Customers, employees, investors, competitors – how a successful business is built upon good relationships

Customers, employees, investors, competitors – how a successful business is built upon good relationships

Tim Critchley humorously references a popular TV comedy show catchphrase when he talks about the aspirations of contact centre, data security and compliance payment security specialist Semafone, when the company launched in 2009. “We thought that if everything worked in our favour, ‘this time next year, we’ll be millionaires Rodney’.”

In the beginning

It did not quite work out that way; overnight success, to coin another phrase, has taken longer than expected. Doubling turnover in the last three years is not to be sniffed at. Critchley, who has been CEO of the business from its inception, is excited about the prospects for further growth as the contact centre industry ups its game in regard to security and compliance.

Product innovation

Semafone provide a patented payment method that enables contact centres to take payments over the phone securely and be compliant with the Payment Industry Data Security Standards and crucially, without compromising on customer experience.

The core philosophy of the product: “You can’t be hacked for data that you don’t hold. If someone is taking credit or data cards over the phone in a contact centre, we take away the pain of processing and securing the sensitive data. Cardprotect enables callers to enter payment card information directly into their telephone keypad. DTMF tones (the variable sounds used for touch tone dialing) are masked with flat tones, so the contact centre agent on the line, call recording systems and eavesdroppers are unable to decipher the numbers. The agent can’t hear or see the numbers and can stay in full conversation with the customer throughout the entire payment process, which provides a positive customer experience. As soon as the card numbers are entered into the telephone keypad, they are sent straight to the bank for processing.”

Offering solutions customers need

Semafone are not limited to protecting contact centre voice transactions, he adds. “Merchants can send us any complex transactions, for example credit card numbers entered into their website that they want to reuse for repeat purchases or subscriptions, without the security risk and headache of storing numbers for future use.”

The solution grew out of the problem of how to make contact centres taking payments secure and compliant, without turning them into draconian places where staff are banned from having paper and pens, mobile phones and other personal items which can have a negative and damaging impact on morale and lead to high employee turnover.

Existing automated systems resulted in a poor customer experience so Semafone came up with a way of enabling the contact centre agent and the customer to carry on talking to each other while the payment is made. The prototype worked well and the product evolved into a “reliable and resilient” system that would protect payment data in a “rock-solid” way.

Successful business built upon good relationships

“One of our challenges,” observes Critchley, “is keeping in front of mind with our customers. Once the system is in and working, it rarely goes wrong, so customers forget about us. It’s then a challenge to get face-time with them. Having the opportunity to chew the fat with them and solve other data security problems for them.”

Semafone now employ more than 100 people in Europe, North America and Australia. They have customers on five continents, including well-known brands in sectors as varied as banking, casinos, debt recovery, healthcare, financial services, utilities, travel, and hospitality.

Business strategy

But Semafone are not the only business offering this kind of thing, so what sets them apart? “We have some very capable and credible competitors,” agrees Critchley. “It would be a lonely place if we were the only people thinking this was a good idea and in business-to-business environments, procurement people don’t like it if they don’t have a choice, if you are the only kid in town.”

“But we would say we are the pioneers. We created the market and we have more customers and secure more transactions than others. Our USP is our experience, because we have been doing it longer than anyone else and we provide a better quality of security. We can be accused of being a one-trick pony, but when we are up against other guys we can say we are specialists. We have done this time and time again, for big and small companies.”


And crucially, he adds: “We know we can out-tech anyone else. There is a technological difference, rather than a functional difference. We are very happy to have that kind of discussion with our customers, though we have to be careful not to get too techy.”

Much of any new business is related to PCI DSS (the aforementioned Payment Card Industry Data Security Standard). “Ten years ago, the level of security across the payments industry was very poor. It wasn’t hard for bad guys to get in and steal sensitive data,” says Critchley. “Led by major players such as Visa, Mastercard, and American Express, the card industry decided to tackle the problem of fraud by drawing a net around the entire system to stop card numbers leaking out. If a bad guy gets hold of a credit card number and you don’t know, it’s very difficult to stop it being used nefariously. But you can stop it being leaked out in the first place.”

Preventing fraud

Fraud numbers keep going up as the use of cards increases. Due to this Critchley would like to see more compliance with the PCI DSS. “Personally, I think it’s a pretty good standard and if everybody followed it, there would be less fraud.”

