK by the end of 2020. This will amount to nearly 53 million smart meters fitted in more than 30 million premises across England, Scotland and Wales. Although there is no legal obligation on individual consumers to have one, the government has emphasised the wide range of benefits smart meters will bring. This includes giving customers near real time information on energy use expressed in pounds and pence, which will allow easier management of energy consumption.
With smart meter rollout now underway, many energy suppliers are gearing up their contact centre operations to cope with consumer queries, installation bookings and account management questions. But as the scheme gathers momentum, industry pundits predict the number of consumers calling in to top up their Pay-As-You-Go (PAYG) smart meters or pay their bills is set to rise significantly.
Energy companies will need to review their contact centre operations to ensure they diligently handle telephone card payments and protect their customer’s financial data in line with the Payment Card Industry Data Security Standards (PCI DSS) stringent requirements.

What is PCI DSS?

Developed by the major card companies to protect the safety of cardholder data and prevent fraud, failure to comply with the PCI DSS will result in significant financial penalties and can result in the revocation of a merchant’s card processing ability.
Covering every aspect of payment collection, processing and storage, the PCI DSS security framework relates to all technical and operational systems connected to cardholder data. In the contact centre this means phone systems, the telephony network, desktop and agent systems – and the physical security of the contact centre environment.
This covers the agent community and any equipment they could potentially use to access and communicate card details, such as writing materials, mobile phones, the Internet or social media platforms. For obvious reasons, no card data can ever be written down or recorded.
From handling bank details and credit card info to taking customer account passwords, energy suppliers need to take all appropriate steps to protect their customers’ sensitive and personal information.

Becoming compliant

For those organisations that do not have the necessary internal security infrastructure investments in place, dealing with PCI DSS compliance can be a complex and costly process. But any failure to address PCI DSS obligations and protect customers against identity theft means exposing the firm to significant on-going risk.
Despite the fact that many energy customers utilise web portals to manage their accounts or handle billing, a significant proportion go on to use services like live web chat or their phones to speak with a customer service rep. During the call, they may need to share information like passwords or account PINs or read out their credit or debit card PAN (primary account number) and three-digit Card Security Code to make a one-off payment.
A significant number of consumers, however, still prefer to speak to a real person or lack the means to make a secure online payment. With over 500,000 domestic smart meters already installed in homes, it is time electricity providers got smart about contact centre payment security.
The good news is that there is a way of ensuring sensitive payment or personal data never enters the contact centre environment in the first place. If it is never there, it can’t be breached or stolen – and the contact centre is taken out of scope for PCI DSS.

How secure phone payments work

Today’s hosted DTMF secure phone payment processing platforms prevent card data from entering the contact centre environment and offer an effortless way of minimising cost and complexity of ensuring PCI compliance. There is no need to install any hardware onsite and the intuitive user interface is both customer friendly and easy for agents to use.
When a customer makes a phone payment, rather than divulge their card details directly to a contact centre agent, they are routed to an external secure payment platform. The customer then enters their payment detail via the telephone keypad to complete the transaction. The contact centre agent sees asterisks appear in the user interface as the transaction takes place and is on hand throughout the call to talk customers through the process – but they cannot see or hear the sensitive card data. All phone tones are masked, so if calls need to be recorded, the payment card details are eliminated.
For utility companies that are reliant on phone payments, securing this channel should be a top priority. Initiating PCI DSS compliance for the contact centre will also ensure organisations are well on the way to ensuring these environments are built to comply with the requirements of other data privacy legislation like the EU General Data Protection Regulation (GDPR).
The Government’s new Data Protection Bill, designed to update the existing 1998 Data Protection Act, incorporates GDPR privacy rules and will allow the ICO to fine companies up to four per cent of global annual turnover or €20 million – whichever is greater.
With the number of PAYG customers needing to call up contact centres to top up their meters expected to increase, energy companies will need to ensure that compliance is a key consideration. In the current data breach climate, customers need to feel confident that businesses are protecting their data and payment card information.