Interactive Voice Response (IVR) is a wonderful tool that helps businesses and their customers get more done in less time.
Because people share sensitive data over the system — personal information, patient information, credit card numbers, and so on — IVR compliance is a nontrivial consideration. The most impactful IVR regulations come from the Payment Card Industry Data Security Standard (PCI DSS) and the Telephone Consumer Protection Act (TCPA), but there are others.
I’ll cover everything you need to know about IVR compliance in this post and provide tips for finding vendors that offer the features you need to minimize your regulatory burden and simplify compliance.
Managing risk with IVR compliance
When it comes to IVRs, several compliance risks are associated with the use of tools that automate functions for boosting revenue — such as collecting payments and scheduling callbacks with prospective or existing customers.
The top risks you’ll face as an organization when accepting payments via IVR include the following:
- Data breaches: When your company accepts card payments and financial information, it becomes a prime target for hackers to steal credit card information. However, if the organization that suffers a data breach is PCI-DSS compliant, its penalties are significantly lowered due to that adherence.
- Legal action: Data breaches can result in legal action from all affected parties (including credit card companies), which can be very costly and punitive.
- Complaints and disputes: Improper routing and long call wait times can lead to many unsavory outcomes, especially when money is involved. This dissatisfaction can cause customers to abandon calls in frustration or even switch to competitors.
- Negative brand perception: One of the main intangible losses a business can face is irreversible damage to its reputation, which is what a data breach caused by lax IVR compliance can inflict.
- Compliance issues and penalties: Failing to adhere to PCI-DSS standards can result in hefty fines, increased transaction fees, or even the loss of the ability to process credit card payments.
The major credit card companies, namely MasterCard, Visa, Discover, and AMEX, formed PCI SSC, and they are the ones who dole out fines for violations. For instance, failure to meet PCI-DSS compliance requirements for over seven months can cost up to $100,000 per month.
Additionally, more specific penalties include penalties of $5,000 per month (for low-volume clients) and $10,000 per month (for high-volume clients) if the non-compliance is between 1 to 3 months. If the non-compliance is between 4 to 6 months, the penalties jump to $25,000 per month (for low-volume clients) and $50,000 per month (for high-volume clients).
It is important to note that these violations aren’t the same as those imposed by government regulations. With IVR compliance, card brands will impose fines on the payment processor for violations, who, in turn, penalize the responsible merchant.
Keep in mind that most risks and penalties can be managed and absorbed relatively easily by institutions like large banks, but if you are a small business, it could lead to bankruptcy. To mitigate the risks, it’s a good idea to incorporate or implement the built-in compliance features of many IVR services.
Encryption and data loss prevention measures
You must ensure that credit card information is never transmitted across the network in plain text. It is incumbent upon contact centers to mandate that financial data must be encrypted in use, transit, or at rest.
Furthermore, point-to-point encryption (P2PE) standards, which are a comprehensive list of security requirements, must be implemented by P2PE providers.
Adhere to PCI DSS and other security best practices
IVR platforms must implement appropriate data retention policies that won’t jeopardize your customer information. For instance, while handling credit card payments, sensitive authentication data such as CVV/CVV codes cannot be stored after authorization.
Moreover, call centers must not store any card data and therefore need to dispose of all stored credit card information.
Use an IVR with built-in compliance solutions
If you lack the resources or time to build a secure system infrastructure yourself, embracing an existing IVR-compliant payment platform is a viable option.
You’ll most likely want to seek a PCI-compliant hosted IVR service provider that implements secure payments — because, apart from taking care of various delivery aspects, one of the advantages is that it removes the need for live agents to handle sensitive card information. In this descoped environment, you eliminate the risk of data breaches caused by mishandled sensitive information.
Of course, you’ll also want your solution to be cost-effective and easy to deploy. Check out my guide to IVR pricing if you are unfamiliar with these products — divining the true cost of these systems can be a little confusing.
In any case, finding the right IVR provider for you comes down to investigating the following six prospective features.
SEE: Learn why you should use a hosted IVR rather than hosting your own.
Six important features for IVR compliance
1. Compliance certifications
I thought about not including this on the list because it’s common sense — but this is a post about compliance, so I am not taking any chances.
It’s crucial to confirm the provider holds the necessary compliance certifications to ensure secure and lawful operations. Key certifications to look for include:
- PCI-DSS (Payment Card Industry Data Security Standard).
