We’ve all been there right? On the end of the phone when the contact centre agent has asked us to make a payment. Whether it’s a car insurance renewal, a last-minute birthday present, or in the case of one of our team, the deposit for a new car. So, the agent asks for your credit or debit card details, but you pause, should I be reading these out? Is the agent trustworthy? Could I be overheard? As consumers in this connected world, we want what we want, and we want it right now, so did you go ahead and do it anyway?
When a business takes card payments over the phone there are a number of risks, and not only to the customer who could become a victim of credit or debit card fraud. Every month organisations suffer card data breaches, and the net result is that customers lose confidence in the brands affected, businesses go through costly and lengthy investigations, and in some cases shoulder very substantial fines from the regulators.
According to the UK Government’s Cyber Security Breaches Survey, 2017, nearly half of all UK businesses suffered a cyber breach in the last 12 months (1). As more data protection laws in the form of the EU’s General Data Protection Regulation (GDPR) come into force next month, there is even greater pressure on businesses to demonstrate compliance in the ways they handle their customer and payment data.
So, who’s at risk? And what can you do as a business to protect your customers, reduce your risk, and the threat to your reputation?
Any organisation that takes card payments over the phone is potentially putting themselves and their customers at risk every time they take a payment.
The PCI Data Security Standard (PCI DSS) was introduced in 2006 by the Payment Card Industry Data Security Standards Council to combat the threats posed by card data fraud to both individuals, and businesses. The PCI DSS council has the power to investigate and levy fines on organisations which have suffered card data breaches, and these fines can amount to many hundreds of thousands of pounds.
Its commonly assumed that PCI DSS only applies to larger organisations, but infact, the standard applies to any business (or merchant) that accepts or processes card payments. It doesn’t matter how many payments of this type are processed, if the appropriate security processes aren’t in place, the risk of card fraud is present. In reality, small businesses are more likely to fall victim to hackers and card fraud as they tend to have less robust security measures in place.
How does card fraud happen?
When the government cracks down on one method of fraud as they did with contactless payments, the criminals just move to the next easiest opportunity. Individuals or criminal gangs target organisations with contact centres that take payments by simply calling to make a purchase themselves and noting what security controls are in place. If they are offered telephone payment as an option and asked to provide all the card security data, such as the 16-digit number, expiry date and CVV, they know that this data is taken in an unsecured way. This can then make that business and their customers targets for card fraud.
When it comes to contact centres, the main risks come from the following groups:
Hackers attack contact centre systems directly or they use malware, phishing scams or social attacks. Their methods are increasingly sophisticated. They could be after card details or call recordings where numbers were read out.
Rogue agents or groups of agents within in a contact centre may want to steal card or personal data for their own gain or to sell on, or they could be placed there by a criminal gang which has identified a weakness in the contact centres payment handling methods. It’s a painful truth that any contact centre could have rogue agents working there and only rigorous security processes in recruitment and staff training can help reduce the risk.
What can you do to mitigate the risks?
Any salesperson will tell you that once you’ve got somebody on the phone, you have a much better chance of closing the sale if you keep them there, so transferring a call to a payment IVR could result in that call being abandoned and the sale being lost.
So, what can you do to keep your customers engaged to the end of the payment process, and remove the risk of card data fraud?
Well, you can avoid taking telephone payments at all of course, but doing so removes a key payment channel, one that many customers still prefer, and that can be more practical in many situations.
Alternatively, you can ensure your payment processes and your business are safeguarded from the risks by employing PCI DSS compliant payment technology.
There’s one thing we should mention at this point. In your search for secure telephone payment solutions, you’ll see and hear the word ‘compliance’ used a lot, but beware, many technology providers claim to be compliant, but this may not be enough.
To achieve compliance with PCI DSS, organisations need to protect their customers’ card holder data by following the PCI DSS Council’s 12 steps.
What a lot of people don’t realise is that there is a difference between certification and compliance when it comes to PCI DSS. Whilst many organisations claim to be compliant, to be certified by the Payment Card Industry Security Council requires an organisation’s technology, network, and internal processes to be audited by an independent Qualified Security Assessor (QSA), and an Attestation of Compliance (AOC) document issued. Companies also need a quarterly network scan by an Approved Scanning Vendor (ASV). Only organisations with this accreditation can guarantee the security of the payments they handle. So, you need to ask your payment technology partner to provide this document.
For certain organisations, certification can be achieved through a simpler, Self-Assessment Questionnaire which removes the need for a QSA. The Self-Assessment Questionnaire (SAQ) is a validation tool for eligible organisations who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC). There are various different levels of certification that an organisation can have, depending on the value of the transactions they handle.
