With card fraud and identity theft continuing to hit the headlines, Jason Roos, CEO of Cirrus, discusses how call centres can navigate the options to ensure both PCI DSS compliance and the best possible customer experience.
Data breaches continue to challenge and cost businesses
In today’s increasingly cashless society, customers rely more and more on credit and debit cards for payments. Whether buying goods online or paying bills over the phone, they happily relay account and credit card details to a contact centre agent without a second thought, trusting that the company they are dealing with will manage their card data securely. But how secure are they?
According to UK Finance (the collective voice for the UK banking and finance industry representing more than 250 firms across the industry), the theft of personal and financial data through social scams and data breaches was a major contributor to fraud losses in 2018.
In fact, in 2018 data breaches involving just three well-known brands are reported to have resulted in the attempted compromise of around 6.3 million payment card details. The Information Commissioner’s Office (ICO) reports that during the second quarter of 2018/19, there was a total of 4,056 data security incidents. Worryingly, information stolen through a data breach can be used for months – or even years – after the event.
PCI DSS compliance – the challenges
Card fraud is a threat that the finance industry cannot tackle alone, which means that it is the responsibility of every company in the chain to take preventative measures and secure data. If a business loses a customer’s card data (i.e. suffers a data breach) and is not PCI DSS compliant, it could incur fines for the data loss and be liable for the costs of the resulting fraud and of replacing the affected accounts, not to mention the reputational damage, which may mean losing even its most loyal customers.
Yet for many businesses, compliance means expense and changes to IT infrastructure that they can ill afford. According to Verizon’s 2019 Payment Security Report (PSR), there has been a negative trend globally in the number of companies reporting full compliance with PCI DSS. Assessments from other Qualified Security Assessor (QSA) companies also show lower full compliance. Since 2008, Verizon has tracked the percentage of organisations that achieve PCI DSS compliance and, as noted in previous editions of the PSR, it has varied from a low of 11.1% in 2012 to a high of 55.4% in 2016, dipping well below 40% (36.7%) in 2018.
While these statistics show improvement, when the PCI Security Standards Council first published the PCI DSS in 2004, it was expected that organisations would achieve effective and sustainable compliance within about five years. Today, less than half maintain programmes that prevent PCI DSS security controls from falling out of place within a few months of meeting the formal compliance requirements.
One size does not fit all
Depending on the merchant level (i.e. how many card payments are taken), businesses can either self-certify PCI compliance or use a Qualified Security Assessor (QSA) accredited by the PCI SSC. Only Level 1 merchants, those with over 6 million transactions per year or who are a ‘Compromised Entity’ (having experienced attacks before), must have an annual on-site QSA audit rather than completing one of the self-assessment questionnaires (SAQs) available under the current PCI DSS standards.
Recognising that one size does not fit all, and that smaller and less at-risk companies should not have to complete the same list of requirements as a large multinational, the recent PCI DSS 3.0 Standard also introduced a number of different types of SAQ (a list and explanation of each SAQ is available from the PCI Security Standards Council). Many contact centres do not require a full audit with a QSA, and self-assessment questionnaires are becoming far more popular.
The view from the contact centre
The need for many contact centres to record calls, for security and training purposes, makes protecting the data more difficult. There is no single right way to handle payments in order to be PCI DSS compliant, but whichever approach a company chooses, it must meet the security level the standard requires in order to achieve compliance.
There are many methods available that contact centres can employ to prevent card fraud, and technology plays an important part in these practices. However, it can be a complex and costly technical process to set up and follow. To reduce these costs and comply with the standards, many organisations’ call centres choose to minimise (often called ‘de-scoping’) or eliminate altogether the customer card data that they hold in their systems. Not holding on to data reduces the risk that customers will be affected by fraud.
Offering different payment options means checking every possible area of security exposure in the payment process. The latest UK Contact Centre Decision-Makers’ Guide (DMG), published by analyst ContactBabel, outlined eleven different ways in which contact centres currently attempt to reduce card fraud. Ranging from technology solutions to physical methods such as clean rooms, where pens, paper and mobiles are prohibited, the different ways of processing card payments each have their pros and cons:
- offering pause and resume – or ‘stop-start’ – recording, which prevents sensitive and confidential data from entering the call recording environment. Cheaper to implement than almost any other option, it offers high levels of customer service but is inherently unreliable, because it depends on the agent following the process every time.
- having ‘clean rooms’ (where nothing can be written down and no paperwork is allowed on desks) or dedicated payment teams. Agents can sometimes be underutilised, or queues can form while customers wait to make payments, but these arrangements do provide the best customer experience. However, they are not considered a particularly pleasant working environment and can be expensive to operate.
- implementing an Interactive Voice Response (IVR) payments system, an option often used by large contact centres. An automated IVR process takes card details from the customer, removing the agent, and the associated risk, from the loop entirely. However, the card data is still within the organisation’s network, so although this approach takes the agent out of scope, it does not in itself ensure PCI compliance, and it is a cumbersome user experience.
- using a PCI DSS compliant third-party provider to handle the data, so that no cardholder data is passed into the contact centre environment, whether infrastructure, agents or storage. This can de-scope the entire contact centre from PCI compliance, but it does rely on the security processes and operational effectiveness of the service provider.
New ways to pay with digital channels are ringing the changes
There are also recent new ways to pay that make it even easier for customers. As an example, Cirrus’ new LinkPay+ service (a partnership with Semafone) sends the customer a secure payment link via any digital channel (such as web chat, WhatsApp, SMS, Facebook Messenger etc.) while they are on the phone, or conversing with the contact centre agent or bot over one of those digital channels. Customers typing card details directly into a web chat is high risk: in a contact centre, quality assessors, team leaders and tech support staff could all look up the chat history and potentially pull out the card details.
Providing a service like LinkPay+ means the customer can enter their card details on a secure web page with confidence. The agent or bot on the call doesn’t see the card information, only a checklist of the steps completed. This means the purchase can be completed during the call or chat, saving the customer the hassle of ringing a different number or visiting a website (with the risk of losing the sale). It is more convenient for the customer than entering card details over the phone using the keypad, and help and advice can be given while they are on the phone or online.
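The pause-and-resume item in the list above and the web chat risk described here share the same failure mode: a card number that should never have reached the recording or transcript store sometimes does, because an agent forgot to pause or a customer simply typed it into the chat. A compensating detective control is to scan stored transcripts for Luhn-valid card numbers, mask them and flag the lines for follow-up. The Python below is an added illustration of that control, not code from Cirrus, Semafone or LinkPay+; the transcript lines and the card numbers in them are constructed (the two card numbers are the well-known Visa and Mastercard test values, not real accounts).

```python
import re
from typing import List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, not preceded or followed by another digit (so a 20-digit reference
# number is not split into a "card" plus leftovers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in text, keeping only the last four digits.

    Returns (redacted_text, number_of_card_numbers_found). Digit runs that fail
    the Luhn check (order references, most phone numbers) are left untouched,
    which keeps false positives low without needing a list of card prefixes.
    """
    found = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal found
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        found += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, text), found


def scan_transcript(lines: List[str]) -> Tuple[List[str], List[int]]:
    """Redact a chat or call transcript line by line.

    Returns the redacted lines and the indices of lines that contained a card
    number, so the leak can be reported to whoever owns the pause/resume or
    chat-handling process.
    """
    redacted: List[str] = []
    leaked: List[int] = []
    for i, line in enumerate(lines):
        new_line, count = redact_pans(line)
        redacted.append(new_line)
        if count:
            leaked.append(i)
    return redacted, leaked


# Constructed sample transcript: an order reference and a phone number that must
# NOT be masked, and two test card numbers (Visa / Mastercard test values) that must.
SAMPLE_TRANSCRIPT = [
    "agent: Hi, I can take that payment for you now. Order ref is 1234567890123.",
    "customer: sure, the card is 4111 1111 1111 1111, expires 12/25",
    "agent: Thanks. Can I confirm your phone number ends 07700 900123?",
    "customer: yes, and the other card is 5555555555554444",
]

if __name__ == "__main__":
    cleaned, leaked_lines = scan_transcript(SAMPLE_TRANSCRIPT)
    for line in cleaned:
        print(line)
    print("lines containing card data:", leaked_lines)
```

Run this over exported transcripts or speech-to-text output of recordings as a periodic check; any hit means the de-scoping control failed for that interaction and the underlying record needs purging, since a redacted copy does not remove the original from scope.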
There are also plans for this technology to tie in with Apple Pay and Google Pay in the future, which will make it even easier for customers to pay securely, confident that they are protected from card fraud.
Being compliant with PCI DSS means that companies are doing their best to keep customers’ valuable information safe, secure and out of the hands of people who could use that data fraudulently. At the end of the day the responsibility for compliance lies with the merchant; the key is to choose the right technology solution that fits the organisation and delivers the best possible customer experience.
About the Author
Jason Roos is CEO of Cirrus. Cirrus delivers business benefits made possible by its Contact Centre as a Service (CCaaS) cloud platform. Modern technology and a team with many years of experience working in and around the contact centre provide a recipe for business transformation success.