PCI and What It Means For You
Message from CEO Mark Rollans
Originally posted in the March issue of Texas Co-op Power.
We work for our members and our staff recognizes that. As a result, they are always looking for ways to make the member experience better.
In fact, because we're always working to improve the member experience, we survey members who have had recent contact with us to get their feedback on what we did well and what we could have done better. These surveys are done weekly, and staff gets a monthly report to review and see where we can improve. If you're one of the members who gets surveyed, either by phone or email, please give us feedback. If you think there is an area where we could have improved your experience, tell us so we can make it better for the next person in line.
One trend I have noticed when reading many of the recent surveys is members unhappy that our staff can't take credit cards, a change made several years ago. If you call to pay with a credit card, you have to do so through the automated attendant. If you come into the office, you have to swipe your card at the machine at the counter.
These changes trace back to the Payment Card Industry Data Security Standard, or what we refer to as PCI compliance, and it comes down to member protection. The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and it sets required practices for any company that stores, processes or transmits cardholder data. Compliance is not federally mandated; however, the major card brands enforce it through the agreements merchants sign to accept their cards, so a company that can't demonstrate PCI compliance can lose the ability to take those cards. If we want to accept payments through Visa and Mastercard, which we recognize is convenient for our members, we have to comply with PCI rules.
Among those rules are standards that have made it cost prohibitive for the cooperative to maintain credit card data in-house.
For example, if we want our employees to be able to take your credit card number over the phone, every call recording that could contain a card number must be encrypted and tightly access-controlled, and some card data, such as the security code on the back of the card, may not be kept in a recording at all once the payment is authorized, even in encrypted form. We record phone calls for the protection of our members and staff, and protecting those recordings to that level is an added cost. This is just one example of the added costs. Additional IT equipment and systems also would be needed, along with annual assessments to prove they are working, none of which is inexpensive.
In the end, when staff looked at the cost of all the systems that would have to be in place for the cooperative to handle credit card payments in-house, it was determined the only realistic and financially feasible solution was to use the expertise of an outside company that has made a substantial investment to meet PCI compliance standards. This means using their automated attendant to accept credit card payments over the phone: the call is not recorded, and the card number you key in goes only to that company's computer, never to our staff or our phone system. Machines also were set up in our offices for members to swipe their own card, and those machines send the card data directly to the payment company. Our staff never handles member credit cards or card numbers, and our own systems never store or even see that information, which keeps the cooperative's network out of the scope of the standard.
I know it can be frustrating not to be able to talk to a live person. It can feel like companies are moving away from a personal touch. However, our staff is always available to answer any questions you have or to help you—they just can't hear your card number or handle your credit card.
Ultimately, this protects our members and their credit card data. We have seen so many breaches in recent years, and we want to take all the steps we can to prevent such a breach. I'm not sure this explanation will make people like the process any more, but sometimes knowing the "why" makes it more understandable.
Until next time,