

By Rob Crutchington – Director at Encoded

Every business or merchant that accepts payment via debit and credit cards has a contractual obligation with its acquiring bank (or acquirer) to be PCI DSS compliant. The Payment Card Industry Data Security Standard (PCI DSS) was created by Visa®, MasterCard®, JCB®, Discover® and American Express® and is made up of 12 requirements designed to standardise the controls surrounding cardholder data and to help protect consumers and merchants against security breaches.


To become PCI compliant, the 12 requirements, consisting of 258 controls, must be implemented, and the cost of this to a business can range from tens of thousands to tens of millions of pounds. To many, the costs involved can be prohibitive, but there is money to be saved by undertaking a programme of reducing the scope of the cardholder data environment (de-scoping).

What is de-scoping?
To be PCI compliant, organisations have to demonstrate that they have reached a level of security awareness and competence at which the risk of losing debit and credit card data is regarded as lower than that of a non-PCI compliant organisation. De-scoping is the process of reducing the number of requirements (tick-boxes) that apply for PCI compliance. This can be achieved by passing the responsibility for handling card data to a third party. As the merchant account agreement is between the merchant and the acquirer, the responsibility for PCI compliance cannot be entirely removed; however, the amount of time and work required to demonstrate compliance can be dramatically reduced.

How to de-scope
To begin the process of de-scoping it is essential to identify where in an organisation card data is handled. This is usually the contact centre, or wherever else cardholder data is being processed. There are many options available to organisations that regularly take card payments over the telephone. For example, working with an interactive payment solutions company such as Encoded allows organisations to offer either IVR (interactive voice response) or virtual terminal payment options. Automated IVR payments reduce contact centre agent involvement and can be available 24x7x365. Virtual terminal payments allow agents to take payment over the telephone by logging into a secure online virtual terminal interface to input card details directly, or by conferencing in the customer, who uses their touchtone telephone to securely enter their card details themselves. Tokenisation is another way of keeping card data safe and out of scope of the PCI process. Tokenisation is the process of replacing card data with random numbers that, when used within a specific payment gateway, reference back to the actual card data without compromising its security. Tokens can be used repeatedly by merchants where payments are regularly made.
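As an added illustration of the tokenisation described above (example code written for this article, not Encoded's or any gateway's implementation): a hypothetical gateway-side token vault hands the merchant a random token, and the merchant's own record keeps only that token plus a masked number, so no PAN ever sits on the merchant side. It assumes an in-memory vault and that the same card always maps to the same token so repeat payments can reuse it; a real vault would encrypt its storage.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical gateway-side vault: the only place the PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not (12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:       # assumed design: same card, same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # random, carries no card data
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the gateway calls this, at the moment a payment is processed."""
        return self._pan_by_token[token]


def merchant_store_card(vault: TokenVault, raw_pan: str) -> dict[str, str]:
    """What the merchant keeps: the token and a masked number, never the PAN."""
    token = vault.tokenise(raw_pan)
    last4 = re.sub(r"\D", "", raw_pan)[-4:]
    return {"token": token, "masked": "**** **** **** " + last4}


def record_exposes_pan(record: dict[str, str], raw_pan: str) -> bool:
    """Defender's check: does any stored field contain the full card number?"""
    pan = re.sub(r"\D", "", raw_pan)
    return any(pan in re.sub(r"\D", "", v) for v in record.values())
```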

Why de-scoping saves money
Taking areas of an organisation’s business out of the scope of PCI compliance minimises the cost and complexity associated with the PCI DSS standard. As mentioned before, a PCI project can cost anything from £10k to several millions of pounds, plus there is a requirement for quarterly network scans and an annual audit. External Qualified Security Assessor (QSA) fees are typically £1000 per day, which can rule out smaller merchants and can soon add up for larger organisations. Working with a fully Level 1 PCI compliant interactive payment solutions supplier to de-scope, by removing customer card data from the process, means there is less for the QSA to audit. Therefore, by de-scoping, PCI compliance can be achieved in less time and with a much reduced price tag.

Remember, the buck stops with the merchant to ensure PCI compliance. However, whether customer card data is handled within a contact centre, via web pages or at a chip and PIN terminal, PCI compliant payment companies such as Encoded offer solutions to ensure compliance is achieved with minimum cost and maximum security.

About Encoded
Encoded is a leading provider of interactive voice response solutions and automated payment solutions. Encoded has invested in achieving the highest level of PCI DSS compliance. It holds a Level 1 Attestation of Compliance (AOC), which applies to organisations that store, process and/or transmit more than 300,000 Visa transactions per year, and it also appears on the Visa Europe Merchant Agents List: http://www.visasmerchantslist.com

All the company’s services are designed to fulfil three key objectives:

  • Reduce costs by automating business processes
  • Increase sales by offering new fulfilment channels
  • Improve customer service by maximising resource efficiency

Encoded was established in 2001 to offer affordable, pay-as-you-go solutions to the growing payment handling requirements of small and large businesses. Today, the company’s software regularly supports 30 million customers and 10 million calls globally and automates £100 million of secure payments without operator intervention.
For more information please visit www.encoded.co.uk