Are you Handling Customer Payments in a Compliant Way?


London Borough of Waltham Forest: A Compliance Case Study

The London Borough of Waltham Forest in North East London spans Chingford in the North, Walthamstow in the centre and Leytonstone in the South. Formed in 1965, the Borough is now home to an estimated 278,000 people.

The Compliance Challenge - Case Study:

As a large London Borough, Waltham Forest Council provides the full range of civil services, many of which entail taking payment for items such as Council Tax, Business Rates, rent and commercially oriented services.

While the Council enables residents to pay for all services online, its resolution centre is also set up to answer residents’ queries and take payments over the phone.

Business Support and Customer Service Officers, along with other teams that also process payments, respond to the full range of enquiries, from social care requests to planning applications and refuse collection times, and each officer is able to take a payment over the phone.

The Council also manages several Grade I listed buildings that can be hired for weddings and other public functions. Staff take operator-assisted payments for these bookings over the phone, which lets the Council exercise due diligence over the use of each venue.

Commenting on the Council’s responsibilities, Marcus Power, Resident Financial Services Manager, Waltham Forest Council explains, “It’s not just card data and PCI DSS compliance that we have to worry about, but also GDPR. A breach would cause significant reputational damage. As a result, we focus heavily on technology and on making sure we have measures in place to handle residents’ data in the most sensitive and secure ways possible.”

Securing the Card Data Environment:

The Council needed a way for resolution centre staff to guide residents through paying over the phone while keeping cardholder data private. All calls are recorded, so previously staff paused the call recording while a resident read out their card details, so that the details were not captured in the recording. Pausing the recording only addresses the stored audio: the agent still hears the full card number and the voice network still carries it, so both remain exposed to the data and in PCI DSS scope.

Recognising the challenges of meeting PCI DSS compliance, the Council consulted its Qualified Security Assessor (QSA) and IT and ePay services partner, Civica, to find a solution that would make handling card payments over the phone more secure while still letting contact centre staff help residents while they were on the phone.

The Solution:

To remove the risk of staff being exposed to sensitive payment data, the Council needed a mechanism that would take its data and voice networks out of PCI DSS scope. Civica helped the Council to implement the PCI Pal Agent Assist solution.

Agent Assist uses Dual-Tone Multi-Frequency (DTMF) masking. The resident enters their card details on the telephone keypad, and the keypad tones are masked so that they reach neither the agent nor the call recording; the agent stays on the line and keeps the conversation going throughout the payment, but never hears or sees the card data.
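The masking stage described above, as an added example that is not PCI Pal's, Civica's or the Council's code: a constructed 8 kHz call in which a low-level 300 Hz sine stands in for the conversation and the resident keys the public Visa test PAN 4111 1111 1111 1111. The Goertzel detector, the 20 ms frame size, the tone timings and the power threshold are all assumptions, as is replacing tone frames with silence (real products commonly substitute a flat tone). It shows why masking, unlike pausing the recording, takes the agent and the recorder out of scope: the digits only ever exist on the payment side, and running the detector again over the stored audio recovers nothing.

```python
# Added example: DTMF masking for an agent-assisted phone payment.
# Not PCI Pal's or Civica's code; frame size, timings and threshold are assumed.
import math

SAMPLE_RATE = 8000                      # narrowband telephony
FRAME = 160                             # 20 ms frames (assumed packetisation)
LOW_FREQS = (697, 770, 852, 941)        # ITU-T Q.23 row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # ITU-T Q.23 column tones
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
POWER_THRESHOLD = 100.0                 # assumed; a clean tone scores ~400 here


def dtmf_samples(key, n_samples, amplitude=0.25):
    """Row tone plus column tone for one key, as float samples."""
    for row, keys in enumerate(KEYPAD):
        if key in keys:
            f_low, f_high = LOW_FREQS[row], HIGH_FREQS[keys.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    return [amplitude * (math.sin(2 * math.pi * f_low * t / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * t / SAMPLE_RATE))
            for t in range(n_samples)]


def speech_stand_in(n_samples, amplitude=0.1):
    """Constructed stand-in for the conversation: a quiet 300 Hz sine."""
    return [amplitude * math.sin(2 * math.pi * 300 * t / SAMPLE_RATE)
            for t in range(n_samples)]


def build_call(pan, lead_in_frames=25, tone_frames=4, gap_frames=5):
    """Constructed call audio: talk, then each digit keyed with a pause after it."""
    keyed = [0.0] * (FRAME * lead_in_frames)
    for digit in pan:
        keyed += dtmf_samples(digit, FRAME * tone_frames)
        keyed += [0.0] * (FRAME * gap_frames)
    return [k + s for k, s in zip(keyed, speech_stand_in(len(keyed)))]


def goertzel_power(frame, freq):
    """Power of one frequency in one frame (Goertzel algorithm, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s_prev, s_prev2 = x + coeff * s_prev - s_prev2, s_prev
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_key(frame):
    """Key whose row and column tones are both present in the frame, else None."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    if low[row] < POWER_THRESHOLD or high[col] < POWER_THRESHOLD:
        return None
    return KEYPAD[row][col]


def mask_dtmf(audio):
    """Split the audio path the way a DTMF masking product does.

    Returns (masked_audio, captured_keys): masked_audio is what the agent hears
    and the recorder stores, with every tone frame replaced by silence; the
    captured key sequence is held only on the payment side.
    """
    masked, captured, last_key = [], [], None
    for start in range(0, len(audio), FRAME):
        frame = audio[start:start + FRAME]
        key = detect_key(frame)
        if key is None:
            masked.extend(frame)
        else:
            masked.extend([0.0] * len(frame))   # nothing of the tone survives
            if key != last_key:                 # one press spans several frames
                captured.append(key)
        last_key = key
    return masked, "".join(captured)


def luhn_ok(pan):
    """Luhn sanity check on the captured PAN before it goes to the gateway."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def agent_assisted_payment(pan):
    """End to end: what each side of the descoped call ends up holding."""
    masked, captured = mask_dtmf(build_call(pan))
    _, leaked = mask_dtmf(masked)             # re-run the detector on stored audio
    return {
        "captured_by_payment_side": captured,
        "luhn_ok": luhn_ok(captured),
        "agent_screen": "*" * len(captured),  # progress only, never the digits
        "keys_left_in_recording": leaked,
    }
```

The second `mask_dtmf` pass over the stored audio is the check a practitioner would actually run against a masking deployment: if a detector can still pull keys out of the recording, the recorder is back in scope. The Luhn check catches a missed or duplicated tone before the capture is submitted; it is a data-quality check, not a security control.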

Marcus commented: “Before implementing PCI Pal Agent Assist, operators were exposed to sensitive data when residents read out their payment details over the phone. When considering the route to PCI DSS compliance, Civica’s partnership with PCI Pal was the best option.”

Adds Marcus, “One of the great features of Agent Assist is that hardly anyone needed training. The system is intuitive, so everyone got to grips with it very quickly. It’s very straightforward.”

“The whole payment process is seamless: the card capture page changes to the PCI Pal widget and there are simple steps for resolution centre agents and other staff to follow.”

Helping Residents:

In addition to strengthening compliance, Waltham Forest reports that PCI Pal supports social inclusion by enabling its diverse community to interact with the Council and make payments over the phone while being guided through the process by an agent.

Marcus Power reports that residents have readily adopted the new telephone payment system facilitated by PCI Pal Agent Assist, “The acid test of success is if technology just works with no issues, it becomes part of the fabric immediately.”

The Council acknowledges that PCI DSS compliance is a continuous process: systems and processes need to be reviewed on an ongoing basis to minimise risk and maintain compliance across every payment channel, including ecommerce and face-to-face.

As well as aiding compliance, the implementation of PCI Pal serves to strengthen local residents’ trust in the Council’s governance, as Marcus concludes, “The introduction of PCI Pal demonstrates to residents that the Council is taking security seriously. We care about their data and protecting their payments and information.”

This was posted in Bdaily's Members' News section by PCI Pal .
