How Municipalities Can Reduce Risk of Securing Payment Data

(Published Wednesday, March 14, 2018)

What is card-not-present (CNP) fraud and how does it affect government entities?

CNP includes over-the-phone payments, internet and e-commerce transactions, and mail-order transactions where the cardholder does not physically present the card to the merchant.

According to a U.S. Payments Forum report, CNP fraud is currently the most prevalent type of fraud reported in countries that have migrated to EMV chip, and it continues to increase. With the exponential growth of e-commerce, many are struggling to keep up with security standards in place to prevent CNP fraud.

This growing area of credit card fraud affects PCI Compliance for a variety of businesses and government entities. It is no longer the banks or the credit card companies that bear the risk or responsibility for security. Breaches and theft of cardholder data affect everyone, including individuals, businesses, and government:

  • customers lose trust in merchants or financial institutions
  • individuals are at risk for bad credit scores and identity theft
  • merchants lose credibility and future business
  • government agencies risk painful audits and recovery costs
  • risk of lawsuits, class-action lawsuits, and settlement payments

What Can Municipalities Do? Reduce Risk Through De-scoping.

We have worked with municipalities, utility companies, and other industries and organizations who want to outsource PCI Compliance requirements to another company. By passing on the requirement to be compliant to Ivrnet and by no longer processing credit cards, PCI Compliance is no longer in their scope of requirements.

Outsourcing payment processing to a third-party provider decreases costs and risks of compliance requirements, and helps you gain greater efficiencies, while continuing to offer the convenience and immediacy of taking credit card payments over the phone.

Removing sensitive credit card data from your infrastructure eliminates your organization’s risk of fraud associated with telephone credit card information by moving it out of scope from the Payment Card Industry Data Security Standards (PCI-DSS). The technology solution Ivrnet offers allows your customer to enter credit card information securely using their phone keypad, rather than speaking it aloud to a customer service agent.

If your customers do not read out their payment information over the phone, your agents cannot hear it, write it down, record it or pass it on to anyone else.

When agents do not enter sensitive payment information into their desktop, this too takes both the desktop and the network out of scope for PCI compliance.

PCI-DSS has 222 compliance requirements for processing, transmitting or storing credit card information. Implementing these controls requires significant investment in developing new policies, tools and manual procedures, and in documenting them for evidence purposes. Each control and its environment incurs its own cost and the cost of a security audit. As a result, organizations are finding it more cost-effective to eliminate credit card information altogether. For example, the Government of Alberta has mandated the de-scoping of all credit card data as an effective method of improving efficiency, lowering costs, eliminating risks and safeguarding its reputation on behalf of Albertans. Ivrnet is proud to partner with the Government of Alberta employing Ivrnet SafePay.

Agencies within the government are using automation to improve service for citizens and make their processes more efficient.

One such agency serves local citizens who qualify for low-income support. These individuals log in to a secure website or call into IVR services when they need to report income, change of circumstance, and other reports.

Ivrnet worked with this agency to set up a secure, automated system for users to report via the web or phone. The system uses an auto-process or a post-verification process. This means it's easier for citizens to report, and case workers get to spend more time with individuals rather than manually processing reports.

Prior to automation, reports were filed via mail or phone and went through a manual verification process. Now, after a 10-year process, about 60% of citizens are using the online system and 40% are using the phone system.

By de-scoping, or outsourcing the PCI requirement to another company, this government agency not only reduced its risk and burden of compliance requirements, it also improved efficiency and the quality of service for its citizens.

Learn more: Over the Phone Credit Card Fraud: A PCI Compliance Guide for Business and Government


Ready to get started?

If you need online and telephone payment as part of your business, Ivrnet is your solution. If you simply need the transaction to happen off your systems so you are PCI compliant, Ivrnet has your solution. Simple, elegant and easy.
