Recent high-profile data breaches show how vulnerable call centres are to fraud – and why the card companies such as Visa, Mastercard and American Express are now imposing tighter controls on merchants.
NB This is a viewpoint by Simon Beeching, executive director of Syntec. (We first published this late last week, but due to the holidays in some parts of the world are republishing.)
I still remember vividly the day we discovered that many of our customers’ credit cards had been defrauded at a large travel company I ran in the 1990s. It took three months to sort out and contain the potential reputational damage – and AMEX even turned it into a case study!
So why is there still an industry problem today?
Quite simply, the payment card data is too easy to compromise.
When the data enters the contact centre environment it’s available both audibly and in networks, databases and call recordings. So while chip ‘n pin has broadly resolved ‘cardholder present’ security in retail, ‘cardholder not present’ phone payments remain a weak link and thus a honeypot for fraudsters.
PCI DSS controls and why partial measures are unsuccessful
The introduction of the new ‘Payment Card Industry Data Security Standard’ (PCI DSS) tackled this exposure by insisting that merchants improve card data security across all channels.
This includes payment by phone, where the regulations impose over 200 controls on the accessibility, storage and encryption of the sensitive card details - the primary account number and card verification value specifically - even where third parties are handling MOTO (mail order/telephone order) payments on your behalf.
Various methods have been tried over the past couple of years to try to meet these new regulatory requirements, including ‘pause and resume’ for call recordings to stop recording the card numbers when they are read out; ‘clean rooming’ agents so they can’t capture or transmit the card numbers to anyone else; and/or other workarounds such as transferring calls to smaller teams of agents to take payments.
But none of these methods overcomes the key issue, which is that consumers don’t want to read their card numbers out over the phone at all any more.
Consumers want new technology to be introduced
Incredibly, our latest annual research found that 62 percent of IT and operations managers in contact centres are reluctant to make payments over the phone in their personal lives, due to the possibility of data breaches. This is what consumers have told us every year for four years.
So our research white paper into PCI DSS in contact centres recommends sensitive payment card data should not be available to agents or their organisations to see, hear, store or record at all.
There’s good reason for this, as it’s not just external hackers who are after the data: Sophie Wapshott, business engagement manager from Cifas said:

“36 percent of the internal fraud cases reported by Cifas members in 2014 were committed in contact centres, with many of these offences involving staff disclosing customer or commercial data to organised criminal third parties. This is an increase of over 15 percent of cases when compared to 2013.”
Consumers are highly aware of this problem from media reports, so only 11 percent now agree that ‘organisations I buy from over the phone will keep my personal and card payment details secure’ and only 5 percent think that reading their card details out over the phone is secure, leading to a marked reluctance to complete transactions over the phone when this is required.
My own forecast is that within three or four years, consumers will simply refuse to give their card numbers out in this way, with our research indicating a clear consumer preference for new secure technology to hide the credit card details from the contact centre agent altogether.
DTMF is the new method to achieve this
The new ‘fintech’ approach to resolving the regulatory and consumer requirement for better card security in contact centres is called de-scoping technology, where consumers use the touchtone signals of their phone keypad (DTMF, or ‘dual tone multi-frequency’) to convey their card numbers for payment authorisation, either mid-conversation with the agent or through an automated (interactive voice recognition-based) customer self-service system.
The DTMF touchtones themselves are masked so the numbers cannot be deciphered, and the sensitive card numbers thus bypass the call centre, agent and call recordings, in turn de-scoping the contact centre from the majority of PCI DSS controls, as there is no longer any card data to protect.
This new DTMF suppression technology is a win-win for consumers and contact centre managers alike. DTMF voice payment solutions prevent the sensitive card data from entering the contact centre environment at all, improving customer trust as well as reducing compliance hassle and costs for the merchant, while improving the customer experience at a stroke.
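As an added illustration of the de-scoping flow described above (example code, not Syntec's product or any vendor's implementation): a middleware sitting between the phone network and the agent desktop/recorder diverts key presses to the payment path and replaces each one with a masked tone, so the agent stream and the recording never carry the digits. The call events, the test card number and all function names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample call (not real traffic): speech segments plus the caller's
# key presses. 4111111111111111 is a standard test number, not a live card.
SAMPLE_CALL = [("speech", "agent: key in your card number, then press hash")]
SAMPLE_CALL += [("dtmf", d) for d in "4111111111111111#"]
SAMPLE_CALL += [("speech", "caller: done")]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: confirms the keyed digits arrived intact before use."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


@dataclass
class SplitCall:
    agent_stream: list = field(default_factory=list)  # agent desktop + recorder
    gateway_pan: str = ""        # delivered only to the payment gateway path
    agent_hint: str = ""         # masked reference the agent may see


def suppress_dtmf(events, terminator="#") -> SplitCall:
    """Divert DTMF digits away from the agent path; emit a placeholder tone."""
    out = SplitCall()
    digits = ""
    for kind, value in events:
        if kind != "dtmf":
            out.agent_stream.append((kind, value))
            continue
        # The agent-facing stream gets a flat masked tone, never the digit.
        out.agent_stream.append(("masked_tone", "*"))
        if value == terminator:
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                out.gateway_pan = digits
                out.agent_hint = "*" * (len(digits) - 4) + digits[-4:]
            else:
                out.agent_hint = "invalid entry, ask caller to re-enter"
            digits = ""
        elif value.isdigit():
            digits += value
    return out


def agent_path_is_clean(split: SplitCall) -> bool:
    """True if no raw key press or full PAN reached the agent/recorder stream."""
    no_dtmf = all(kind != "dtmf" for kind, _ in split.agent_stream)
    no_pan = not split.gateway_pan or all(
        split.gateway_pan not in value for _, value in split.agent_stream)
    return no_dtmf and no_pan
```

The point to verify in a real deployment is the same as `agent_path_is_clean` checks here: the recorder, screen-capture and agent desktop feeds must be taken from the suppressed stream, not from a tap upstream of it.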
Our white paper concludes with the advice of Kevin Dowd, PCI DSS QSA and group chairman, CNS Group who simply says to organisations:

“If you don’t need the card data, don’t touch it!”
NB1 This is a viewpoint by Simon Beeching, executive director of Syntec. It appears here as part of Tnooz's sponsored content initiative.
NB2 Simon will be moderating the ‘As easy as pay: making payment frictionless’ session at Travel Technology Europe, taking place from 24-25 February 2016 at London Olympia. Visitors at the session on the Thursday morning will hear panellists from Realex, Paypal and Zapp talk about how to reduce customer drop out during the online payment process and how to make the process simple yet secure.