How can we ensure we are compliant?
Once you’ve identified which level of compliance you need to demonstrate there are two ways in which you can achieve it.
Securing your existing contact centre operation
You can implement technology that is able to mask card holder data and prevent it from entering your organisation. This technology, known as Dual Tone Multi Frequency Masking, or DTMF, enables customers to remain on the phone and in conversation with a contact centre agent whilst they make a payment. Instead of speaking the card details, the customer is able to input them directly into the telephone keypad. This removes the risk of the customer being overheard, or the agent hearing, writing down, or displaying the sensitive data on their computer screen.
Outsourcing your contact centre operation
If you outsource your entire contact centre to a third party that already has PCI DSS certification, it removes your business from the scope of PCI DSS. However, you should note, if a breach to one of your customers card data occurs, you will still hold some liability.
How to select a PCI DSS service provider
If you’re looking to implement a secure payment solution to remove your business from the scope of PCI DSS, these are some of the questions you should ask:
- Are they PCI DSS compliant and can they provide evidence of their certification? Ask for their current AOC.
- How long have they held their certification and has it been maintained continuously? PCI DSS assessment is a continuous process and monthly penetration testing, quarterly network scanning and annual reassessment is required for compliance to be maintained.
- Do they only provide PCI DSS payment services or can they provide you with a complete contact centre solution with PCI DSS certification? Service providers who are able to handle all your customer contact and payments may provide more cost benefits over using multiple supplier.
- What is the value of transactions they handle compliantly every year?
- How reliable is their service? What level of up-time do they guarantee?
How technology can help you?
By far the most effective strategy for ensuring that your business and your customers can’t fall victim to data fraud is to make sure card data never enters your contact centre in the first place.
It’s possible to do this simply and cost effectively by using the right technology from a PCI DSS certified provider like Ultracomms’ PaySure.
PaySure uses DTMF masking to enable your contact centre agents to remain on the phone to help customers through the payment process, and as a result, reduces the likelihood of abandoned calls.
Customers simply type their card details into their phone keypad, and DTMF Masking makes the tones indecipherable. This removes the need for the card details to be read out and enables continuous call recording, without any risk of card details being overheard or stored.
Without sensitive card data entering your contact centre, your business is completely removed from the scope and cost of PCI compliance. The risk of card data theft is removed, along with the potential for the financial and reputational damage that could occur as a result of a card data breech.
The beauty of cloud-based solutions like PaySure is that they can be easily integrated with existing infrastructure very simply and quickly. Their flexibility means they can also be deployed in a variety of ways, as an entire secure cloud contact centre platform, hosted within the telephone network, through Skype for Business, or installed locally on a client’s own premises. This means that they can be tailored to suit businesses of any size, cost effectively removing the risks, whilst at the same time ensuring a consistent customer experience.
Some questions we are often asked
What could happen if our business suffered a card data breach?
An organisation that handles payment card transactions and has suffered a suspected breach can be investigated by a PCI Forensic Investigator (PFI), leading to a detailed assessment of the organisation’s network and processes, and the full financial liability for that investigation. Such a breach can easily cost a minimum of several hundred thousand pounds in remediation work, fines, consequential liabilities and even result in financial institutions terminating their relationships with the company that allowed the breach to occur – and that’s without the cost of reputation loss and damage to the brand.
What is ‘Pause and Resume’?
Pause and Resume is often used by contact centres as a way to reduce risk. When a customer is asked for their card details to make a payment, the agent stops the call recording to avoid these details being captured or stored on the recording.
The customer is still required to read out their card details, so there is still a significant risk that these details could be overheard and captured, and fraudulent activity could result. This method of risk reduction also does nothing to protect the card data as it transits the telephony network. The technique has many downsides and opens businesses to the risk of fines from the PCI DSS Council, loss of merchant status, and of course, the resulting damage to the business’s reputation.
66% of organisations taking card payments by phone are still using Pause and Resume call recording solutions (2). This method of payment handling is expected to be deemed non-compliant when the PCI DSS council issues its next standard update.
How much does it cost to achieve PCI DSS compliance?
Attaining PCI DSS certification can be expensive, but costs vary depending on the level of compliance required. Achieving full certification can run into a six-figure sum. However, by choosing to work with a service provider that has already achieved PCI DSS level 1 certification (such as Ultracomms), it’s possible for an organisation to gain its own certification for a fraction of the cost and in a much shorter time-frame, using the Self-Assessment Questionnaire (SAQ) process.
To find out more about how to secure your contact centre payment processes, click here to download our new free White Paper, Card fraud. Time to act?
- ContactBabel UK Contact Centre Decision Maker’s Guide