What is "IVR payment"? Securely handling credit card information for phone orders (mail order and reservations)
Key points of this article
- Understand card information risks and countermeasures for phone orders
- Understand how IVR payment works and the benefits of implementing it
- Understand the differences from other methods and the selection criteria
Are you worried about having to ask for credit card numbers when taking phone orders and reservations? Telephone handling is an important means of receiving orders, but mishandling card information can lead to risks such as information leakage.
In this article, we organize the necessary security measures and explain how "IVR payment" works as a way to take payment safely, along with its benefits, its differences from other methods, and the points to consider when selecting a service.
What are the challenges of credit card payment in phone ordering?
| Risk item | Situations where it is likely to occur | Business impact | Main causes |
|---|---|---|---|
| Information leakage | The card number is heard and repeated on the phone | Fraud, decline in customer trust | The operator directly touches card information |
| Record keeping | Paper notes and call recordings are left behind | Increased burden of information management, increased risk of leakage | Card information remains in memos and recordings |
| Inadequate management at home and at outsourcing companies | Home-based operators and external call center operations | Management rules are not thoroughly followed, accidents occur | Working environments and operational levels easily differ |
| Losses after an accident | Leaks and fraud are discovered | Merchant contract suspension, compensation, and loss of sales | Initial response and confirmation of the scope of impact are costly |
Telephone orders and telephone reservations are still used to deal with customers who are unfamiliar with web operations, urgent orders, and situations where verbal confirmation is required.
In particular, the following types of business often keep a telephone reception channel.
- Mail order companies (health food, cosmetics, subscription products)
- Food and beverage chains (home delivery pizza, bento boxes, catering)
- Accommodation and leisure facilities (hotels, inns, golf courses, rental cars)
- Call center operators
- BtoB order centers (parts and materials orders)
On the other hand, when people listen to card information, the number of people and procedures handling it increases, so this kind of operation easily becomes the starting point of information leakage and fraud.
Listening to card numbers over the phone has a high risk of information leakage
Having the card number read aloud over the phone means that the operator directly touches the card number, expiration date, name and other information. The more the operator repeats and confirms to prevent mishearing, the more sensitive information is exposed in the conversation.
In addition, the conversation can be overheard by others, the input screen can be peeped at, and mistakes can occur during transcription, so the risk of human-caused information leakage tends to be higher than with web input.
Notes, recordings, and home operators are the cause of accidents
Information leakage is not caused only by external attacks. Accidents can also arise from daily call-handling tasks, such as notes taken to prevent mishearing, call recordings kept for quality checks, and the working environment of home-based operators.
If card information remains in paper notes and recorded data, the number of things to manage increases. Because operations must be controlled across contractors and home-based operators as well, on-site rules alone are unlikely to prevent accidents.
An accident can lead to merchant contract suspension and compensation
When an incident related to card information occurs, it takes time and money to investigate the cause, confirm the scope of impact, deal with customers, and develop measures to prevent recurrence.
When fraud occurs, refunds and chargebacks must also be handled, which naturally increases the burden on normal operations. In some situations, the merchant contract may be suspended or its conditions reviewed.
This may lead to damages, resulting not only in lost sales but also in a decline in corporate credibility.
Security measures for card information required for phone orders
When accepting card payment for telephone orders and reservations, design the operation to reduce both the time people touch card information and the places where card information remains.
Specifically, it is important to ensure the operator does not hear the card number, to prevent it from ending up in memos and recordings, and to adopt a policy of not passing card information through the company's system.
Make the card number inaccessible to the operator
If the card number is read aloud, the information is exposed every time it is repeated or asked for again. Therefore, only the entry of payment information is switched to a different route, so that the operator does not hear the number.
Typical examples are transferring the customer to automated voice input while keeping the call connected, or guiding the customer to a separate input link. The closer the design is to one that does not involve people, the narrower the leak path.
Do not note, record, or save card information
"Paper memos to prevent mishearing" and "call recordings to confirm content" easily leave information such as card numbers and expiration dates on paper, in recorded data, and in system records.
Prohibit paper memos, and do not leave card numbers in the remarks column of the customer management system or in the response records that track inquiries and orders received.
When recording calls, design the procedure as a set: stopping the recording at the time of card entry, and checks by a responsible person. The more places information is stored, the more time and risk its management involves.
Don't let card information pass through your own system
Entering card numbers into order management and customer management systems, or linking them to those systems, expands the scope of management: where the data is stored, who is allowed to view it, and checking operation history.
Therefore, design the flow so that card information is received on the payment processor's side and your company handles only payment results and transaction IDs. Even when system linkage is required, the basic form is to link only the information necessary for payment processing, without passing the card number itself through the company's system.
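One way to check the two rules above (no card numbers in remarks or response records, and only payment results and transaction IDs on the company side) is to scan stored text fields for card-number-like digit runs. The Python below is an added example, not code from the original article or from any provider; the record layout and field names are assumptions, and the sample records are constructed (the card number is a widely published test number).

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens,
# which is how a number tends to be typed into a remarks column.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits so the audit report holds no card number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text):
    """Return text with every Luhn-valid candidate replaced by its masked form."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return CANDIDATE.sub(repl, text)


def find_card_numbers(text):
    """Return the masked form of each likely card number found in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def audit_records(records):
    """Return (record id, field name, masked number) for every finding."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            for masked in find_card_numbers(value):
                findings.append((rec["id"], field, masked))
    return findings


# Constructed sample records; field names are hypothetical.
SAMPLE_RECORDS = [
    {"id": "R-001", "remarks": "Delivery on Saturday",
     "payment_result": "approved", "transaction_id": "TX-0001"},
    {"id": "R-002", "remarks": "card 4111 1111 1111 1111 exp 12/30, read out by customer"},
    {"id": "R-003", "remarks": "order no 2025010112345678, callback 03-1234-5678"},
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print(finding)
```

The Luhn check keeps 16-digit order numbers and phone numbers from being reported, so a finding is worth a manual look at how the number got into the record.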
Introduce non-retention mechanisms such as automatic voice input
Operational rules depend on people's judgment and tend to break down during busy seasons, with home-based operators, and at outsourcing companies.
If customers enter their card information themselves through push-button operation, using automated voice response (IVR) or similar, the flow in which operators never touch the number can be fixed in place, and as a result it becomes easier to achieve operations that do not retain card information (non-retention).
However, whether or not non-retention can be achieved depends not only on the service mechanism, but also on recording settings, internal operations, and business flows, including outsourcing, so it is important to check with the provider about the scope of application and necessary measures before designing.
What is IVR payment?
IVR payment is a mechanism that uses automated voice response (IVR) so that, when an order is taken in a call center, payment is made without the operator touching the customer's credit card information.
After the operator confirms the order details and payment method, they transfer the customer to the IVR, where the customer enters the card number, expiration date, and security code by push-button operation.
This makes it easier to achieve non-retention of card information in telephone orders.
Benefits of implementing IVR payment services
If you want to increase security while keeping phone orders, IVR payment makes it easier to achieve "not touched by people", "not held by your company", and "easy to connect to existing operations" at the same time.
| Aspect | Before implementation | After implementation |
|---|---|---|
| Handling of card information | The operator listens to it verbally | Customers enter it directly in the IVR |
| How information is left behind | Notes, recordings, and transcriptions are likely to occur | Unlikely to remain in people's hands |
| Passage through your own environment | There are concerns about it passing through PCs and internal networks | Easy to approach a non-retaining, non-passing design |
| Home-based and outsourced operation | Variations in control are likely to occur | Easy to operate on the premise that card information is not handled |
| Post-order linkage | Prone to manual input and reconciliation | Easy to connect order information and payment data through API linkage |
The advantages of IVR payment services include that operators can take payment without touching card information, that you can aim for card information neither being retained in nor passing through your own PCs, servers, and networks, and that it is easy to connect to core systems through API linkage.
In addition, choosing a service that is delivered in a secure environment compliant with PCI DSS will help reduce operational risk.
Operators can take payment without handling card information
The advantage of IVR payment is that the operator does not have to ask for the card number.
When the call is transferred to the IVR after receiving the call, the card information is entered by the customer's own push-button operation.
This makes it easier to reduce the exposure of information through repetition and re-listening, which leads to a lower risk of human-caused information leakage.
Card information can be kept out of your environment (non-retention)
Implementing an IVR payment service makes it easier to design operations in which card information neither persists in nor passes through your own PCs, servers, or networks.
Since it reduces the "paths where information remains", such as paper memos, recordings, and entries in the remarks column, it becomes easy to move to an operation that does not hold card information in-house even when receiving orders by phone.
It also helps advance operations that do not retain card information in-house, in relation to the "PCI DSS (Payment Card Industry Data Security Standard) compliance when retaining card information" required by the credit card security guidelines.
Supports home-based call center operations
In call center operations that include telecommuting operators and contractors, working environments and rules easily differ, and the more people handle card information, the higher the management costs.
With IVR payment, card information is entered on the customer's side, so operators can focus on handling orders.
Therefore, it is easy to establish the premise of "not asking for card information" even when operating from home, and it is easier to reduce the risk of accidents.
Reduce workload by linking with existing systems
Some IVR payment services support API integration, making it easy to link order information with transaction data.
If connected to the order management system, it will be easier to reduce manual reconciliation and posting, which will lead to a reduction in input errors and confirmation man-hours.
As a result, it is easier to maintain the speed of processing phone orders while reducing the burden on operators.
How IVR payment services work and the payment flow
IVR payment is a mechanism in which the end user and the merchant (call center) begin a call and switch to the IVR (Automated Voice Attendant) when a payment is needed.
Source: IVR payment Services
- (1) Telephone answering: The operator responds to the call from the end user and confirms what they are ordering and how they will pay.
- (2) Enter payment data and transfer to IVR: The operator enters the order information in the API-linked core system or the IVR management screen, and transfers the call to the IVR.
- (3) Input of card information, etc.: The end user enters the card number, expiration date, and security code by push-button operation. The design assumes that the operator cannot hear the input.
- (4) Card payment execution: The IVR performs payment processes such as authorization (credit) and card enrollment.
- (5) Return of card payment results: The payment center returns the result, such as approved or not, to the IVR.
- (6) Return of card payment results (operator result confirmation): The IVR returns the result to the merchant, and the operator confirms the approval result and proceeds with guidance and follow-up actions.
Sensitive information such as card numbers is entered by the end user through push-button operation on the phone, and the payment processing is connected from the IVR side to the card company via the payment center.
Since only the "payment result" is returned to the merchant, the design is characterized by card information not being handled by people.
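The result-return steps (5) and (6) above, seen from the merchant's order system, as an added Python example that is not the article's or any provider's API. Field names, status values and the retry limit are assumptions; the handler accepts only result fields, refuses anything else so that card data cannot enter the company's system, and maps declined, timeout and input-error results to re-guidance.

```python
# Hypothetical merchant-side handler for the result the IVR returns.
ALLOWED_FIELDS = {"order_id", "amount", "status", "transaction_id"}
RETRYABLE = {"declined", "timeout", "input_error"}  # assumed status names
MAX_ATTEMPTS = 3  # assumed limit before the operator offers another method


class ResultRejected(Exception):
    """The result cannot be applied to an order and needs manual review."""


def apply_ivr_result(pending, result):
    """Apply one IVR result to `pending`; return the operator's next action."""
    extra = set(result) - ALLOWED_FIELDS
    if extra:
        # Report field names only: the values might be card data.
        raise ResultRejected(f"unexpected fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(result)
    if missing:
        raise ResultRejected(f"missing fields: {sorted(missing)}")

    order = pending.get(result["order_id"])
    if order is None:
        raise ResultRejected("unknown order_id")
    if order.get("state") == "paid":
        raise ResultRejected("order already paid")
    if result["amount"] != order["amount"]:
        raise ResultRejected("amount does not match the order")

    order["attempts"] += 1
    status = result["status"]
    if status == "approved":
        if not result["transaction_id"]:
            raise ResultRejected("approved result without transaction_id")
        # Only the result and the transaction ID are stored with the order.
        order["state"] = "paid"
        order["transaction_id"] = result["transaction_id"]
        return "confirm_order"
    if status in RETRYABLE:
        if order["attempts"] < MAX_ATTEMPTS:
            return "retransfer_to_ivr"
        return "offer_other_payment_method"
    raise ResultRejected("unknown status")


if __name__ == "__main__":
    # Constructed sample: one pending order, one timeout, then an approval.
    orders = {"ORD-1001": {"amount": 4800, "attempts": 0}}
    base = {"order_id": "ORD-1001", "amount": 4800}
    print(apply_ivr_result(orders, {**base, "status": "timeout", "transaction_id": None}))
    print(apply_ivr_result(orders, {**base, "status": "approved", "transaction_id": "TX-0001"}))
    print(orders)
```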
Key Features of IVR payment Services
The IVR payment service not only separates the entry of card information off to the IVR side, but also provides the functions needed to make it work as a call center operation.
Examples are the function that returns the call to the operator after the payment is completed, so that the conversation can be concluded after final confirmation and guidance, and the API integration function that automatically connects the order system and payment data.
These are the elements that support both safety and operational efficiency.
Operator Call Back Function (Standard)
After the card payment is completed in the IVR, the call can be returned to the conversation between the customer and the operator.
The operator can end the conversation after giving "final confirmation of order details", "information on completion of reception", "precautions for delivery and visit", and so on, so the experience of ordering by phone is unlikely to be disrupted. In particular, in business formats where there are many items to confirm after payment, such as mail order subscriptions and accommodation reservations, the advantage is that it is easy to maintain the quality of follow-up.
API integration function (standard)
The API integration function allows you to automatically link the order information on the order system side with the payment data executed in the IVR payment.
This reduces manual transcription and reconciliation, which will lead to fewer typing errors and confirmation man-hours. As a result, it is easy to maintain the processing speed of telephone orders while reducing the burden on the operator.
Comparison points for IVR payment service providers
IVR payment services are not "all the same": they vary in the scope of compliance and non-retention design, in how they link with other systems, and in the scope of operational support.
To avoid problems after implementation, make a checklist of requirements and select a service by comparing against it.
| Comparison item | Points to check | Check |
|---|---|---|
| PCI DSS compliance scope | Is it clear whether the compliance target is "IVR platform only" or includes "management screen, API, and operation"? | □ |
| Non-retention | Can you design operations so that card information is "not retained in and does not pass through" your company? | □ |
| Preventing information from remaining | Is it designed so that card information does not remain in call recordings, logs, and the management screen? | □ |
| API integration | Can order information and payment results be linked automatically via API? | □ |
| Items that can be linked | Can required items such as order ID, amount, and customer number be linked? | □ |
| Operation in case of exceptions | Is there a re-payment or re-guidance flow for unauthorized, timeout, or input errors? | □ |
| Fault response and contact hours | Are the inquiry desk's response hours, emergency contact method, and recovery estimate clear? | □ |
Check PCI DSS compliance coverage
Even if it says "PCI DSS compliant", the extent to which it is compliant varies from provider to provider.
Check whether it is only for the IVR platform or whether it includes management screens, APIs, and operations.
In some cases, additional measures may be required on your own side, so it is important to organize the scope of compliance and the scope of your company's responsibilities as a set.
Whether the provider can present audit trails and operational rules is also a point of comparison.
Does it support non-retention of card information?
The goal of IVR payment is a design that not only prevents operators from handling card information, but also prevents card information from being held in or passing through your own PCs, servers, and networks.
Check whether the system keeps card information out of call recordings and whether it is designed to prevent card information from remaining in the management screen and logs.
You should also look at whether the operation is unlikely to break down even when outsourcing companies and home-based operators are included, and whether there is support for on-site design.
Can it be linked to your own system or order management system?
In a phone order, the order information and the payment result have to be reconciled.
It is advisable to check whether API integration is available, which items can be linked (order ID, amount, customer number, etc.), and how retries and exceptions are handled.
Weak linkage will eventually result in manual transcription, leading to more errors and confirmation man-hours.
The track record of connecting to core systems and CRMs and the scope of technical assistance during deployment are also points of comparison.
Check the response time of the fault response and inquiry desk after introduction
Telephone orders are often handled during business hours, and the impact of failures is directly related to sales.
Check the response time of the contact desk, emergency contact routes, estimated time for recovery, and how to notify of fault information.
If you are a business that accepts orders at night and on weekends, the range of support during that time is important.
At the same time, if you check the provisional response in the event of a failure (such as whether or not manual handling is possible), you can reduce the risk of operational outages.
Conclusion
| Item | Key points |
|---|---|
| Why phone payment stays | It is used for customers who are not good at web operations, for urgent orders, and in situations where verbal confirmation is required |
| Key challenges | Operator listening, notes, recordings, and home-based operation easily become the starting point of information leakage |
| Necessary measures | Designs that do not ask for card information, do not leave it behind, and do not pass it through the company's environment |
| Effective solution | IVR payment makes it easy to take payment without people handling card information |
| Comparison points | Check PCI DSS compliance coverage, non-retention, system integration, and fault response |
In business formats that keep phone orders, both convenience and safety are essential.
Since there are limits to operations in which people handle card information, it is important to review the design on the premise of non-retention.
Based on the mechanism and comparison points of IVR payment, please consider the operation that suits your company.
If you want to keep your phone orders and switch to an operation in which people do not handle card information, consider PG Multi-Payment Service's IVR payment.
According to your company's operational situation, we will organize how to proceed with non-retention, the linkage methods, and the introduction steps, and guide you through them.
Please start by requesting materials or contacting us.
Service Introduction
PG Multi-Payment Service
PG Multi-Payment Service is a payment platform provided by GMO Payment Gateway, Inc., a payment processing company (PSP, Payment Service Provider). It has been introduced to a wide range of businesses, from startups to small and large companies, regardless of industry or size.
It provides a solid infrastructure that supports payment at a huge scale: 163,890 stores, an annual transaction value of 21 trillion yen, and 7.22 billion cases processed (*). In addition, it is fully compliant with the global security standard PCI DSS Ver4.0.1, helping any business to create a secure payment environment.
- Supports both one-time payment and subscriptions (subscription and recurring payment)
- Connection methods are available to suit your needs (OpenAPI type, Link type Plus)
- The HDI International certified customer support desk provides generous support
*As of the end of September 2025, consolidated figures

Author
PX+ by GMO Editorial Department
The PX+ by GMO editorial team is a dedicated media team specializing in the payment and Payment Experience (PX, payment experience) area by GMO Payment Gateway.
Based on the latest trends and practical know-how related to payment, e-commerce operations and cashless in general, as well as examples of growing companies, we compile and supervise practical and reliable information that is useful for business growth.