IVR Payment Processing

Why Using IVR Software for Payment Processing Makes Sense

It’s no secret that, historically, interactive voice response (IVR) gets a bad rap. How can a technology that is so naturally intuitive, like voice, become so frustrating for so long? Much of this criticism boils down to blaming technology for human design problems. Companies that take the time to optimize and improve their IVR system, rather than employing a “set it and forget it” approach, yield significant benefits.

One area of business where IVR can have a huge impact is on payment processing. There are a number of reasons for this, several of which are addressed in this blog. In order to set the stage for IVR discussion, a few broader topics receive attention as well, including:

Processes: It’s helpful to understand, in general terms, what the major players and processes are in a credit card transaction.

Security: Security is a critical aspect to generating value from IVR payments.

Voice Self-Service: We’ll look at voice self-service and how some companies use it in conjunction with live agents.

Then, we’ll turn our attention to a specific industry example that combines all of these elements. This will be followed by an examination of how IVR can help protect businesses against unforeseen problems with the payment process by looking at chargebacks as an example.

We’ll wrap up by offering some suggestions for improving customer experiences for over-the-phone payments that don’t require you to touch your IVR at all, but will still make it an easier payment channel for end-users.

We’re not suggesting that over-the-phone payments will replace other payment channels. That’s not the case at all. Instead, this blog demonstrates the value that IVR payment processing brings to businesses and how it functions as a critical component in a broader payment processing portfolio.

How Credit Card Payments Work

Have you ever wondered what happens after someone swipes a credit card—how, exactly, does the payments process work? Truth be told it’s a complex and confusing process. Understanding how the process works puts you in a better position if something goes wrong and enables you to resolve issues faster by going directly to the root cause.

There are a lot of moving parts when it comes to the credit card payments process (Note: things are a bit different for debit cards). As a business your goal is to get as many payments completed as possible and you don’t want to waste valuable time figuring this stuff out after the fact.

Payment Processing Touch Points

There are six different touch points in the payments process.

  1. Acquirers: These are the infrastructure companies and oftentimes banks. They help get merchants set up in the payments process. This includes providing point of sale (POS) terminals.
  2. Processors: These companies are responsible for actually transmitting transaction data between different entities in the payments process. Some acquirers double as their own processors.
  3. Card Issuers: Again these are banks, but these are the ones who manage the credits and debits on credit card accounts. Some banks function as all three, acquirers, processors, and issuers, but there are enough different issuers that don’t perform those other functions to keep them as a separate category. The main point here is to understand what role(s) your bank plays in your payment process.
  4. Card Networks: In the U.S., the two big card networks are Visa and Mastercard. These companies function like traffic cops in the payment process directing information between different entities. They also set rules and fees around card usage, including security like the PCI-DSS standard.
  5. Infrastructure Middlemen: Acquirers tend to deal with sure bets in order to mitigate risk. However, there are tons of small businesses that need merchant infrastructure for accepting payments. The companies that provide these services to other merchants that acquirers won’t are basically infrastructure middlemen. They tend to work directly with the card networks to get merchants up and running.
  6. Payment Gateways: These are interfaces for processing payments online or over the phone. Essentially if you don’t have a brick and mortar store and don’t physically process credit cards, you’d need a payment gateway for each channel you use to process credit cards. Processors may provide a payment gateway to a merchant.

Of course, there’s always the caveat that some bigger companies might control multiple roles in the process, but when thinking about a typical credit card payment, the process generally looks like what we’re talking about here.

The Work Flow

Is there a more frustrating message to receive when making a payment than “card denied”? Without authorization you’re stuck between a rock and a hard place. Before any money is moved, a payee needs their card authorized to complete the transaction. Here’s what that process looks like:

  1. Customer swipes their card at the POS terminal or enters it into a phone self-service gateway to request permission on behalf of the merchant.
  2. The merchant then passes the request on to the acquirers and the processors.
  3. The acquirers and processors pass the request on to the card network (e.g. Visa, Mastercard).
  4. The card network then passes the request to the bank that issued the card. Here is where the card is checked against fraud activity, account balance, etc. The issuing bank approves or denies the request, and the decision is then relayed back downstream.

The whole process only takes a few seconds. At this point no money has changed hands, the merchant simply received permission to charge the payee’s card for the amount requested.

Batch Processing

As you can imagine, processing every single transaction as it happens isn’t the most efficient way to go about moving money around. It does happen sometimes, notably with debit cards, but those are a slightly different animal.

We’re talking about credit cards here, and what happens is that a merchant compiles all their transactions at the end of the day and aggregates them into a single batch. This batch of files follows the same upstream chain that the authorization request does.

The primary difference is that the batch file includes transactions from a ton of different card issuers. Once the batch hits the card network, Visa, for example, then breaks the batch down into its component card issuers and sends each bank the transactions it is responsible for. At this point, it’s hours after the original transaction took place and the money still isn’t moving yet.

Moving Money

Once the issuing banks have their respective transaction batches, they can start moving money around. As you might assume, every entity involved with a transaction charges a fee for doing so. Here’s an example of where that money goes.

  1. The bank takes out a fee for processing the transaction and sends the balance to the card networks.
  2. The card networks take their fees out of those funds and send the balance, sans fees, to the acquiring bank.
  3. The acquiring bank takes out their fees and sends the balance to the merchant.

Knowing which entities charge fees and at what rates enables companies to shop around to find the best service and rates based on their payment volume.

Technical Considerations

Companies that leverage payment gateways for card-not-present transactions need to ensure that their front-end technology will play nicely with their payment gateway. Opting for a solution that is payment gateway agnostic ensures that your payment channel will be able to connect to any payment gateway. That means that you can bring your own gateway or change it at will without altering end-user’s customer experience.

What It Takes to Be PCI-Compliant

If your company does or is thinking about processing credit card payments, whether it’s a single transaction or millions, it’s wise to ensure that those payments go through a PCI-DSS compliant environment. PCI-DSS is a set of security standards established by the leading credit card companies, e.g. Visa, MasterCard, American Express, and Discover.

To be clear, there are a number of different devices and technologies that require security. These include card readers, point of sale systems, networks and wireless access routers, payment card data storage and transmission, and online payment applications and shopping carts.

Whether your company falls into one or multiple of these categories, it’s worth achieving and maintaining PCI compliance to not only better protect customers and their important financial data, but also to reduce payment processing risks for your company.

Getting Started

Typically, the road to PCI compliance starts with a phone call. That call is placed to an IT security company that guides the PCI compliance process. It’s important to find a company that is a certified PCI assessor for this type of work to ensure optimal results. Fortunately, the folks at the PCI governing body have a searchable database of licensed companies that perform these services around the globe.

After finding a company to help direct the process, an individual assessor comes to begin the audit of the technology environment. With PCI, the requirements for compliance are codified. Following the initial audit, the assessor issues a Report on Compliance (ROC), a two hundred page document that indicates which aspects of the technology environment meet the PCI standard and which do not.

Some of the broad headings that the ROC covers include:

  • Firewall and router configurations
  • Change passwords on all components from vendor-supplied defaults
  • Protecting card holder data, e.g. not storing authentication data after authorization
  • Use of strong and secure encryption when transmitting data over open or public networks
  • Keeping third party software up to date with appropriate patches, bundles, etc.

All of these items each have several pages of detailed requirements that must be met.

Compliance Factors

It should come as little surprise that the technological and security requirements for PCI compliance are extensive. With the ROC in hand, a company must then begin the process of bringing the areas that are not compliant up to standard.

So, what kinds of things does a PCI assessor need to certify an environment as compliant? Assessors evaluate the way in which users access the environment. This includes how many layers of authentication one has to go through. For example, an authorized person might have three or four different layers where they need to enter a password to gain access to the environment. It’s not a bad idea to bolster the login process with additional authentication steps, such as those available with something like Google Authenticator or similar software.

The process also includes a thorough scan of the environment, including firewalls. They look at actual network architecture schematics and make sure that companies have a documented recovery plan in place in the event that something happens to the data or the physical servers, i.e. they’re destroyed in a fire or some other unplanned or unexpected event.

The physical location where the environment servers are stored needs to be PCI-compliant as well. This means that access to the physical servers needs to be restricted with lock and key, or electronic locks that work with security badges. Points of egress and ingress must be under video surveillance at all times. PCI requires limiting access to any devices in the PCI chain to relevant personnel. It probably doesn’t make sense for the executive assistant or intern to have access to the PCI environment because it’s not part of their job function.

If a company keeps their rack servers in their office, then the office itself needs to meet the PCI requirements in terms of physical security and access to those devices. If a company’s servers exist in a data center somewhere off site, then that data center needs to be PCI-compliant as well.

An Annual Tradition

PCI compliance isn’t simply a one-and-done task. The PCI standards are constantly evolving to keep up with best practices vis-à-vis technology. Therefore, it’s necessary to audit the environment every year. In total the PCI compliance process takes anywhere from 2–3 weeks to several months to complete so a considerable deal of planning and coordination goes into the audit process.

During an audit, an assessor observes the way people access the environment, at times literally watching over the shoulder of a system engineer to ensure everything is up to standard. The assessor also tries to gain access to the system, in essence to hack into the system in an attempt to uncover weaknesses.

At the end of the audit, and assuming the environment meets PCI standards, the assessor issues an Attestation of Compliance (AOC) that the company can then use to prove the security of their technology.

In addition to the annual audit it’s necessary to scan your own system monthly for documentation purposes. Above and beyond these internal scans, companies that want a PCI environment must have quarterly external scans as well. This means hiring a licensed IT security firm to essentially hack your environment and document their findings.

It Takes a Village

In order to ensure the process progresses efficiently companies should invest in a project manager dedicated to compliance or a compliance officer. A considerable amount of documentation goes into PCI compliance, and having someone in place to track and manage that documentation is a virtual necessity.

In addition to administrative needs, it takes a whole host of people to establish and maintain a secure PCI environment. This includes network engineers, systems engineers, software engineers, external auditors, and lawyers for any legal documentation. It’s true that these individuals don’t need to commit 100% of their time to PCI compliance, but they all play critical roles in the maintenance of a PCI environment.

When thinking about the cost of obtaining PCI compliance, the audit itself typically costs upwards of $10,000, but that doesn’t include the personnel costs associated with all of the contributors to the process. There is also the cost of hiring an external security firm for quarterly system scans. On top of this, PCI requires background checks on anyone who enters a PCI environment, so factoring in the time and funds for that is important as well.

Not a DIY Task

While some people may think that obtaining PCI compliance is a mere formality, in reality it is a time and resource intensive process.

The PCI merchant levels correspond to the volume of credit card transactions a company engages in on an annual basis. The levels range from 1 (highest) to 4 (lowest) and the technological and security requirements increase with each one.

[Chart: PCI merchant levels]

Chart key: QSA = Qualified Security Assessor; ASV = Approved Scanning Vendor; SAQ = Self-Assessment Questionnaire

Fortunately, here at Plum Voice we go through the lengthy and complicated compliance process so that our customers don’t have to. Our Plum Fuse platform is merchant level 1 PCI-compliant. That means that if a company wants to process payments over the phone, but doesn’t have (or want) to go through the PCI compliance process, it can do so by simply using Plum Voice, thereby gaining the benefit of best-in-breed voice communications technology and PCI compliance.

Why IVR Makes A Lot of Sense for Payments

Customers Don’t Like Hidden Fees

A recent Gizmodo article highlighted the fact that some telecom companies charge customers high fees for paying their bills over the phone with a representative. Depending on the company, these fees ranged from $5 to $8 per transaction. With the large customer bases these companies have, those fees could result in millions of dollars in extra revenue.

You can imagine this would be like going to a grocery store where the self-checkout was free, but having an employee scan and bag everything for you had a $5 fee attached to it.

Why Companies Don’t Want Agents Processing Payments

You can make your own assessment of the merits of this approach, but without pointing fingers it might be worth thinking about why companies are doing this. 

It’s very expensive and time-consuming to get a contact center of live agents PCI-compliant. There are a number of potential security risks when agents handle customers’ sensitive financial information. For example, employees may record credit card numbers and then be careless with disposing of those records. Or, even worse, employees could collect credit card numbers and use them or sell them to others.

It’s also expensive to have agents helping customers with rote tasks that can be done more easily through automation. The cost of having an agent process a payment can be $5, or more, per transaction. Conversely, automating the same process using IVR costs pennies on the dollar. All of a sudden, those extra fees start to make a lot more sense from the company’s perspective.

Understand What Customers Want and How to Deliver It

Customers often assume it’s safer to have another human process their payment because the agent can confirm that the payment went through while they’re still on the call. If something goes wrong, they can deal with it right away instead of having to call back or re-do the payment process. The thought process typically follows the line that dealing with an agent in the first place may take a bit longer, but is less frustrating than dealing with a machine.

But given the security risks involved with agents processing payments, the onus falls on companies to 1) Do a better job of offering fast, secure, automated payment options over the phone, and 2) Educate all of their customers about how the process works and why automation is more secure than giving your credit card information to a total stranger.

Embrace Customer Self-Service

Here at Plum, we make solving the first problem easy. With our Fuse platform, companies can use our pre-built payment processing application. Fuse is PCI-compliant so customer data is always secure. Our payment app is optimized using years-worth of data to ensure the payment process over the phone is easy, fast, and efficient.

Companies concerned with PCI-compliance likely already know why it’s so important, and therefore, already have the tools and information to re-package that information in a customer-centric way.

A Better Way

Implementing self-service payments helps speed up the payment process for customers and also helps agents by reducing overall call volume. This means that agents spend less time on rote tasks and can, instead, focus more on resolving more complex issues, without having to worry about a full call queue.

Delivering Great Customer Experiences Transcends Industries

The World of Healthcare Billing

A recent article from Advance Healthcare Network highlighted some of the issues that exist in the world of healthcare billing and offered a number of specific areas where healthcare companies can focus their energy to create a better experience for patients.

This article shows that no solution exists in a vacuum. But that just means looking for a single cure-all is a waste of time. The most salient recommendation for making the billing process more customer friendly is to provide practical payment options.

Consider Your Payment Channels

When it comes to the actual payment process there are a lot of different options that healthcare companies can offer to patients. Here’s the kicker though: in order to deliver a truly exceptional customer experience companies have to offer payment options through every channel.

Big companies with lots of customers need to be able to cater to all their customers’ preferences. Limiting payments to one or two channels means longer remittance times and having less cash-flow available. If the goal is to process more payments, faster, then limiting payment options runs counter to that goal.

Advantages of Voice

For this reason, adding or upgrading your voice payment channel warrants serious consideration. One of the benefits that voice offers is familiarity; it’s a trusted and reliable communications medium. That counts for something, especially when it comes to ease of use.

Customers may not want to have to create an account or remember yet another login and password, but everyone knows how to work a phone. And while not everyone may have easy internet access, virtually everyone has access to a phone.

Another thing to consider when offering a phone payment option is that nowadays the PSTN is all digital anyway, which means that for backend processes no one channel is inherently “easier” to use than another.

Choosing an IVR solution for over-the-phone payments makes a lot of sense.

  • First, removing humans from payment transactions reduces the risk of fraud. That’s not an indictment of anyone’s employees. But eliminating even the temptation makes an automated voice channel option a better alternative to having agents manually process payments.
  • Second, while on the topic of security, Plum’s platform is both PCI and HIPAA compliant, making it easy to deliver the type of data protection that customers–and outside oversight bodies–want.
  • Third, an IVR is a lot cheaper than using agents; pennies on the dollar cheaper. For rote processes like payments, use an IVR so your agents can handle more complex issues that require human intervention.

As healthcare companies seek to create a better, simpler customer experience when it comes to bill collections, it pays—literally—to provide customers/patients with bill pay options that fit their needs. Adding an over-the-phone payment option is a cost-effective way to process payments quickly while giving customers a reliable, familiar communications medium.

How IVR Can Protect You against Payment Processing Snags: The Case of Chargebacks

What Are Chargebacks?

A chargeback is when a bank forces a company to refund a received payment. Granted, there are times when a chargeback is understandable, like in cases of fraud. But just because a chargeback is justified doesn’t mean it’s any less of a hassle for the company that has to deal with it.

At the same time, let’s not pretend that all chargeback requests are created equally. Situations may arise when a company wants to challenge the legitimacy of a chargeback request. Therefore, companies need a record of the charge approval in order to have a leg to stand on. But if people are paying over the phone, how, exactly, can they generate good supporting evidence?

Complete Call Recordings

One method is to record calls where someone makes a payment over the phone. With the right technology you can limit the recording to the most important part of a call–the actual transaction. A good call recording captures all the audio heard on the call as it happened. This includes the prompts that callers heard, any speech the caller said, and all the buttons the caller pressed—in short, everything.

Easy Setup in Plum Fuse

To make effective use of this information companies need to set up a database on their end to house these recordings. Plum Fuse doesn’t store any information after a call ends. Once a call hangs up any information input or created for that call is deleted automatically. Therefore, you need to make sure you have a web service set up that can send the recording to your company’s database. If you’re capturing a complete call, simply put the web service call out (either a SOAP or REST module in Fuse) in the call-flow before the call terminates.

It’s possible to capture multiple sections within a call as well. In this case, you’d need to bookend the section you want to capture with start/stop Call Recording modules. Additionally, you need to send the recording to your database via a web service before the next recording session begins. Fuse apps can only hold one recording at a time so if you start a new one before sending off the old one, the old one will be overwritten.
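The ordering rules from the two paragraphs above, written as a check you could run over a call-flow design before it goes live. This is an added example, not Plum's code: the step labels and the flat list representation of a call flow are assumptions made for illustration, not Fuse module identifiers, and the sample flows are constructed.

```python
from typing import List, Optional, Tuple

# Constructed shorthand for call-flow steps; these labels are this example's
# own, not Plum Fuse module identifiers.
START = "start_recording"
STOP = "stop_recording"
SEND = "send_recording"   # web service call (SOAP or REST) that ships the audio
HANGUP = "hangup"

Finding = Tuple[int, str]  # (step index, problem description)


def check_recording_flow(flow: List[str], whole_call: bool = False) -> List[Finding]:
    """Report recordings that a linear call flow would lose.

    whole_call=True models capturing the complete call (no start/stop steps).
    whole_call=False models sections bookended by start/stop steps.
    Any step label other than the four above is treated as ordinary call logic.
    """
    findings: List[Finding] = []
    is_open = False                                      # a section is being recorded now
    held: Optional[int] = 0 if whole_call else None      # step where the unsent recording began

    def lost_at_end(step: int) -> None:
        # Nothing survives the end of the call, so anything still held is gone.
        if is_open:
            findings.append((step, f"section started at step {held} has no stop step"))
        if held is not None:
            findings.append((step, f"recording from step {held} is never sent; "
                                   "it is deleted when the call ends"))

    for step, kind in enumerate(flow):
        if kind == START:
            # Only one recording is held at a time: a new start replaces it.
            if held is not None:
                findings.append((step, f"recording from step {held} is overwritten "
                                       "before it is sent"))
            is_open, held = True, step
        elif kind == STOP:
            if not is_open:
                findings.append((step, "stop step without a matching start"))
            is_open = False
        elif kind == SEND:
            if held is None:
                findings.append((step, "send step with no recording to send"))
            elif is_open:
                findings.append((step, f"send step placed before the stop for step {held}"))
            else:
                held = None
        elif kind == HANGUP:
            lost_at_end(step)
            return findings

    lost_at_end(len(flow))  # flow ended without an explicit hangup step
    return findings


# Constructed sample flows.
GOOD_SECTIONS = ["greeting", START, "confirm_amount", STOP, SEND,
                 "menu", START, "authorize_payment", STOP, SEND, HANGUP]
OVERWRITTEN = ["greeting", START, "confirm_amount", STOP,
               START, "authorize_payment", STOP, SEND, HANGUP]
NEVER_SENT = ["greeting", START, "authorize_payment", STOP, HANGUP]
WHOLE_CALL_OK = ["greeting", "authorize_payment", SEND, HANGUP]
WHOLE_CALL_UNSENT = ["greeting", "authorize_payment", HANGUP]

if __name__ == "__main__":
    for name, flow, whole in [("good sections", GOOD_SECTIONS, False),
                              ("overwritten", OVERWRITTEN, False),
                              ("never sent", NEVER_SENT, False),
                              ("whole call ok", WHOLE_CALL_OK, True),
                              ("whole call unsent", WHOLE_CALL_UNSENT, True)]:
        print(name, check_recording_flow(flow, whole_call=whole))
```

A finding here means the chargeback evidence for that part of the call would not exist in your database, so each one is worth fixing before the flow handles real payments.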

Once you have these recordings, you can organize and archive them as you see fit.

It’s worth bearing in mind that Plum Fuse is a PCI-compliant platform, so no matter what, sensitive customer financial data is safe and secure.

Analog Solutions for Easier Phone Payments

The true test of how effective your IVR solution is often lies in the containment rate. This corresponds to how many callers use, or are contained within, the IVR for the entirety of their transaction. That means not abandoning the IVR to speak to a live agent.

Now IVR technology is a huge boon to payment processing. It gives people an easy-to-use, easy-to-understand payment channel that is available 24/7/365. Companies can set up their IVR to be as user-friendly as possible, but there are still some factors that lead callers to hit the ole zero button and transfer out to speak with a live agent.

Luckily, with VoiceTrends, it’s easier than ever to identify bottlenecks and trouble areas in your IVR. But even when you know where callers are bailing out of your IVR, it isn’t always clear why they’re doing so.

Here are some common “whys” that we’ve found over the years.

Get Clear

Let’s think about the workflow that callers go through to make a payment. Typically, they receive a paper bill in the mail, and then call your IVR to make a quick payment.

To ensure that your system processes everything correctly it’s necessary to have the caller input some sort of identifying information. This can be anything along the lines of a customer number, an invoice number, or an account number.

One of the biggest problems that callers have is that when they call, they spend too much time looking for the necessary information on the actual bill. What ends up happening is that the IVR times out before they find it. Depending on the IVR’s default behavior this could result in looping the caller back to the main menu, or it might even terminate the call.

The next step is to call back and re-do the whole transaction, or simply transfer to an agent. Neither of these presents a good customer experience.

To get around this problem, make sure that the necessary information is clearly indicated on the paper bill. Using a bold font for the most important information is a great way to draw attention to it.

It’s important to make sure that the language you use is consistent between the actual bill and your IVR. Don’t call the same piece of information an account number on one and a customer number in the other.

Get Organized

Another analog solution, related to the clarity issues, revolves around organization. Think about what customers see when they look at their bill. Place all the relevant payment information right next to each other, e.g. total due, phone number, identifying information, etc.

If the bill total is listed in the top right corner, the customer information in the bottom left corner, and the phone number and website are listed on the back of the bill then customers tend to have more trouble completing transactions.

Put ALL that information in the same corner, on the same side of the bill to make the payment process easier. It’s even a good idea to list those pieces of information in the same order on the bill that your IVR asks for them.

This is another place to make sure you have consistency across all your payment channels. Ask for the same pieces of information in the same order regardless of whether customers are paying by phone, the web, or any other channel.

Get The Message Across

As a payment processor, you want customers to pay bills as quickly as possible because that translates to more cash flow for your company. One way to ensure that customers pay bills before they become delinquent is with automated, proactive notifications.

Using messaging, either SMS or MMS, for this type of communication not only has a high engagement rate, but it’s also easy to set up and integrate directly with your IVR. Messaging is also very cost-effective.

Just make sure that the information you present to customers via text message is consistent in terms of content and structure with the rest of your billing system.

So, there you have it. Three different strategies—two analog, one digital—that help you deliver a better customer experience for your IVR payments application without having to lay a single finger on the IVR itself. We’ve seen customers with containment rates in the 50-60% range jump all the way up to 90% simply by making these types of changes.

Getting Started with IVR Payment Processing

There are a lot of ways and reasons that companies can utilize and benefit from IVR payment processing. Whether your company is looking to reduce development time, to improve customer experiences, to increase the number of completed payments, to build out your payment security portfolio, or many other reasons, IVR payment processing can help.

Fortunately, Plum Voice makes getting started with IVR payment processing a very easy process. With an industry leading security portfolio, production-ready payment processing apps, and an agnostic platform that integrates with any payment gateway, you can be up-and-running in days.

To learn more about Plum Voice and IVR payment processing, visit:
