June 24th, 2014 by Elma Jane

Compliance with a single set of regulations is often taxing enough, without other regulations causing a conflict, but this is exactly the situation that the insurance industry finds itself in with its contact centres.

PCI-DSS compliance insists that sensitive information in particular credit card numbers, must be protected and cannot be stored. However, the Financial Conduct Authority (FCA), the UK regulator for the financial services industry, demands that insurers keep sufficient detail of their transactions.

In insurance contact centres, FCA recommendations are met by recording calls. So in order to comply with PCI-DSS regulations, some contact centres simply pause recordings while the card information is read out, and resume recording once the payment process is complete. There’s a very big problem with this method,  it undermines the very reason calls are recorded. The call recording is there to provide an unequivocal record of the circumstances under which the policy is granted. A gap in this record creates doubt. What was said during this time? If a customer is claiming a policy is mis-sold or they were misinformed in some way, a complete record to refute this claim no longer exists. Because of situations such as this, the insurance industry has an inherent dependence on contact centres and person-to-person interaction when selling policies, though in the process has to somehow comply with both regulations. But how? One way is to get the sensitive card information directly and securely to the bank’s payment gateway without storing it. Online, this is done quite easily, insurers can embed a secure payment page into a website and the customer can enter information securely that way. By phone a similar method can be used. A caller can input information directly on their telephone keypad and the tones are only transmitted to the credit card payment gateway not the contact centre. This solves the paradox of the conflicting regulations.

Insurance contact centres need to walk a very fine line, ensuring that they comply with all of the relevant regulations from multiple regulators – even those that, at first glance, contradict each other.

 

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , , , ,