As the threat landscape changes, contact centres are increasingly becoming prime targets for credit card fraudsters because of the high volume of card not present (CNP) transactions that take place daily. CNP transactions refer to payments made online, by telephone or by mail order. Thanks to regulation and security advances such as 3D Secure, online payment security has vastly improved, leaving telephone and mail order payments an increasingly attractive target.
The trouble with these payments is that it is very hard to implement second layer authentication, such as Chip and Pin, and so prove the cardholder really has authorised the payment. When firms review their CNP transaction safety in the context of the contact centre, it's important to take into account threats coming from outside and within, digital or physical, covert or brazen. Usually, it's a mixture.
In my line of work, I have personally witnessed some idiotic security blunders. For example, correctly disposing of payment details should be obvious. And yet one security auditor at QSA CIPHER was proudly told that the contact centre's business continuity procedure was to jot down payment card details lest the IT systems crash mid-transaction. If for whatever reason these payments failed, the details would be thrown into the bin, totally intact. The auditor was then shown an unlocked office in which the successful payment details were kept, in bundles secured by bulldog clips to keep them ‘safe'.
Just as important as physical security is IT security, which also requires careful planning. Here, too, basic procedures are often lacking. Still we find networks are not consistently segmented. Still we find payment details being entered manually into payment systems. Still we find inadequate access controls governing what information agents can see.
The latest update to the PCI DSS standards came out in April this year and by following this, firms will go a long way to achieving good practice. However, compliance with PCI DSS or other information security standards does not necessarily guarantee cardholder information will be safe.
Call centre workers can be vulnerable to coercion from fraudsters looking to get hold of this information, or they can willingly participate in the crime – the threat posed is equally concerning.
The best way to protect cardholder information is to make sure it never enters the contact centre environment in the first place. After all, criminals can't steal what isn't there.
Separating out the transaction in this way is possible with solutions such as Dual Tone Multi Frequency (DTMF), a secure phone payment processing system. With DTMF payment technology, the customer enters the card details into the telephone keypad instead of reading it out loud to the agent. These tones are then captured before they enter the contact centre, so the contact centre agent never comes into contact with the information. On the agent's screen, asterisks appear instead of numbers as the customer enters the details, and he/she receives conformation once the payment is successfully processed.
This system achieves a number of goals. Improved security means peace of mind for the customer, it removes temptation from a petty or opportunistic criminal and it protects call centre agents from coercion by serious criminals. Contact centres can go further still: any manual records and/or legacy call recordings should be destroyed wherever possible, or kept securely stored off-site with an accredited service provider if it is necessary to keep them for compliance reasons.
Ultimately, contact centres have a duty of care towards customers and staff. Protecting customer data and employees from fraudulent activity requires immediate action to review the processes and technologies currently in place.
And, as I have said already, the most effective way to minimise the threat of insider fraud is to stop payment data from ever entering the contact centre.
Contributed by Matthew Bryars, CEO, Aeriandi