Why The Contact Center Should Be A Security Priority in 2019

by Ben Rafferty
March 1, 2019
in Industry Opinions, Security

With so much technological advancement happening so quickly, we’ll see more malicious attackers — both internal and external — working harder than ever in 2019, using both old and new attack techniques to exploit consumers and organizations of all sizes. As a result, organizations are now more aware of the financial and reputational dangers of lax data practices and are heavily investing in proper data security and compliance solutions. And, with new US data regulations on the horizon, we can expect to see companies both updating their IT infrastructure and ensuring staff are well educated to help them stay out of the data breach news headlines. But who exactly will be the prime targets for these sophisticated hackers? And how can they best prepare themselves to stave off a potential future attack?

Contact Centers – More Desirable Hacking Target Due to Their Volume, Frequency and Variety of Data

The contact center is often seen as a high-risk area for data security compromises. Because contact centers process and store a host of Personally Identifiable Information (PII) – including payment card data and social security numbers (SSNs) – they are prime targets for fraudulent activity. However, external threats (like hackers and phone scammers) aren’t the only ones eyeing the contact center’s PII goldmine, as those inside the organization can also put sensitive data at risk. Potential insider threats can come from contact center agents and customer service representatives (CSRs), who may be tempted to copy down verbalized customer payment card data; to coerce or bribe a colleague into sharing PII; or even accidentally leak data by human error or by falling victim to a phishing attack. While the vast majority of agents are diligent, customer-focused and trustworthy, it only takes one employee succumbing to curiosity to violate compliance laws and potentially cause a massive data breach.

A recent survey of 500 contact center agents across industries around the globe revealed the dire state of contact center data security. The survey revealed that a concerning number of contact centers rely on outdated, risky practices for customer interaction, data collection and fraud prevention:

Contact centers still use data collection and customer interaction practices that create opportunities for potential agent fraud and leave data vulnerable to a breach.

  • 72 percent of agents who collect credit/debit card information or social security numbers (SSNs) over the phone require customers to read numbers aloud, despite there being readily available technologies that secure voice transactions
  • 30 percent reported that they have access to customers’ payment card information or SSNs on file even when they’re not on the phone with the customer

Because of these lax data security practices, agents are unfortunately experiencing and witnessing breach attempts from both insiders and outsiders:

  • 7 percent of agents admitted that someone inside their organization has asked them to access or share customers’ payment card information or other sensitive data
  • 4 percent said the same about someone outside their organization
  • 9 percent said they personally know someone who has unlawfully accessed or shared customers’ payment card information

What Contact Centers Can Do To Combat Payment Security Concerns

As data privacy and security remain top-of-mind for consumers, it’s imperative that contact centers take the necessary precautions to mitigate data theft – both internally and externally – and keep their brand names out of reputation-damaging headlines. Here are some key initial steps to take:

  1. Vet all potential hires: Even if you need to hire someone as soon as possible, make sure to take the time to perform background checks – even on temporary hires.
  2. Spend time to train employees: Implement specialized training and hold seasonal employees to the same security practice standards as full-time employees. Run through real-world scenarios and describe the ideal response, as well as the repercussions of a breach.
  3. Emphasize security basics: Reinforce security best practices, including locking computers when leaving a workstation and enforce the requirement to regularly change passwords. Roll out clear steps to report breach attempts, security incidents or anything suspicious to management.
  4. Enforce the principle of least privilege user access (LUA) on all systems: This principle means that employees should have the minimum level of access to PII to perform their jobs at any given time.
  5. Segment networks to protect payment data: For instance, accept payments on systems that are entirely separate from day-to-day business activities, such as email.
  6. Focus on compliance: Perform a Payment Card Industry Data Security Standard (PCI DSS) audit, or at the very least, a self-assessment – do your due diligence and inspect your information security infrastructure and plan before major hiring efforts.

Resources to Help Contact Centers Understand Security and Compliance Essentials

In late 2018, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its newly revised guidance for Protecting Telephone-based Payment Card Data — a major information security resource for contact centers. Updated for the first time since 2011, this guidance underscores the urgency for protecting telephone-based payments in light of the evolving technology, and an ever-changing regulatory and fraud landscape.

The highly anticipated new guidance provides a much clearer path for contact centers looking to ensure compliance with the PCI DSS and provides critical recommendations on new technologies and processes for securing payment card data.

The new guidance brings more clarity on how contact centers can reduce PCI DSS scope and mitigate risks with the application of new technologies and tighter controls. Here’s a summary of the key recommendations that contact centers can act on:

  • Call Recorders Need Additional Controls: As call recordings may contain cardholder data (CHD) and sensitive authentication data (SAD), they must undergo additional controls. For example, recordings that contain CHD/SAD must be securely deleted, while the contact center should only allow single call recordings to be retrieved or listened to by an authorized senior manager. The guidance also provides considerations around monitoring the effectiveness of controls for call recordings with, in particular, Data Leak Detection and Data Leak Protection.
  • Pause-and-Resume Solutions Need More Supervision: Solutions based on the Pause-and-Resume approach, at best, may prevent the capture of CHD/SAD on call recordings. A proper Pause-and-Resume solution could reduce the applicability of PCI DSS by taking call recordings and storage systems out of scope, but the technology does not reduce PCI DSS applicability to the agent, nor their desktop, phone or chat environment. The new guidelines specify a need for greater supervision of manual systems and prescribe testing for automated systems.
  • VoIP, Softphones Must Be Segmented: The adoption of VoIP and softphones creates an opportunity for massive “scope creep,” as they are often connected to the desktop environment processing payments. Therefore, contact centers must segment their data and telephony networks; otherwise, they will require a host of additional PCI DSS controls.
  • Embrace Dual-Tone Multi-Frequency (DTMF) Masking: Recommendations for DTMF masking stand out within the guidance as one of the most effective solutions for keeping sensitive authentication data completely out of the contact center and maintaining PCI DSS compliance. DTMF masking solutions can be used to securely capture and process credit card payments taken over the telephone, without the need to pause and resume call recorders mid-call. But beware of “DTMF bleed”. The guidance warns that a misalignment of the masking risks DTMF digits being exposed, meaning card data is revealed and the organization is brought back into scope for PCI DSS. So, check that your solution has built-in bleed prevention!
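The call-recorder recommendation above mentions Data Leak Detection as a way to monitor whether recordings still contain cardholder data, and the DTMF masking recommendation warns that bleed can put card digits back into those recordings. The following scanner is an added example, not code from the article or from Semafone: it normalises constructed speech-to-text transcripts (spoken number words and spaced or hyphenated digit groups), then flags any recording holding a Luhn-valid 13–19 digit number so it can be access-restricted and securely deleted. The recording ids and transcripts are constructed for illustration.

```python
import re

# Constructed sample transcripts keyed by hypothetical recording ids (not real calls).
SAMPLE_TRANSCRIPTS = {
    "rec-0001": "agent: can I take the long number on the front of the card please. "
                "customer: four five three two zero one five one one two eight three zero three six six",
    "rec-0002": "customer: my order number is one two three four five six seven eight nine zero one two three",
    "rec-0003": "agent: thank you, your reference is 555-0100 and the ticket is closed.",
    "rec-0004": "customer: card is 4111 1111 1111 1111 expiry oh five twenty six",
}

# Spoken digits as they typically appear in speech-to-text output.
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def luhn_valid(digits: str) -> bool:
    """Luhn check: payment card numbers pass it, most other digit strings (order numbers, tickets) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def digit_runs(transcript: str) -> list:
    """Maximal digit runs; number words and space/hyphen-separated digit groups join into one run."""
    runs, current = [], ""
    for tok in re.split(r"[\s\-]+", transcript.lower()) + [""]:  # trailing "" flushes the last run
        tok = WORD_DIGITS.get(tok, tok)
        if tok.isdigit():
            current += tok
        elif current:
            runs.append(current)
            current = ""
    return runs


def mask_pan(pan: str) -> str:
    """Report findings as first six / last four so the finding report does not itself hold CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_recordings(transcripts: dict) -> dict:
    """Return {recording_id: [masked PANs]} for recordings that contain a Luhn-valid 13-19 digit number."""
    findings = {}
    for rec_id, text in transcripts.items():
        hits = [r for r in digit_runs(text) if 13 <= len(r) <= 19 and luhn_valid(r)]
        if hits:
            findings[rec_id] = [mask_pan(h) for h in hits]
    return findings
```

Running `scan_recordings(SAMPLE_TRANSCRIPTS)` flags rec-0001 and rec-0004 only: the 13-digit order number in rec-0002 fails the Luhn check and the 7-digit reference in rec-0003 is too short, so neither produces a false positive.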

The new guidance provides contact centers with a much deeper understanding of the new-age risks and recommends technologies and strategies to maintain compliance and keep customer payment card data safe. Following these guidelines, which were contributed by a wide variety of Subject Matter Experts, QSAs, technologists, merchants and vendors, would serve contact centers well, as they move towards accepting an even greater volume of payments over both traditional and new communication channels – such as VoIP, webchat, softphones and chatbots. We recommend that all contact centers do frequent audits of practices and technology solutions and consult with security and compliance professionals to ensure that they are adequately securing their customer data and protecting their organization from both insider threats and outside attacks.

Author Bio:

Ben Rafferty is responsible for heading up product Innovation at Semafone (www.semafone.com): advising on new product development and new markets and technologies to facilitate customer compliance programmes. Ben has been responsible for the deployment of Semafone’s award-winning solutions, and for the overall management of the company’s carrier cloud and cloud offering as well as gaining and maintaining Semafone’s own PCI DSS compliant status and associated Service Provider Listings.

Tags: Data Security, Semafone