Why credit cards and contact centres shouldn’t mix

Credit card fraud is a tough nut to crack. Tightening regulation, a cooperative financial sector and smart technology solution have all played a part in making credit card payments safer, however the weak link in the chain remains the contact centre. One of the main reasons contact centres are such an attractive target for fraudsters is the huge concentration of Card Not Present (CNP) transactions being processed on a daily basis.

CNP transactions are those that take place online, over the telephone or by mail order where it is difficult to prove the actual cardholder is indeed authorising the purchase. Given the inconsistent and often varying levels of security operating at contact centres, exploiting these vulnerabilities for potentially huge gains counts among the top temptations for credit card criminals.

> See also: Advanced analytics: another line of defence in the battle against insurance fraud

Whilst measures such as 3-D Secure have improved the security of CNP transactions performed online, telephone and mail order transactions remain vulnerable. Many customers phone contact centres instead of paying online because they prefer to speak to a 'real person', not realising they are placing the security of their card information in the hands of a complete stranger.

Contact centre staff don’t need to have malicious intentions for payment fraud to happen. Consider the following scenario, the contact centre equivalent of writing one’s password on a post-it note and sticking to the computer. During a recent contact centre audit, a site auditor witnessed agents manually writing down phone payment details as part of the business continuity policy in case the IT systems went down mid-transaction.

This information was then entered into a pin pad to complete the transaction. If the transaction failed for any reason, the pin pad slip and hand written card details were simply discarded into bins under the agents’ desks, information intact. When the auditor asked where the successful transactions were kept, he was taken to an unlocked office full of pin pad slips. The staff member proudly showed him how they were held together with bulldog clips to prevent them blowing away or getting mixed up!

Not all errors are this obvious, or innocent. In a chaotic environment with lax physical or digital security, insiders can easily give in to temptation, or be coerced into wrongdoing by criminal gangs.

A few years ago, CIPHER (an independent security auditor and Quality Security Assessor) was asked to investigate suspicious activity for a bank that had noticed unauthorised use of credit cards taking place.

It was able to track the problem back to a contact centre employee who was entering the building outside their normal shift pattern and using a co-worker’s computer to access customer card details. It turned out that the employee in question was part of an organised crime gang, who had compromised over 15,000 credit cards in this manner.

Luckily, there have been impressive advances in technology in recent years as well as increased awareness of the threat against our personal information, especially cardholder data. The problem remains that few credit card fraud solutions address the insider threat.

> See also: How the 7 myths of PCI-DSS are holding back compliance

So, what can be done? Here are the top three areas firms should review within their contact centres.

Keep up with PCI DSS standards

This should be the bare minimum and will go along way to address the insider threat. However, compliance does not equal security. Ultimately the best way to ensure cardholder information is completely safe is to make sure it never enters the contact centre environment in the first place.

Criminals can’t steal what isn’t there

Solutions such as Dual Tone Multi Frequency (DTMF) secure phone payment processing can do just this. With DTMF payment technology in place, the customer is asked to enter their card number into the telephone keypad instead of reading it out loud to the agent.

These tones are then captured before they enter the contact centre, so the agent is never privy to it. Instead, the agent sees asterisks appearing as the customer enters their details via the keypad, and receives a confirmation once the payment has been successfully completed.

Don’t hold onto legacy records longer than you need to

Contact centres do need to retain certain records for compliance and, often, internal reasons. But staff need to be trained to avoid the temptation to hoard data, either manual records such as the scribbled down numbers from the earlier anecdote, or recordings. Store only what you need for compliance purposes, and do so off-site with an accredited secure service provider.

Finally, remember that combatting credit card fraud from within the contact centre requires an understanding of how the criminals work as well as what actually goes on in a contact centre. As the threat landscape changes, criminals are increasingly drawn to contact centres as one of the few remaining ways to exploit CNP transactions.

Until credit card companies can roll out a viable global solution to the remaining CNP security vulnerabilities, contact centres will continue to be a prime target. In the meantime, the best way to protect vulnerable credit card information is to stop payment data from ever entering the contact centre environment.

Sourced from Matthew Bryars, CEO of Aeriandi

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...