- ISO 27001 (International Organization for Standardization – Information Security Management).
- SOC 2 (System and Organization Controls 2).
- GDPR (General Data Protection Regulation).
- CCPA (California Consumer Privacy Act).
For healthcare-related use cases, HIPAA (Health Insurance Portability and Accountability Act) compliance is especially important. The business phone service or IVR provider must be prepared to sign a Business Associate Agreement (BAA) to ensure the protection of sensitive health information.
If the vendor is unwilling to sign a BAA, it won’t matter how secure their system or access controls are. See my full post on how to find HIPAA-compliant VoIP for a full breakdown of organizations that need to consider.
2. Secure payment gateways
Ideally, the IVR should integrate seamlessly with a payment gateway your organization already uses, as this minimizes implementation complexity and ensures consistency in handling transactions. Familiar systems reduce the learning curve for your team and help maintain existing compliance workflows.
If the IVR requires switching to a new payment gateway, ensure the provider offers robust support, clear documentation, and evidence of their PCI DSS compliance to make the transition as smooth as possible.
Using a different payment gateway isn’t necessarily a disadvantage but can introduce challenges. You’ll need to assess the gateway’s compatibility with your existing infrastructure, its ability to tokenize and secure payment data, and the impact on descoping efforts. Additionally, verify that the new gateway can handle your transaction volume and meets the specific compliance needs of your industry or region.
SEE: Check out the best payment gateways to learn more.
3. PCI DSS descoping options
A compliant IVR system should offer features that facilitate “descoping” by keeping sensitive payment data out of your internal environment.
In practical terms, descoping simply means separating customer card and financial information from your company’s system so the excluded ecosystem is no longer “in scope.” This mitigates and minimizes the risk of card fraud by detaching your company’s infrastructure from customer card information.
Using a payment gateway is a good start, but there is more you can do, and it will be easier with some IVR systems than others. Key options to look for include:
- Call recording with redaction for call centers that can be configured to automatically redact or mask sensitive payment information.
- DTMF masking to obscure payment details during entry.
- Fraud prevention tools to identify and block fraudulent transactions before payment data is processed.
- Tokenization to replace cardholder data with non-sensitive tokens.
Be aware that IVR systems with limited integration options can complicate descoping efforts by requiring manual handling of sensitive data. Without seamless integration with secure payment gateways or tokenization services, these systems may increase the burden of compliance rather than reducing it.
4. Audit and reporting features
Comprehensive logs should be maintained for all interactions, ensuring that every customer engagement, especially those involving sensitive data, is traceable and accountable. These logs provide a valuable audit trail for internal and external reviews, ensuring transparency, and maintaining compliance with GDPR, PCI DSS, and other regulations.
Look for IVRs that allow you to customize and automate reports, which will simplify the compliance process. You’ll be able to track exactly what you need, ensure adherence to security protocols, identify potential compliance risks, and highlight areas needing attention.
In a compliance-driven environment, comprehensive audit and reporting capabilities are essential for IVR systems.
5. DNC compliance
Do Not Call (DNC) compliance is a critical aspect of regulatory adherence for any business involved in telemarketing or automated customer outreach with an outbound dialer. Under regulations like the U.S. Telephone Consumer Protection Act (TCPA) and similar laws worldwide, companies must ensure they do not contact individuals who have opted out of receiving marketing calls.
IVR systems can help businesses manage this compliance by incorporating features that screen outgoing calls against DNC lists in real-time. This ensures that no calls are made to numbers that appear on these lists, helping avoid significant fines and penalties.
While outbound IVR systems are primarily responsible for DNC compliance, inbound systems can also play a role in confirming whether a customer has requested to be added to the DNC list during interactions. For businesses that rely on automated call systems for marketing or outreach, ensuring DNC compliance through IVR features like automated list matching and real-time updates is essential for reducing risk and maintaining a good relationship with customers.
SEE: Learn why agents replaced by outbound IVR aren’t mad about it.
6. IVR accessibility features
IVR systems must be designed to be accessible to all users, including individuals with disabilities, to ensure full compliance with accessibility standards. This will be more important for contact centers with an IVR that includes channels like live chat.
Ideally, the vendor you choose will offer tools that help you ensure that the IVR system follows WCAG (Web Content Accessibility Guidelines) standards, such as providing voice prompts, clear navigation, and screen reader compatibility, helps meet legal requirements and provides an inclusive user experience.