Much of Semafone’s growth so far has been thanks to a few big contracts, such as Sky, in the UK. The most significant growth over the past two years has come from the US, which now accounts for half of revenue and which is where they see much of the future growth. “There is massive potential in the US so I would truly love to secure the bridgehead there and make that a success,” says Critchley. “We hear a lot about British businesses not managing to do that, but we have some traction there. I would love us eventually to be an American business that just happens to have its software built in the UK, rather than being seen as a UK company with an office in the US.”

Business planning

Meanwhile, he would like to increase the size of their two UK offices, which would help to keep everything in-house. Outsourcing of development work, he believes, adds complexity unnecessarily for a security company. “Using a third party can have benefits, but if you build stuff around it then release it and there are vulnerabilities built in by the third party, you release that vulnerability. Saving two days by using a third party can lead to wasting a hundred times that in the long term, unpicking issues that could lead to data breaches.”

Critchley feels it is important for tech businesses not to over-promise while trying to excite customers. “Experience has reinforced my feeling that there is a balance between promising a big pot of jam tomorrow and the reality of what is achievable.” He makes the point that growing Semafone has turned out to be harder than he thought. “No one customer is exactly the same as the last one,” he explains. “So two different topologies need to be integrated. Then there has been the slow pace at which the new PCI standards have been enforced.

In the beginning

“When we started we assumed the PCI DSS would be more heavily enforced but it was not as robust as we might have thought. We would go into an environment where an organisation had been told to be compliant, and we’d say ‘let’s get on with it’; then nothing much more would happen and we would hear that they had been told they could do a bit this year and a bit next year. Rather than say ‘no, you must comply now’, the PCI would give them more time; it would turn into a negotiation and a compromise. I don’t think the sanctions are strong enough.”

That meant that the original business plan was optimistic. However, a lot of prospects Semafone talked to in the early days are finally signing up. “It’s just taking longer than we thought,” says Critchley. “But hitting £12million of revenue in a B2B environment without an enforced regulatory sanction feels like a pretty good result, albeit about two years behind where we had hoped to be.”

Working with investors

Matching actual performance to the plan has been made more of a priority by the fact that the business has external investors. Namely, VC company Octopus Investments (involved since 2010) and the Business Growth Fund (since 2014). But despite that ever present challenge, Critchley has found the relationship with the investors to be “wholly positive”. He says: “The venture capital community are super-smart people. They have been brilliant; they are patient but demanding and full of good ideas. Asking tough questions that forces you to think more about what you’re doing and why. And to question whether you’re really a multi-billion-pound opportunity that will make a good return for everyone. That’s helpful as you end up with a plan that has been properly battle tested.”

No frustrations with the investors then?

“I suppose I should be careful what I wish for,” replies Critchley. “Sometimes I wish they would be more prescriptive in terms of saying which corporate finance team/tax adviser/recruiter we should use. Quite rightly, they don’t want to be accused of force-feeding you with their advisers. However the trouble then is that you feel you have to meet all of the people they recommend. When probably there’s only one that they really rate. If they said ‘go and use them’ we probably would. They know who is good and we trust their judgement. They are smart guys who know what they’re doing.”

Planning for growth

Semafone had 40% growth in the past year and Critchley is considering making acquisitions to speed up the growth rate. “We have perennial discussions about this and I’m confident that both of our funders would put more money in if we asked them.

“But we can keep growing nicely without more funds. As a shareholder myself I know how important it is for any growth plan to be deliverable if we are asking existing shareholders to dilute. That said, if there’s a way for us to reach £100million in three years, why would we not do so? It’s important to remain ambitious.”

Growth is not just good for the shareholders

“It generates opportunities for staff, as well as increasing shareholder value. One of the best things for me is when people join in one capacity and later they develop something else. I don’t think they can do that in a business that is not growing. That’s part of ambition for me; it’s important that Semafone means something to everyone, that they feel they really learn something and stretch themselves when they work here.”

Finding the expertise

Which leads on to the lack of good cyber security people. “There is a drought of them, almost to the point where it’s an educational problem that the government must tackle. The market can say we need another hundred thousand cyber professionals but where are they going to come from? Who is going to train them all? There simply is not the supply.”


Another challenge, with European Union citizens accounting for some 15% of Semafone’s workforce, is Brexit. “I’m not too worried about existing staff having to leave. It’s more a question of whether we can keep bringing in technical talent from abraod. Poland, Bulgaria and the Czech Republic  are where some of our best techies have come from. Growing a technology business in the UK will become much harder if we don’t keep that supply of talent coming.”

Download this interview in PDF

For more information

Please call us on:

01483 416232