Transact (PCI) – Frequently Asked Questions
Transact Overview
What is Aiphoria Transact?
Aiphoria Transact is a PCI DSS Level 1 compliant solution that allows organizations to take secure payments over the phone or digital voice channels (voice IVRs, live agents, chat, SMS) without exposing sensitive cardholder data to agents, recordings, or infrastructure. It helps organizations remain out of PCI DSS scope by removing card data from their environment.
How does DTMF suppression work?
When customers enter their card details using the keypad, DTMF tones are automatically suppressed so the information is not accessible to agents or call/audio recordings, thereby maintaining PCI compliance.
How long are card details stored during a transaction?
Card details are encrypted and only stored in memory with a default Time-To-Live (TTL) of 60 minutes, sufficient for the current transaction. They are securely managed and not retained beyond what is necessary for processing.
Can I use Transact in various regions or at scale?
Yes. Aiphoria Transact is Azure-native, architected for scale and resilience with dual SBCs per region, auto-scaling, and no single points of failure.
What branding options are available for digital channel (Pay by Link) journeys?
The capture page for Pay by Link can be branded to match your business and hosted on your custom domain for a seamless customer experience and enhanced trust.
Payments & Compliance
What payment methods does Transact support?
Transact supports a variety of payment methods: DTMF suppression (touch-tone keypad entry), speech recognition (for accessibility needs), Pay by Link (secure digital link via SMS/webchat/email), and Pay by Bank (coming soon in 2025).
What should I do if my domain uses a certificate authority (CA) other than GoDaddy and I want to use a custom domain for payment links?
You will need to add GoDaddy as an allowed CA via a CAA DNS record for your domain. This enables Aiphoria (which uses Azure and GoDaddy for SSL certificates) to request certificates on your behalf. Instructions are provided in the documentation for updating CAA DNS records.
How do I set up a custom domain for my payment links?
The process involves several steps:
- (If necessary) Add GoDaddy as a CAA record.
- Inform Aiphoria of your desired domains (e.g., production and test URLs).
- Add the TXT DNS records provided by Aiphoria for domain verification.
- Add A records provided by Aiphoria to route traffic to the platform.
- (Optional) Set up email DNS records if you wish to send emails from your own domain via Aiphoria.
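Why the CAA step is conditional, shown as an added example (not Aiphoria's code or tooling): a CA looks for CAA records on the payment hostname and then on each parent domain, so an existing record that names only another CA blocks GoDaddy for every subdomain until GoDaddy is listed too. The domain names, the existing letsencrypt.org entry and the zone layout are constructed; godaddy.com is assumed here as GoDaddy's CAA issuer identifier and should be confirmed against the documentation Aiphoria provides.

```python
# Added example: evaluates constructed CAA data offline (no DNS queries).
# A zone maps name -> list of (flags, tag, value). All names/values are constructed.
BEFORE = {"example.com": [(0, "issue", "letsencrypt.org"),
                          (0, "iodef", "mailto:security@example.com")]}
# Same zone after adding GoDaddy as an allowed CA (assumed identifier).
AFTER = {"example.com": BEFORE["example.com"] + [(0, "issue", "godaddy.com")]}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name, zone):
    """Climb from name towards the root; return the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def ca_may_issue(name, ca_id, zone):
    """True if ca_id may issue a non-wildcard certificate for name."""
    _, records = relevant_caa(name, zone)
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in records if tag.lower() == "issue"]
    if not issuers:
        return True  # no "issue" property: CAA does not restrict issuance
    return ca_id.lower() in issuers


if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER), ("no CAA", {})):
        print(label, ca_may_issue("pay.example.com", "godaddy.com", zone))
```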
What happens if there is an error during the payment process?
Agents will see visual prompts for data or formatting errors. Aiphoria service errors are shown via in-app notifications, while errors from the payment service provider (PSP) are either displayed on the completion page or returned via datapost/redirect, depending on configuration.
Is it possible to keep my existing Payment Service Provider (PSP)?
Yes. Transact is designed to work with your current PSP. You can maintain your existing tokens and workflows or migrate to a new PSP if you prefer.
What PCI DSS responsibilities remain with my business when using Transact?
While using Transact removes your contact center, office, or telephony system from PCI DSS scope and reduces your compliance obligations, you must still:
- Verify your PSP remains PCI DSS compliant (Aiphoria provides an AoC for Transact)
- Complete a simplified Self-Assessment Questionnaire (SAQ-A or SAQ-D)
- Ensure staff are trained not to handle card data
- Have an incident response plan
- Maintain necessary compliance documentation
Aiphoria provides guidance and templates for these requirements.
Integration
How can I integrate Transact with my existing workflows and systems?
Transact can be run as a standalone web app or embedded within your CRM. Data can be passed via query string parameters. Upon completion, Transact supports various actions, including sending data via HTTP POST, performing a redirect, or displaying relevant fields to the agent.