VGFOA Fall, OCTOBER 2018 Protecting Phone-Based ... Fall Conference... · PCI PENALTIES AND FINES...


Page 1

proprietary & confidential 1

Protecting Phone-Based Transactions and Understanding PCI Compliance

VGFOA Fall, OCTOBER 2018

JASON HERBERT, SENIOR ACCOUNT MANAGER

Page 2

Charlotte, NC – Paymentus Headquarters

WHO WE ARE

Paymentus is a leading provider of eBilling and Payment solutions in North America

Founded in 2004

1,300 Local Government and Municipal Utility Clients

99.7% Annual Client Retention Rate

PCI Level 1 Hosted Service Provider

Recognized by Deloitte to be among the fastest growing companies in North America

Page 3

WHAT IS PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

PCI DSS was created jointly by Visa, MasterCard, Discover and American Express in 2004

Page 4

WHAT IS PCI DSS?

There are 6 major objectives:

1. A secure network must be maintained in which transactions can be conducted.

2. Cardholder information must be protected wherever it is stored.

3. Systems should be protected against the activities of malicious hackers.

4. Access to system information and operations should be restricted and controlled.

5. Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, functioning properly, and are kept up-to-date.

6. A formal information security policy must be defined, maintained and followed at all times and by all participating entities.

Page 5

DOES PCI DSS AFFECT MY BUSINESS?

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers.

PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Does PCI DSS apply to telephone call centers? Absolutely!

Page 6

HOW YOUR BUSINESS IS IN PCI SCOPE

Cardholder data passes through, and can be potentially stored, accessed, or directly compromised at a variety of points during a transaction… starting the moment the information is relayed from the cardholder.

Page 7

PCI PENALTIES AND FINES

If your business is found to be out of compliance, your business can be fined from $5,000 up to $500,000, depending on:

Size of business

Length of non-compliance

Degree of non-compliance

If non-compliance leads to a breach, the penalties can be even more damaging:

$50-90 fine for each compromised cardholder.

Suspension of credit card acceptance by credit card account provider.

Potential litigation.

Damage (potentially permanent) to public perception of the trustworthiness of your brand.

Page 8

PATHS TO CALL CENTER COMPROMISE

Call centers are not immune to breaches: CSRs have a variety of means and opportunities to record cardholder data…

Notebook and Pen

Mobile phone

— Camera

— Voice recorder

— Notes

Bluetooth recorder

Memory Stick

Key Logger

Page 9

EXISTING SOLUTIONS

Page 10

EXISTING SOLUTIONS: CURRENT ENVIRONMENT

The most common approaches to facilitate payments during a phone-based request are loaded with risk (financial, customer and security risk):

COMMON APPROACH #1

Customer reads card information to employee who enters it into a payment terminal

Significant security risks.

Business is in PCI scope.

Page 11

EXISTING SOLUTIONS: CURRENT ENVIRONMENT

COMMON APPROACH #2

Employee directs customer to website to make a payment

Customer satisfaction risk.

Potential non-payment.

Page 12

EXISTING SOLUTIONS: CURRENT ENVIRONMENT

COMMON APPROACH #3

Employee transfers customer to IVR to make payment

Customer satisfaction risk.

Page 13

EXISTING SOLUTIONS: CURRENT ENVIRONMENT

COMMON APPROACH #4

Employee engages IVR and uses DTMF masking to hide payment details

Security risks exist and business is in PCI scope.

Can be expensive.

Page 14

SECURE SERVICE™ SOLUTIONS

Paymentus Solution:

• Paymentus has developed a proprietary, patented solution (Secure Service™) that is positively changing how businesses conduct phone-based transactions

Critical Success Factors addressed by Secure Service™:

Does not require additional action by customer (bill payer)

Removes call center from PCI scope (solution approved by PCI Council)

Supports continued connectivity between CSR and customer throughout service encounter

Is compatible with existing phone systems

Is easy to implement

Results in successful payment

Improves CSR productivity

Page 15

Thank You.

Jason Herbert

[email protected]