With so much technological advancement happening so quickly, we’ll see more malicious attackers — both internal and external — working harder than ever in 2019, using both old and new attack techniques to exploit consumers and organizations of all sizes. As a result, organizations are now more aware of the financial and reputational dangers of lax data practices and are heavily investing in proper data security and compliance solutions. And, with new US data regulations on the horizon, we can expect to see companies both updating their IT infrastructure and ensuring staff are well educated to help them stay out of the data breach news headlines. But who exactly will be the prime targets for these sophisticated hackers? And how can they best prepare themselves to stave off a potential future attack?
Contact Centers – More Desirable Hacking Target Due to Their Volume, Frequency and Variety of Data
The contact center is often seen as a high-risk area for data security compromises. Because contact centers process and store a host of Personally Identifiable Information (PII), including payment card data and social security numbers (SSNs), they are prime targets for fraudulent activity. However, external threats (hackers and phone scammers) aren't the only ones eyeing the contact center's PII goldmine; people inside the organization can also put sensitive data at risk. Insider threats can come from contact center agents and customer service representatives (CSRs), who may be tempted to copy down verbalized customer payment card data or to coerce or bribe a colleague into sharing PII, or who may leak data accidentally through human error or by falling victim to a phishing attack. While the vast majority of agents are diligent, customer-focused and trustworthy, it only takes one employee succumbing to temptation, or one careless click, to breach compliance obligations and potentially cause a massive data breach.
A recent survey of 500 contact center agents across industries around the globe revealed the dire state of contact center data security: a concerning number of contact centers still rely on outdated, risky practices for customer interaction, data collection and fraud prevention.
Contact centers still use data collection and customer interaction practices that create opportunities for potential agent fraud and leave data vulnerable to a breach.
- 72 percent of agents who collect credit/debit card information or social security numbers (SSNs) over the phone require customers to read the numbers aloud, despite readily available technologies that keep this data out of the voice channel altogether
- 30 percent reported that they have access to customers’ payment card information or SSNs on file even when they’re not on the phone with the customer
Alongside these lax data security practices, agents report experiencing and witnessing breach attempts from both insiders and outsiders:
- 7 percent of agents admitted that someone inside their organization has asked them to access or share customers’ payment card information or other sensitive data
- 4 percent said the same about someone outside their organization
- 9 percent said they personally know someone who has unlawfully accessed or shared customers’ payment card information.
What Contact Centers Can Do To Combat Payment Security Concerns
As data privacy and security remain top-of-mind for consumers, it’s imperative that contact centers take the necessary precautions to mitigate data theft – both internally and externally – and keep their brand names out of reputation-damaging headlines. Here are some key initial steps to take:
- Vet all potential hires: Even if you need to hire someone as soon as possible, make sure to take the time to perform background checks – even on temporary hires.
- Invest time in training employees: Implement specialized training and hold seasonal employees to the same security standards as full-time employees. Run through real-world scenarios and describe the ideal response, as well as the repercussions of a breach.
- Emphasize security basics: Reinforce best practices such as locking workstations when stepping away and enforcing the password policy PCI DSS requires (under PCI DSS v3.2.1, Requirement 8.2.4 mandates a change at least every 90 days; note that NIST SP 800-63B now advises against forced periodic rotation, so put at least as much weight on multi-factor authentication, which PCI DSS requires for remote and non-console administrative access to the cardholder data environment). Roll out clear steps for reporting breach attempts, security incidents or anything suspicious to management.
- Enforce the principle of least privilege on all systems: Employees should have the minimum level of access to PII needed to perform their jobs at any given time. Grant access per role, revoke it when roles change or when an agent leaves, and log access to PII so it can be reviewed.
- Segment networks to protect payment data: For instance, accept payments on systems that are entirely separate from day-to-day business activities such as email. Segmentation only reduces PCI DSS scope if it actually holds, so have it tested (PCI DSS Requirement 11.3.4 calls for penetration testing that verifies segmentation controls at least annually).
- Focus on compliance: Undergo a PCI DSS assessment with a Qualified Security Assessor (QSA), or at the very least complete the applicable Self-Assessment Questionnaire (SAQ). Do your due diligence and inspect your information security infrastructure and plan before major hiring efforts.
Resources to Help Contact Centers Understand Security and Compliance Essentials
In late 2018, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its newly revised guidance for Protecting Telephone-based Payment Card Data — a major information security resource for contact centers. Updated for the first time since 2011, this guidance underscores the urgency for protecting telephone-based payments in light of the evolving technology, and an ever-changing regulatory and fraud landscape.
The highly anticipated new guidance provides a much clearer path for contact centers looking to ensure compliance with the PCI DSS and provides critical recommendations on new technologies and processes for securing payment card data.
The new guidance brings more clarity on how contact centers can reduce PCI DSS scope and mitigate risks with the application of new technologies and tighter controls. Here’s a summary of the key recommendations that contact centers can act on:
- Call Recorders Need Additional Controls: As call recordings may contain cardholder data (CHD) and sensitive authentication data (SAD), they require additional controls. SAD must not be retained after authorization, so recordings that contain it must be securely deleted or have the SAD rendered unrecoverable; recordings that contain CHD must be protected like any other stored cardholder data, and the contact center should only allow individual recordings to be retrieved or listened to by an authorized senior manager. The guidance also covers monitoring the effectiveness of these controls, in particular through data leak detection and data leak prevention (DLP) over the recordings.
- Pause-and-Resume Solutions Need More Supervision: Solutions based on the Pause-and-Resume approach can, at best, prevent the capture of CHD/SAD on call recordings, and only when the pause is triggered reliably. A proper Pause-and-Resume solution could reduce the applicability of PCI DSS by taking call recordings and storage systems out of scope, but the technology does not reduce PCI DSS applicability to the agent, nor to their desktop, phone or chat environment. The new guidelines specify a need for greater supervision of manual systems and prescribe testing for automated systems.
- VoIP, Softphones Must Be Segmented: The adoption of VoIP and softphones creates an opportunity for massive "scope creep," as they are often connected to the desktop environment processing payments. Contact centers must therefore segment their data and telephony networks; otherwise the telephony environment falls into scope and requires a host of additional PCI DSS controls.
- Embrace dual-tone multi-frequency (DTMF) masking: Recommendations for DTMF masking stand out within the guidance as one of the most effective solutions for keeping sensitive authentication data completely out of the contact center and maintaining PCI DSS compliance. The customer keys the card number into their phone keypad and the masking solution replaces the DTMF tones with flat tones before they reach the agent and the recorder, while the digits themselves are routed to the payment processor. This lets contact centers securely capture and process card payments taken over the telephone without pausing and resuming call recorders mid-call. But beware of "DTMF bleed": the guidance warns that if the masking is misaligned with the actual tones (for example, starting late or ending early), fragments of the real DTMF digits are exposed, card data is revealed, and the organization is brought back into scope for PCI DSS. So, check that your solution has built-in bleed prevention!
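The data leak detection control mentioned for call recordings above is easier to reason about with a concrete implementation. The following is an added example written for this page (not code from Semafone, the PCI SSC, or the guidance itself) of a post-call scan over a speech-to-text transcript: it finds candidate card numbers, keeps only those that pass the Luhn mod-10 check so that order references and other 16-digit strings survive, truncates genuine PANs to the last four digits (well within the PCI DSS first-six/last-four display limit), and blanks a security code that an agent has asked for by name. The transcript lines are constructed; the card numbers are the public Visa and Mastercard test PANs, and the assumption is that recordings have already been transcribed.

```python
import re

# Constructed sample transcript (speech-to-text of a recorded call). The card
# numbers are public test PANs (they pass Luhn but belong to nobody); the
# "order reference" is a 16-digit string that fails Luhn and must survive.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I take the long number on the front of the card?",
    "Customer: Sure, it's 4111 1111 1111 1111, expiry 09 24.",
    "Customer: and the code on the back is 123.",
    "Agent: Thanks. The order reference is 1234 5678 9012 3456.",
    "Customer: Actually use my other card 5500-0000-0000-0004.",
]

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits. The Luhn filter below removes most false positives.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Heuristic for sensitive authentication data (SAD): a 3-4 digit group shortly
# after a phrase agents typically use for the card security code. The keyword
# list is an assumption and should be tuned to the scripts your agents use.
CVV_CONTEXT = re.compile(
    r"(?i)(cvv|cvc|security code|code on the back)(\D{0,20}?)(\d{3,4})(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_transcript(lines):
    """Mask PANs (keeping the last four digits) and blank CVV-like digits.

    Returns (redacted_lines, findings); findings is a list of (line_index, kind)
    so a reviewer can see what was caught without seeing the data itself.
    """
    redacted, findings = [], []
    for idx, line in enumerate(lines):
        hits = []

        def mask_pan(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                return m.group(0)           # not a card number, leave untouched
            hits.append("PAN")
            return "*" * (len(digits) - 4) + digits[-4:]

        def blank_cvv(m):
            hits.append("CVV")
            return m.group(1) + m.group(2) + "*" * len(m.group(3))

        line = CANDIDATE_PAN.sub(mask_pan, line)
        line = CVV_CONTEXT.sub(blank_cvv, line)
        redacted.append(line)
        findings.extend((idx, kind) for kind in hits)
    return redacted, findings


if __name__ == "__main__":
    out, found = redact_transcript(SAMPLE_TRANSCRIPT)
    for line in out:
        print(line)
    print("findings:", found)
```

Two points worth noting from running this. First, the Luhn check is what makes the scan usable: without it, every long order or account reference becomes a false positive and analysts stop reading the findings. Second, the CVV rule is only a heuristic; a three-digit code spoken without any cue word is indistinguishable from any other number, and no text-based scan can reliably catch it. That is precisely why the guidance prefers keeping SAD out of the recording in the first place (DTMF masking) and treats detection over recordings as a check on those controls rather than a substitute for them.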
The new guidance gives contact centers a much deeper understanding of the current risks and recommends technologies and strategies to maintain compliance and keep customer payment card data safe. Following these guidelines, which were contributed by a wide variety of subject matter experts, QSAs, technologists, merchants and vendors, would serve contact centers well as they move towards accepting an even greater volume of payments over both traditional and new communication channels such as VoIP, webchat, softphones and chatbots. We recommend that all contact centers audit their practices and technology solutions frequently and consult security and compliance professionals to ensure that they are adequately securing customer data and protecting the organization from both insider threats and outside attacks.
Ben Rafferty is responsible for heading up product Innovation at Semafone (www.semafone.com): advising on new product development and new markets and technologies to facilitate customer compliance programmes. Ben has been responsible for the deployment of Semafone’s award-winning solutions, and for the overall management of the company’s carrier cloud and cloud offering as well as gaining and maintaining Semafone’s own PCI DSS compliant status and associated Service Provider Listings.