Semafone leads by example with latest Payment Card Industry Data Security Standard (PCI DSS) certification

PCI DSS Level 1 Service Provider status renewed in advance of January 2018 deadline

Semafone, the leading provider of compliance and data security solutions for contact centres, has achieved compliance with the latest Payment Card Industry Data Security Standard, PCI DSS V3.2. The certification was awarded on 16 August 2017, five months before the mandatory deadline in January 2018.

As data breaches and cyber threats continue to dominate headlines around the world, data security and risk reduction have become a top priority for all businesses, so Semafone’s new PCI DSS certification has been well received by its merchant customers and channel partners. The company has also retained its listing with Visa Europe as a Merchant Agent.

CEO Tim Critchley said, “It’s about practising what you preach. Our customers are under a significant burden to prove they are compliant with PCI DSS, and part of this is being able to demonstrate that their service providers are also adhering to the requirements.

“Our own security team has gone above and beyond to achieve the certification earlier than the 2018 deadline, and in many cases has exceeded the assessment criteria. Customers can see that our actions are consistent with our words, and that we are dedicated to providing them with rigorous data security. We’re building trust through compliance.”

Bryan Scaife, managing consultant at NCC Group, the organisation responsible for granting the certification, said, “NCC Group is pleased to confirm that Semafone has successfully completed its PCI DSS assessment as a Level 1 Service Provider, for the 4th year running. This important assessment was undertaken to certify the company’s secure voice transaction solution for contact centres and merchants that accept cardholder not present payments via telephony using its Hosted, Customer Premises Equipment (CPE) & Platform based solution.”

Key changes to the data security standards within version 3.2 will see service providers required to deliver on nine new requirements, including:

  • multi-factor authentication: the use of more controls than username and password combinations alone to protect sensitive data environments
  • increased frequency of penetration testing: service providers must test IT systems every six months to detect potential data security vulnerabilities
  • increased employee assessment: service providers must perform quarterly reviews to confirm that employees are following security policies and operational procedures

Gill Woodcock, senior director of certification programs for the PCI SSC, said in a recent blog that “all organisations should consider implementing these best practices into their environment as soon as possible, even if they are not required to validate to them. Don’t wait until your 2018 compliance assessment is on the horizon – if you haven’t started planning for these controls then start now!”

Semafone provides software to contact centres so they can take personal data securely over the telephone. Semafone’s patented data capture method collects sensitive information such as payment card or bank details and social security numbers directly from the customer’s telephone keypad for processing. This prevents personal data from entering the contact centre, which protects against the risk of fraud and the associated reputational damage, ensuring compliance with industry regulations such as PCI DSS.

The company was founded in 2009 and now supports customers in 25 countries on five continents.

Semafone is vertical-agnostic and its extensive customer base includes companies such as AXA, AO, The British Heart Foundation, Rogers Communications, Santander, Sky, TalkTalk and parts of the Virgin Group.

BT offers a hosted version of Semafone’s technology – Cloud Contact PCI. Major investors of Semafone include Octopus Investments and BGF (Business Growth Fund).

Semafone has achieved the four leading security and payment accreditations: ISO 27001:2013; PA-DSS certification for Cardprotect, its payment solution; PCI DSS Level 1 Service Provider; and registration as a Visa Level 1 Merchant Agent.