Respondents to the survey in ContactBabel's report (The Inner Circle Guide to Fraud Prevention & PCI Compliance) were presented with a long list of solutions, approaches and business processes that aim to reduce the risk of card fraud within the contact centre, and were asked to indicate which they used.
It should be noted that some of these methods do not in themselves render the operation fully PCI-compliant. Respondents used a mean average of 2.5 card fraud reduction methods.
Pause and Resume (62%)
Pause and resume is historically the most popular method of assisting with PCI compliance, and has several obvious benefits, not least a low set-up cost and speed of implementation. It aims to prevent sensitive authentication data and other confidential information from entering the call recording environment, although it does not stop the card data from entering the spoken / agent environment.
Automated pause and resume may use an API or desktop analytics to link the recording solution to the agent desktop or CRM application, triggering when the agent navigates to a payment screen or a specific field, for example. The recording is paused and then resumed when the agent leaves the payment screen, which in theory removes the period during which the customer is reading out the card details. In practice the cut-out is only as good as the timing of the trigger: digits the customer reads before the agent reaches the payment screen, or after the agent leaves it, still land in the recording.
This principle is similar to that applied to screen recording applications, where 24% of respondents stated that their application does not record card details from the agent’s screen. 33% of respondents mask card details on the agent’s screen, to prevent photographic copies being made.
PCI DSS 3.0 guidance states that "Pause-and-resume technologies may be manual or automated, and whilst a properly implemented pause-and-resume solution could reduce applicability of PCI DSS by taking the call recording and storage systems out of scope, the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment, or any other systems in the telephone environment." The newer PCI 3.2 guidelines have moved from securing only recorded card data to securing both spoken and recorded card data; pause and resume cannot help with the spoken part.
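The following is an added example, not code from the ContactBabel report or from any recording vendor. It simulates an automated pause-and-resume recorder driven by agent-desktop screen events, as described above, and shows the timing caveat: a caller who starts reading the card number before the agent opens the payment screen has those digits captured regardless. Event names, timestamps, the screen name "payment" and the test PAN are all constructed for illustration.

```python
# Added example: simulated API-triggered pause-and-resume call recorder.
# Events are (time_seconds, kind, payload), in time order. kind is "screen"
# (payload = screen the agent navigated to) or "speech" (payload = what the
# caller said at that moment). Names and timings are constructed, not real.

PAYMENT_SCREEN = "payment"   # assumed screen name that triggers the pause

def record_call(events):
    """Return the speech segments that actually reach the recording store.
    Recording is paused while the agent is on the payment screen and
    resumed as soon as they navigate anywhere else."""
    recording = True
    captured = []
    for t, kind, payload in events:
        if kind == "screen":
            recording = payload != PAYMENT_SCREEN
        elif kind == "speech" and recording:
            captured.append((t, payload))
    return captured

def contains_pan(text):
    """Crude check: 13+ digits in one utterance looks like a card number."""
    digits = "".join(ch for ch in text if ch.isdigit())
    return len(digits) >= 13

def leaked_segments(events):
    """Segments that were recorded although they carry a card number."""
    return [seg for seg in record_call(events) if contains_pan(seg[1])]

# Constructed well-timed call: the agent reaches the payment screen first.
WELL_TIMED = [
    (0.0,  "screen", "order_summary"),
    (5.0,  "speech", "I'd like to pay for that now please"),
    (6.0,  "screen", PAYMENT_SCREEN),          # recorder pauses here
    (8.0,  "speech", "4111 1111 1111 1111, expiry 12 29, code 123"),
    (20.0, "screen", "order_summary"),          # recorder resumes here
    (21.0, "speech", "when will it be delivered?"),
]

# Constructed race: the caller reads the number before the screen changes.
EARLY_READER = [
    (0.0,  "screen", "order_summary"),
    (5.0,  "speech", "the number is 4111 1111 1111 1111"),   # still recording
    (6.0,  "screen", PAYMENT_SCREEN),
    (8.0,  "speech", "expiry 12 29, code 123"),
    (20.0, "screen", "order_summary"),
]

if __name__ == "__main__":
    print("well-timed leaks:", leaked_segments(WELL_TIMED))
    print("early-reader leaks:", leaked_segments(EARLY_READER))
```

Nothing in this design sees the PAN when the trigger fires late, which is exactly why the PCI guidance quoted above leaves the agent and telephony environment in scope.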
IVR Payments – post-call (11%) and mid-call (10%)
Most IVR is used for call routing and self-service. However, a minority of respondents, especially those with a large contact centre, use an automated IVR process to take card details from the customer, descoping the agent environment.
Mid-call IVR (or agent-assisted IVR) is seen as a more customer-friendly approach than post-call IVR: the caller may have additional questions, or want reassurance and confirmation after the payment, perhaps around delivery times or other queries unrelated to the payment itself.
Many businesses that use IVR for payment will use a third-party provider, which takes the card data out of the organisation altogether. If they do not, the card data will still be within the organisation's network, so although this approach takes the agent out of scope, it does not in itself ensure PCI compliance.
Detect and Block the Phone’s DTMF Tones (22%)
22% of this year's respondents use DTMF suppression (also known as masking) to assist with card fraud reduction. DTMF suppression describes the practice of intercepting the keypad tones the customer enters and altering them so that the cardholder details cannot be identified by the agent, by the recording environment, or by any unauthorised person listening in. DTMF suppression aims to take the agent out of scope as well as the storage environment: card details on the agent's screen may be masked while the DTMF tones are neutralised in the audio path, which removes the (albeit theoretically small) risk of a handheld recorder being used.
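As an added example, not taken from the report or from any DTMF-masking product, the block below shows the audio-level mechanism in pure Python: DTMF digits are detected per frame with the Goertzel algorithm (a single-bin DFT at each of the eight DTMF frequencies) and every frame carrying a valid tone pair is overwritten with a uniform fill tone that carries no digit information. The sample rate, frame length, thresholds, the 350 Hz stand-in for speech and the test PAN are constructed assumptions for the demonstration.

```python
# Added example: DTMF detection (Goertzel) and suppression in the audio path.
# Not vendor code. Parameters below are assumptions chosen for illustration.
import math

RATE = 8000                                # telephony sample rate (Hz)
FRAME = 800                                # 100 ms analysis frame
LOW = (697, 770, 852, 941)                 # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)            # DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")    # KEYS[row][col]
MIN_POWER = (0.1 * FRAME / 2) ** 2         # a tone of amplitude >= 0.1 counts

def tone(freqs, seconds, amplitude=0.5):
    """Sum of sinusoids at `freqs`, as a list of float samples."""
    n = int(RATE * seconds)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def dtmf(digit, seconds=0.1):
    """Audio for one DTMF keypress (row tone + column tone)."""
    for r, row in enumerate(KEYS):
        if digit in row:
            return tone((LOW[r], HIGH[row.index(digit)]), seconds)
    raise ValueError(digit)

def goertzel_power(frame, freq):
    """Energy of `frame` at `freq` via the Goertzel recurrence."""
    w = 2 * math.pi * freq / RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s = x + coeff * s1 - s2
        s2, s1 = s1, s
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Digit keyed in this frame, or None if no row+column pair is present."""
    lo = [goertzel_power(frame, f) for f in LOW]
    hi = [goertzel_power(frame, f) for f in HIGH]
    r, c = lo.index(max(lo)), hi.index(max(hi))
    if lo[r] < MIN_POWER or hi[c] < MIN_POWER:
        return None
    return KEYS[r][c]

def decode(audio):
    """What an eavesdropper or recorder could recover from the audio."""
    digits = []
    for start in range(0, len(audio) - FRAME + 1, FRAME):
        d = detect_digit(audio[start:start + FRAME])
        if d is not None:
            digits.append(d)
    return "".join(digits)

def suppress(audio, fill_freq=1000.0):
    """Replace every DTMF frame with a constant fill tone, leaving speech as-is.
    The fill is identical for every digit, so it leaks nothing."""
    out = list(audio)
    for start in range(0, len(audio) - FRAME + 1, FRAME):
        if detect_digit(audio[start:start + FRAME]) is not None:
            out[start:start + FRAME] = tone((fill_freq,), FRAME / RATE, 0.2)
    return out

SAMPLE_PAN = "4111111111111111"   # well-known test card number, constructed input

def build_call_audio(pan):
    """Constructed call: 200 ms of 'speech' (a 350 Hz sine) then the keyed PAN,
    each digit 100 ms followed by 100 ms of silence."""
    audio = tone((350,), 0.2, 0.3)
    for digit in pan:
        audio += dtmf(digit) + [0.0] * FRAME
    return audio

if __name__ == "__main__":
    original = build_call_audio(SAMPLE_PAN)
    print("recoverable from raw audio:   ", decode(original))
    print("recoverable after suppression:", repr(decode(suppress(original))))
```

Real deployments run this in the carrier or SBC path before the audio ever reaches the agent's phone or the recorder, and forward the captured digits to the payment gateway over a separate channel; here the point is only that the masked stream no longer decodes.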
Tokenisation protects card information by replacing it with non-sensitive data (a token) which merely represents the original value. The purpose is to devalue the data so that even if it is hacked or stolen, it is of no use to a criminal. One of the main benefits of tokenisation is that it requires little change to the existing environment or business processes: apart from the addition of a decoding (detokenisation) mechanism, which should sit outside the contact centre, the flow, capture and processing of the data work in the same way as if true card information were coming into the contact centre environment.
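An added example of the vault-style tokenisation described above, written for this page rather than taken from the report or any tokenisation provider. The token keeps the PAN's length and last four digits so that existing screens, receipts and reports need no change, is deterministic per PAN so recurring payments can match on it, and is deliberately generated to fail the Luhn check so it can never be mistaken for a real card number. The vault class, its method names and the in-memory store are illustrative assumptions; a real vault is a separate, PCI-scoped service.

```python
# Added example: format-preserving tokenisation with an in-memory vault.
# Illustrative only; class and method names are assumptions for this page.
import hashlib
import hmac
import secrets

def luhn_ok(number):
    """True if `number` (digits only) passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Maps PANs to tokens and back. Only the vault (outside the contact
    centre) ever holds the PAN; everything else handles the token."""

    def __init__(self, lookup_key):
        self._lookup_key = lookup_key   # keyed hash so the index is not a PAN list
        self._by_token = {}             # token -> PAN
        self._by_pan_mac = {}           # HMAC(PAN) -> token, for idempotency

    def _pan_mac(self, pan):
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan):
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        mac = self._pan_mac(pan)
        if mac in self._by_pan_mac:          # same PAN -> same token
            return self._by_pan_mac[mac]
        while True:
            # random digits for everything except the last four, which are kept
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # reject tokens that pass Luhn or that collide or equal the PAN
            if token != pan and token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan_mac[mac] = token
        return token

    def detokenise(self, token):
        """Used only by the payment gateway side, never by the agent desktop."""
        return self._by_token[token]

def mask_for_display(token):
    """What an agent screen or receipt shows: last four digits only."""
    return "*" * (len(token) - 4) + token[-4:]

if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")     # assumption: static demo key
    tok = vault.tokenise("4111111111111111")         # well-known test PAN
    print("token:", tok, "display:", mask_for_display(tok))
```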
Businesses that wish to take card payments, but not have any spoken or recorded card data in their telephony or agent environment have a number of choices of solution, including IVR and DTMF suppression/masking.
An alternative to these solutions is to send the customer a secure hyperlink via SMS, email, chat or social media which directs them to key in their card details themselves, potentially treating the transaction as a 3D Secure ecommerce payment rather than a MOTO (mail order / telephone order) payment. MOTO payments are treated by the card brands as unauthenticated card-not-present transactions; a 3D Secure-authenticated payment attracts lower fees and shifts liability for fraud-related chargebacks away from the merchant.
While this method takes the voice channel out of scope, it may not work for customers who do not have access to a device that allows them to pay online, who are prevented from doing so by disability, or who see online payments as insecure and refuse to use this option.
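The "secure hyperlink" is only secure if the link itself cannot be forged, altered or replayed. Below is an added example, not from the report or any pay-by-link provider, of how such a link can be issued and verified: the payment reference, amount and expiry are bound together with an HMAC, the link is time-limited, and a nonce makes it single-use. The URL, parameter names, secret and timestamps are constructed for the example; a real system would also tie the link to a server-side payment session rather than trusting the amount in the URL alone.

```python
# Added example: signed, expiring, single-use pay-by-link URLs.
# Illustrative; the secret, URL and parameter names are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-secret-rotate-me"   # assumption: static demo key

def _signature(payment_id, amount_pence, expires, nonce, secret):
    payload = f"{payment_id}|{amount_pence}|{expires}|{nonce}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

def make_payment_link(base_url, payment_id, amount_pence, ttl_seconds,
                      now=None, secret=SECRET):
    """Issue a link the customer can open once, within ttl_seconds."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    nonce = secrets.token_urlsafe(8)
    sig = _signature(payment_id, amount_pence, expires, nonce, secret)
    query = urlencode({"p": payment_id, "a": amount_pence,
                       "e": expires, "n": nonce, "s": sig})
    return f"{base_url}?{query}"

def verify_payment_link(url, now=None, secret=SECRET, used_nonces=None):
    """Return (ok, reason). Checks signature first, then expiry, then replay,
    and records the nonce in used_nonces on success so the link is one-shot."""
    q = parse_qs(urlparse(url).query)
    try:
        payment_id = q["p"][0]
        amount_pence = int(q["a"][0])
        expires = int(q["e"][0])
        nonce = q["n"][0]
        sig = q["s"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    expected = _signature(payment_id, amount_pence, expires, nonce, secret)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    current = int(now if now is not None else time.time())
    if current > expires:
        return False, "expired"
    if used_nonces is not None:
        if nonce in used_nonces:
            return False, "already used"
        used_nonces.add(nonce)
    return True, "ok"

if __name__ == "__main__":
    link = make_payment_link("https://pay.example.test/p", "pay_123", 4999, 900)
    print(link)
    print(verify_payment_link(link, used_nonces=set()))
```

Rejecting on signature before looking at expiry or the nonce store means an attacker who can only guess parameters gets one constant-time comparison and no information about which payment references or nonces exist.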
Third-Party Cloud-Based Payment Solution (19%)
19% of survey respondents use third-party cloud-based payment solutions. Using a hosted or cloud-based solution to collect card data at the network level means that no cardholder data is passed into the contact centre environment at all, whether infrastructure, agents or storage. As such, this can be seen to de-scope the entire contact centre from PCI compliance.
Like any cloud or hosted solution, it relies heavily upon the security processes and operational effectiveness of the service provider, although the provider's PCI DSS Attestation of Compliance (AOC) and external audits, along with regular penetration testing, may well show a higher level of security than is present in-house.
A cloud-based payments provider can also offer a number of payment channels (e.g. web, IVR, SMS, live phone, etc.), and enable recurring payments to be made securely without having to repeat card entry, through tokenisation.
People & Process
The PCI SSC Information Supplement states that “people represent the highest risk when it comes to the security of data, whether compromises are intentional or accidental.”
Some of the risks involved include:
- Misuse of data and access privileges (insider threat)
- Employees being compromised by external criminals (e.g. through blackmail or threats)
- Copying of card data through removable hardware, keylogging software or photographing screens / copying onto paper, handheld recorders etc.
- Opening of fraudulent phishing emails which install malware or look to steal data. ‘Spear phishing’ is targeted towards a specific individual or business, and may come from an ostensibly trustworthy source.
- Homeworkers’ physical locations are likely to be accessible to non-employees.
Businesses must be aware that PCI compliance and general data security is not just about implementing technology, but also requires ongoing training, reminders and checks on what employees are doing.
Improving Manual Processes and Agent Training (55%)
After pause and resume, the second-most widely used fraud prevention method is improving manual processes and agent training. The biggest risk in any organisation relating to data theft is its staff, not necessarily as fraudsters but through laxity in taking proper care of data, and the relatively low cost of training and education about the risks can go a long way in making staff vigilant to perils such as phishing emails. A phishing email can lead staff to innocently let attackers into the system, and this is a far bigger risk than a rogue staff member writing down the occasional card number.
Clean Rooms (33%) and Dedicated Payment Teams (15%)
Some organisations set up dedicated payment teams, working away from other agents, often in a clean room environment with no pens, paper or mobile phones, so that customers can be passed through this team to make payment. As these agents have a single responsibility, handling card payments, they are sometimes underutilised, while at other times there can be a queue of customers waiting to make payments.
In terms of the customer experience, this latter scenario is suboptimal. For the agents, a clean room is generally not seen as a particularly pleasant working environment, being spartan of necessity, and it raises staff attrition as a result. Not being able to be in touch with the outside world, for example with children or schools, can be a significant problem for some agents. It has been estimated that it costs around £2,000 per agent per year to create and maintain a clean room environment.