New technologies help combat contact centre payment crimes

Contact centres face real challenges in meeting rigorous compliance regulations

September 21, 2012

Contact centres face real challenges in meeting rigorous compliance regulations for taking telephonic payments and in protecting themselves and customer card data from fraudulent card use.

Says Mark Edwards, director of product and services at Intuate Group, a privately owned, broad-based IT company that focuses on providing professional integrated technology: “Today’s contact centres risk data breaches from many potential sources, both internally and externally. Modern contact centres essentially present two opportunities for fraudsters. They are firstly a source from which to harvest card data and secondly, a target where such stolen cards can be used. Chip and PIN protects bricks-and-mortar establishments and 3D Secure does the same for online transactions. Phone payments, however, remain vulnerable.”

The telephone element presents two challenges for contact centres. Firstly, how do they protect their customers’ card data and secondly, how do they protect themselves from fraudulent card usage?

The answer, says Edwards, lies in deploying new technology and systems. “The Payment Card Industry Data Security Standard (PCI DSS) compliance programme sets out to combat fraud and protect consumer card data. It applies to all organisations that store, process or transmit cardholder information from any of its members’ cards, including Visa, MasterCard, American Express, Discover and JCB.”

He adds that the larger organisations are obliged to have annual compliance assessments carried out by an independent qualified security assessor (QSA), while smaller companies can use a “self-assessment” questionnaire.

There are 12 requirements grouped under six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

“The main source of card data for fraudsters has been non-encrypted stored card data, mined by fraudsters using a technique called SQL injection. While it is not the most common vulnerability, its potential for bulk extraction of sensitive data makes it a serious threat.”

Edwards adds that PCI DSS is slowly eliminating this card data source by having merchants either remove card data from their environments or protect the data through encryption. However, this has resulted in fraudsters moving on to gathering card data in transit, and major frauds have occurred through this means.

“Contact centres, like point of sale and e-commerce applications, have customer relationship management (CRM) systems where data can be vulnerable but also have a source of card data at rest and another source in card data in transit.

“Card data can be at rest in call recordings and in transit using voice over IP (VoIP) and these are both points that are vulnerable to attack. It is therefore critical to examine how card data can be securely entered into the contact centre CRM and equally critical for contact centres to protect themselves with PCI DSS in the vulnerable areas.”

Edwards stresses that as soon as any agent has access to card data, having heard it spoken by a caller or through the CRM system, the contact centre is at risk from fraud. The risk should not be underestimated as statistics on agent-based contact centre fraud underline the seriousness of the situation.

In 1999, there were 9,000 cases of identity fraud reported in the UK. By 2010, this had escalated to 102,600. More than 80 percent of official institutions believe that mass data compromise is a growing threat: 71 percent reported credit and debit card fraud and 32 percent implemented solutions to take on internal fraud.

“The result is that many contact centres have implemented or are choosing to implement clean room environments to protect card data. This includes providing lockers for all contact centre workers, banning personal items within the work area, logging all visitors, CCTV monitoring, prohibiting paper, pens, mobile phones, web and e-mail access, implementing agent supervision, checking on agent backgrounds, implementing policies to protect card data within the contact centre and masking card data on all systems.”

Some organisations have been vilified by the media for even a single breached card, which in itself is a compelling reason to take card data out of the contact centre. Criminal gangs can target call centre staff and place them under duress to steal card data. However, it is possible to remove those risks from employees so that there is simply no card data to extort.

“Improved customer satisfaction, greater efficiency and effectiveness through DTMF-based solutions bring substantial benefits to the contact centres in which they are deployed and by shielding all data from agents the possibility of agent fraud is virtually eliminated,” concludes Edwards.
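The article names the DTMF-based approach but does not show how it keeps card data away from the agent, the CRM and the call recording. The following Python sketch is an added illustration, not Intuate Group’s product or any vendor’s code: it models a capture component sitting between the telephony platform and the agent desktop. While capture is active, keypad digits are accumulated in the component and never forwarded; the agent screen and the recorder receive only placeholders, the number is Luhn-checked, and only a PCI DSS-style masked form (first six and last four digits) plus a token from a stub tokeniser reach the agent. A separate helper scrubs Luhn-valid digit runs from transcript text, for the case of a caller reading the number aloud, which still reaches the agent’s ear and so remains the exposure the article warns about. The event model, the `#` terminator, the text markers standing in for tone suppression and the random-token tokeniser are all assumptions made for this example.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class Event:
    """One item on the call leg (assumed model): caller speech as transcript text, or one keypad press."""
    kind: str       # "speech" or "dtmf"
    payload: str    # transcript text, or a single keypad character


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, the standard card-number checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS requirement 3.3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries
_PAN_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_spoken_pans(text: str) -> str:
    """Scrub a card number that a caller read aloud from transcript text.
    Only Luhn-valid digit runs are replaced, so order and phone numbers survive."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN redacted]" if luhn_ok(digits) else m.group(0)
    return _PAN_RUN.sub(repl, text)


def stub_tokeniser(pan: str) -> str:
    """Stand-in for the payment provider's tokenisation call (assumption: it returns a random surrogate)."""
    return "tok_" + secrets.token_hex(8)


class DtmfCapture:
    """Sits between the telephony platform and the agent desktop, CRM and recorder.
    While capture is active, keypad digits stay here and are never forwarded."""

    def __init__(self, tokeniser=stub_tokeniser):
        self.tokeniser = tokeniser
        self.capturing = False
        self.digits = ""
        self.agent_view = []    # what the agent screen and CRM receive
        self.recording = []     # what the call recorder stores

    def start_capture(self):
        """Agent clicks 'take payment': keypad input is now diverted to this component."""
        self.capturing, self.digits = True, ""

    def handle(self, ev: Event):
        if ev.kind == "dtmf" and self.capturing:
            if ev.payload == "#":                       # caller signals end of entry
                return self._finish()
            self.digits += ev.payload
            self.agent_view.append("*")                 # agent sees progress, not the digit
            self.recording.append("[dtmf suppressed]")  # recording never holds the tone
            return None
        # Everything else passes through; spoken PANs are scrubbed from the recording only
        self.agent_view.append(ev.payload)
        self.recording.append(redact_spoken_pans(ev.payload))
        return None

    def _finish(self):
        pan, self.digits, self.capturing = self.digits, "", False
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            self.agent_view.append("card rejected: ask caller to re-enter")
            return {"status": "rejected"}               # bad number is discarded, not shown
        result = {"status": "ok", "masked": mask_pan(pan), "token": self.tokeniser(pan)}
        self.agent_view.append(f"card {result['masked']} accepted, token {result['token']}")
        return result


def demo():
    """Constructed call fragment: the caller keys a well-known test PAN on the keypad."""
    capture = DtmfCapture()
    capture.handle(Event("speech", "I'd like to pay the balance now."))
    capture.start_capture()
    result = None
    for ch in "4111111111111111#":
        r = capture.handle(Event("dtmf", ch))
        if r is not None:
            result = r
    capture.handle(Event("speech", "Done, did that go through?"))
    return result, capture.agent_view, capture.recording


if __name__ == "__main__":
    res, agent, rec = demo()
    print(res, agent, rec, sep="\n")
```

The design point is where the PAN lives: only inside `DtmfCapture` between the first digit and the `#`, after which it is exchanged for a token and dropped. Anything the agent can see or the recorder can store is already masked, which is what makes the clean-room controls listed earlier a second line of defence rather than the only one.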