
PCI-DSS vs FCA regulation - a paradox?

23 June 2014

Humans have always loved a paradox, from the simple piece of paper with ‘the other side is true’ on one side and ‘the other side is false’ on the other, to the quantum physics thought experiment in which Schrödinger's cat is both alive and dead until the box is opened. Information that is simultaneously true and conflicting appeals to our puzzle-solving nature. Contact centres providing insurance now have their very own paradox to ‘enjoy’ – FCA regulations and PCI compliance.

Compliance with a single set of regulations is often taxing enough, without other regulations causing a conflict. But this is exactly the situation that the insurance industry finds itself in with its contact centres.

PCI-DSS compliance insists that sensitive information, in particular credit card numbers, must be protected and cannot be stored. However, the Financial Conduct Authority (FCA), the UK regulator for the financial services industry, demands that insurers keep sufficient detail of their transactions.

In insurance contact centres, FCA recommendations are met by recording calls. So in order to comply with PCI-DSS, some contact centres simply pause recordings while the card information is read out, and resume recording once the payment process is complete.

There’s a very big problem with this method, however – it undermines the very reason calls are recorded. The call recording is there to provide an unequivocal record of the circumstances under which the policy is granted. A gap in this record creates doubt. What was said during this time? If a customer is claiming a policy is mis-sold or they were misinformed in some way, a complete record to refute this claim no longer exists.

The insurance industry depends heavily on contact centres and person-to-person interaction when selling policies, and so it has to somehow comply with both sets of regulations at once. But how?

One way is to get the sensitive card information directly and securely to the bank’s payment gateway without storing it. Online, this is done quite easily – insurers can embed a secure payment page into a website, and the customer can enter information securely that way. By phone a similar method can be used. A caller can input information directly on their telephone keypad and the tones are only transmitted to the credit card payment gateway – not the contact centre. This solves the paradox of the conflicting regulations.
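To make the difference between the two approaches concrete, here is an added illustration (not code from the original post): a toy event model of a contact-centre call in which the card number (PAN) is supplied in the middle of the conversation. It compares recording everything, pausing the recorder for the payment window as described above, and stripping keypad (DTMF) tones out of the recording so that the digits reach only the payment gateway. The event model, timings, function names and the test card number are all constructed for the example; the final check is a simple DLP-style sweep (digit run of card length plus Luhn) over what the recorder kept.

```python
"""Call-recording strategies for card payments taken by phone (added example).

Toy event model: names, timings and the test PAN are constructed; this is
not the original post's code nor any vendor's product logic.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    t: int        # seconds from start of the call (constructed)
    kind: str     # "speech" or "dtmf"
    payload: str  # words spoken, or a single keypad digit


# Constructed test PAN: passes Luhn, is not a real card number.
TEST_PAN = "4111111111111111"

# Speech shared by both scripted calls. Note the policy detail stated at
# t=20, in the middle of the payment window: this is the kind of statement a
# complete recording is meant to preserve.
SPEECH = [
    Event(0, "speech", "agent: the policy covers theft and accidental damage"),
    Event(10, "speech", "agent: please give me your card number now"),
    Event(20, "speech", "agent: I confirm the excess on this policy is 250 pounds"),
    Event(40, "speech", "customer: understood, go ahead"),
    Event(45, "speech", "agent: payment accepted, cover starts today"),
]
PAYMENT_WINDOW = (11, 39)  # seconds during which the PAN is being supplied


def spoken_pan_call():
    """Customer reads the PAN aloud at t=15."""
    spoken = Event(15, "speech", f"customer: it is {TEST_PAN}")
    return sorted(SPEECH + [spoken], key=lambda e: e.t)


def keyed_pan_call():
    """Customer keys the PAN on the handset, one DTMF digit per second from t=15."""
    digits = [Event(15 + i, "dtmf", d) for i, d in enumerate(TEST_PAN)]
    return sorted(SPEECH + digits, key=lambda e: e.t)


def record_everything(events):
    """Baseline: every spoken word and every keypad tone lands in the recording."""
    return [e.payload for e in events]


def pause_and_resume(events, window):
    """Recorder switched off between window[0] and window[1]; nothing in the gap survives,
    including any policy statements made while the card details are taken."""
    start, end = window
    out, paused = [], False
    for e in events:
        if start <= e.t <= end:
            if not paused:
                out.append("[recording paused]")
                paused = True
            continue
        out.append(e.payload)
    return out


def dtmf_masking(events):
    """Keypad tones are removed from the recording and forwarded only to the gateway;
    speech is recorded without interruption."""
    recording, gateway = [], []
    for e in events:
        if e.kind == "dtmf":
            gateway.append(e.payload)
            recording.append("[tone masked]")
        else:
            recording.append(e.payload)
    return recording, "".join(gateway)


# Digit run of 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Standard Luhn check used to filter out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pans_in_recording(recording):
    """DLP-style sweep over the stored recording: Luhn-valid card-length digit runs."""
    text = " ".join(recording)
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def missing_speech(recording):
    """Which of the shared speech events did the recording lose?"""
    return [e.payload for e in SPEECH if e.payload not in recording]
```

Running the three strategies shows the trade-off in the post: the baseline stores a Luhn-valid PAN in the recording; pause-and-resume keeps the PAN out but also loses the agent's statement about the excess made during the window; DTMF masking keeps every spoken word and delivers the digits to the gateway only. A caveat the model also exposes is that the pause approach depends on the agent choosing the window correctly, whereas the masking approach removes the tones regardless of timing.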

Insurance contact centres need to walk a very fine line, ensuring that they comply with all of the relevant regulations from multiple regulators - even those that, at first glance, contradict each other.


Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 25 June, 2014, 13:43

For the past 4-5 years, my auto insurer in India (BajajAllianz) has been letting customers pay for policy purchase / renewals with a credit card entered via telephone keypad using the Interactive Voice Response system you've described. Over 6 years ago, my council in the UK (Tower Hamlets) used a more advanced Interactive Voice Recognition system to let me pay my council tax by speaking out my credit card details over the phone.

From what I know, PCI-DSS does not forbid storage of payment card details by a merchant - just that the merchant would need to be compliant with PCI-DSS if it chose to do so. Many merchants store payment details and (hopefully!) have PCI-DSS certification. Merchants who don't store payment card details - and deploy workarounds like a Hosted Payment Page on their websites or an IVR technology on their telephone channel - avoid the process presumably to save PCI-DSS certification costs.
