New Research Reveals Payment Card Data Security Vulnerabilities in Contact Centers

November 23, 2017 | By: Tim Critchley

Even in today’s digital age, consumers often prefer to speak on the phone with a live agent when making a purchase or paying an outstanding bill. In fact, a study by Google showed that 61 percent of mobile users call a business when they’re in the purchase phase of the buying cycle. While speaking to a live agent may provide a better customer experience, a new survey of contact center agents across the globe revealed some alarming practices used for collecting and handling customers’ payment card data.

Since the conversion of point-of-sale payment systems to EMV chip readers, which are more difficult to compromise, cybercriminals and fraudsters have shifted their focus to card-not-present (CNP) transactions – such as those that take place over the phone in contact centers. From payment card data to addresses, account numbers, social security numbers (SSNs) and more, contact centers collect, process and hold significant amounts of consumers’ personally identifiable information (PII). To better understand how contact centers are handling this sensitive data, Semafone surveyed more than 500 agents across industries about their organizations’ data security practices. Despite the increasing threats targeting contact centers, many organizations continue to use outdated, risky practices when it comes to payment card data security and fraud prevention.

For example, more than 70 percent of contact center agents reported that their organizations require callers to read their payment card information aloud. This outdated practice unnecessarily exposes the caller’s payment card numbers to agents, who could potentially write down the numbers for their own malicious, personal use. Additionally, the payment card information could be captured on call recording systems where it may be vulnerable in the case of a data breach. Plus, if Sensitive Authentication Data (SAD) is recorded, the contact center is violating the Payment Card Industry Data Security Standard (PCI DSS).

Furthermore, 30 percent of contact center agents surveyed revealed that they have access to customers’ payment card information and other sensitive data even when they are not on the line with the customer. This means that a rogue agent (or an otherwise good employee who has been bribed or coerced) could access a customer’s payment card numbers for fraudulent use, or even for selling on the black market. The survey confirmed that these acts are indeed happening in contact centers: 7 percent of agents said they have been approached by someone inside their organization to illicitly access or share customer PII, and 4 percent had been approached by someone outside their organization to do the same.

These percentages may appear small, but considering that there are 2.2 million contact center agents in the U.S. alone, it is possible that thousands of agents have been approached at some point in their career to illicitly access or share customer data. Worse, 42 percent of those who had experienced these breach attempts admitted that they did not report the situation to management or law enforcement.

Now, it’s important to note that most contact center agents are not malicious. Most are honest and hard-working employees. However, these survey findings highlight the need for enterprises to do more to strengthen data security practices within their contact centers. It only takes one successful breach attempt – one rogue agent, one honest mistake or one determined hacker – to compromise the payment card information of millions of consumers and ruin the reputation of a business.

One of the most effective methods for protecting consumers’ card data is to keep it out of the contact center infrastructure in the first place. Dual-tone multi-frequency (DTMF) masking technologies enable callers to input their payment card information on the telephone keypad rather than speak it aloud. Keypad tones are replaced with flat tones, preventing agents and nearby eavesdroppers from deciphering the numbers, and call recordings from capturing the data. Unlike interactive voice response (IVR) systems, DTMF masking solutions allow agents to remain in full voice communication with callers as data is entered, ensuring a positive customer experience. Most importantly, card information is encrypted and sent directly to the payment processor, so it never touches the business’s IT infrastructure.

In addition to using DTMF masking solutions, contact centers should enforce the principle of least privilege, which means giving agents the minimum level of access required to perform their job function at the appropriate time. If the agent doesn’t need to view customer payment card data when a phone transaction isn’t taking place, then they shouldn’t have access to it.
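The two controls described in the preceding paragraphs, DTMF masking with direct tokenization by the processor and least-privilege access for agents, can be pictured as one small pipeline. The following Python simulation is an added example and is not Semafone's product code or any real telephony API: the call is a constructed list of voice fragments and keypad events, the "processor" is a stand-in function that returns a token and the last four digits, and the agent session, audit log and card number are all made up for illustration. It shows that the keyed digits are replaced by flat tones on both the agent's and the recorder's stream, that only a token ever lands in the contact center's record, and that even the masked reference is released only while a transaction is active.

```python
import secrets
from dataclasses import dataclass

# Constructed sample call: voice fragments interleaved with keypad presses.
# The caller keys a (test) card number; '#' ends entry; the agent stays on the line.
SAMPLE_CALL = [
    ("voice", "agent: please key in your card number on your keypad now"),
    ("dtmf", "4"), ("dtmf", "5"), ("dtmf", "3"), ("dtmf", "9"),
    ("dtmf", "1"), ("dtmf", "4"), ("dtmf", "8"), ("dtmf", "8"),
    ("dtmf", "0"), ("dtmf", "3"), ("dtmf", "4"), ("dtmf", "3"),
    ("dtmf", "6"), ("dtmf", "4"), ("dtmf", "6"), ("dtmf", "7"),
    ("dtmf", "#"),
    ("voice", "caller: done"),
    ("voice", "agent: thanks, I can see that went through"),
]

FLAT_TONE = "<flat-tone>"   # what agent and recorder hear instead of each keypress


def luhn_valid(pan: str) -> bool:
    """Luhn check on a string of digits (catches mis-keyed numbers before they go out)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_call(events):
    """Split the call: DTMF digits go to a private buffer, flat tones go to everyone else.

    Returns (agent_audio, recording_audio, keyed_digits)."""
    agent_audio, recording_audio, digits = [], [], []
    for kind, payload in events:
        if kind == "dtmf":
            agent_audio.append(FLAT_TONE)        # agent's headset never gets the tone
            recording_audio.append(FLAT_TONE)    # neither does the call recorder
            if payload != "#":
                digits.append(payload)
        else:
            agent_audio.append(payload)          # normal speech passes through
            recording_audio.append(payload)
    return agent_audio, recording_audio, "".join(digits)


def processor_tokenize(pan: str) -> dict:
    """Stand-in for the payment processor (hypothetical): validates the PAN and
    hands back a token plus last four. The PAN itself is never returned."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid card number")
    return {"token": "tok_" + secrets.token_hex(8), "last4": pan[-4:]}


def handle_payment_call(events):
    """Run the masking layer, send the PAN straight to the processor,
    and keep only the token and last four in the contact center's own record."""
    agent_audio, recording_audio, pan = mask_call(events)
    reference = processor_tokenize(pan)          # PAN leaves here and is not stored
    record = {"token": reference["token"], "last4": reference["last4"]}
    return agent_audio, recording_audio, record


@dataclass
class AgentSession:
    agent_id: str
    transaction_active: bool   # True only while this agent is taking a payment


AUDIT_LOG = []   # constructed in-memory audit trail


def view_card_reference(session: AgentSession, record: dict) -> str:
    """Least privilege: an agent sees only the masked reference, and only while a
    transaction is in progress; every decision is written to the audit log."""
    if not session.transaction_active:
        AUDIT_LOG.append(f"DENY agent={session.agent_id} token={record['token']}")
        raise PermissionError("no active transaction for this agent")
    AUDIT_LOG.append(f"ALLOW agent={session.agent_id} token={record['token']}")
    return f"**** **** **** {record['last4']}"


if __name__ == "__main__":
    agent_audio, recording_audio, record = handle_payment_call(SAMPLE_CALL)
    print("agent hears:   ", " ".join(agent_audio))
    print("recorder gets: ", " ".join(recording_audio))
    print("stored record: ", record)
    print(view_card_reference(AgentSession("agent-17", True), record))
```

The point of the simulation is where the digits end up: `mask_call` is the only function that ever sees them, `processor_tokenize` is the only place they are consumed, and nothing in `record`, `agent_audio` or `recording_audio` contains the card number. Deployed systems do this replacement in the telephony layer and encrypt the digits to the processor; the access check on the stored reference is the part a contact center can enforce on its own.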

Ultimately, the crux of the situation is that consumers’ sensitive payment card information is being exposed to agents, held in multiple business systems and captured on call recordings – just waiting to be compromised. The best way to reduce risk is to keep that data out of the contact center environment completely. After all, they can’t hack data you don’t hold.