This company, based in Madrid, is a telecommunications operator specialized in secure credit card payments via IVR on telephone calls and in compliance with the PCI DSS standard. It has just received a concession from the Barcelona City Council for the next two years, extendable for another two years, with a very competitive offer based on its comparative technological advantages.
Press release published in EuropaPress
For four years now, it has been possible for the citizens of the municipality of Barcelona to pay their municipal taxes and fines through a very simple and effective mechanism that is very much in tune with the times. A call is made to the 010 telephone number, the bills to be settled are indicated and that’s it.
But this means that the user of this service must give a series of personal data to an unknown person. These data (mainly name and surname and credit or debit card number) are essential to perform the operation. Yet even if the name of the company seems very reliable a priori, and even if we know that the company is listed on the IBEX35, we must know that this operator should never ask for the card data, least of all when the procedure is with a public administration, and that it is mandatory to use a machine with IVR technology that is PCI DSS certified specifically for telephone collections, because disclosing the data can not only put your privacy at risk but also facilitate an illegitimate use of your card. How is this dilemma resolved?
Everything has been invented, and the mechanism to give our most sensitive data over the phone without fear of it being used fraudulently also exists: it is called PCI DSS, and it is the solution that any public institution and private company that handles this type of data will have to adopt sooner rather than later. The company Pay by Call successfully applies it in the case of Barcelona taxes, and at a very competitive cost.
The technology behind it
But before we go any further with the news, let’s clearly explain the crux of the matter, i.e., where the problem lies and how it is solved. To see this clearly we will begin by adopting the perspective of the citizen who has a municipal tax to pay and decides to do so through the municipal telephone service created for that purpose.
When calling 010 we will talk to an application, that is, an interactive voice response (IVR) system, to which we will state the concept and the amount we want to pay. If we decide to make the payment immediately, the application informs us that we are going to use what is usually called “automatic payment system by phone”.
The application ends the call and immediately (in less than five seconds) we receive another call. In it, the application asks us to confirm our identity and the concept and amount indicated before, and now it asks us for our credit card information, which we can type in our terminal or say out loud.
The application then contacts the corresponding bank to verify the transaction (if this is not possible, it will inform us of the reason at the same time) and the transaction will be completed. This is made possible by the PCI DSS standard, which is based on a stringent security protocol with no human intervention or data recording.
PCI DSS: the coming storm
Let’s dig a little deeper. PCI DSS stands for Payment Card Industry Data Security Standard and is precisely that, a security standard to prevent fraud with these financial instruments at any point in the payment chain.
The standard has been put in place by a consortium of well-known providers of such services, including Visa, Mastercard and American Express. This consortium requires any public or private institution working with credit cardholder data to adhere to the twelve rigorous security requirements that make up the protocol.
What happens if this protocol is breached? The consortium applies heavy penalties (which can be financial, up to €300,000 or even higher, depending on the breach, number of customers and time during which the breach lasted, or even the withdrawal of the permission to use a POS) to the bank that has managed the transaction, which in turn passes the penalty on to the end customer, whether the holder of a POS or, as in the present case, a public administration.
The storm is brewing: today, many private corporations, some from the IBEX35, as well as public administrations do not comply with the requirements of the PCI DSS standard, and offer the automatic card payment service over the phone in an insecure manner. In fact, Barcelona was the first municipality in Spain to comply to the letter with this regulation and one of the few, counted on the fingers of one hand, that currently complies with PCI DSS in its collections through telephone transactions.
Pay by Call award, a question of economics
We return to the news that has motivated this article: the award of the contract for the management of this service by the City Council of Barcelona to the company Pay by Call, SL for the biennium 2022/23. The most striking aspect of the tender for many has been the budget that this specialized company has managed to offer, less than 150,000 €/year, which is more than 10% below the price of the rest of the bidders.
The reasons offered by Pay by Call are clear, and have to do with a significant technological difference. “Our infrastructure is cloud-based, which allows us to optimize resources and adapt better: our annual costs of maintaining PCI-DSS certification compared to an on-site technology are lower by one-third. In addition, our client portfolio allows us to reduce costs while guaranteeing a quality service.”
This company was spun off from its parent, Quality Telecom, in 2019, when two executives of the subsidiary carried out a significant capital increase through which they acquired 90 % of the company. This share will be increased with the purchase of the remaining 10 % from Quality Telecom until it controls 100 % of the capital in 2022. With this award, the company (which also has private clients such as Naturgy, Mercadona, Balearia or Spanish Red Cross, among others), which had already been providing the service for the Barcelona City Council since 2019, will provide the service to the people of Barcelona until the end of 2023, with the possibility of obtaining a two-year extension until 2025.
An agile citizen service, in four languages and available 24 hours a day. But above all, a secure service, emphasizes Pay by Call. “It is incomprehensible that this is still happening in most of the public organizations in this country and in the vast majority of private companies, in a situation of insecurity for the user, aggravated even more if possible by the COVID pandemic situation due to the generalization of telework of the teleoperators of these organizations in charge of making telephone collections that are being made from their own private homes.”