The risks of payment card fraud and data breaches haunt contact centre managers – Article by Curtis Nash CEO and Founder of Cognia
No wonder. Last year, 700 million records were exposed in data breaches with an estimated financial loss of £256 million and stolen credit card details sell for up to £13 each on the black market.
There is a clear and present danger to companies that process payment card data in call and contact centres. Despite this, a recent report by ContactBabel highlights a surprising level of complacency and an opportunity to make quick improvements by replacing outdated ‘pause-and-resume’ recording technology.
Your customer data at risk
The threats are evolving and constant so companies need to review and update their controls regularly to stay ahead of the criminals. In this context, it may not be a viable strategy to rely on measures that are merely ‘good enough’, or controls that worked in the past.
Similarly, it may not be enough to meet the high standards of PCI DSS compliance at a single point in time while ignoring the need for ongoing security. Indeed, PCI DSS version 3.0 already recommends more business-as-usual control measures than previous versions, and future standards may raise the bar higher.
One area of particular concern is ‘pause-and-resume’ recording as a way of securely handling customer payment card data. It ‘has had its day,’ says ContactBabel’s Inner Circle Guide to PCI DSS Compliance in the Contact Centre, ‘It is high risk and not efficient for a PCI compliant environment.’
The high price of ‘pause and resume’
Even with expensive clean rooms, pause-and-resume gives virtually no protection against malicious employees, increasing the risk of reputation-damaging data losses. In addition, it increases the risk of accidental exposure of credit card information because it relies so heavily on people following procedures properly all the time. (And how often does that happen in the real world?)
Once toxic data gets into your call centre, it requires expensive exception handling and potentially brings all your systems into scope for PCI compliance. With 904 separate reporting entries in PCI DSS version 3.0, compliance can be very expensive to achieve if any agent is potentially exposed to toxic data.
Despite these dangers and despite the fact that one in five of the 200+ UK contact centres that took part in ContactBabel’s survey are not yet fully PCI compliant, 59 percent of them were still using pause-and-resume voice recording while taking payment card data over the phone. It’s time for a change.
No longer fit for purpose
The report is conclusive: ‘When the first set of PCI DSS regulations came out, pause and resume was seen as a quick and easy fix to handle the problem of keeping sensitive authentication data out of call recordings. As time has passed, regulations have grown more strict and the growing importance of and focus upon wider data security has meant that many organisations are now looking beyond simply keeping call recording compliant.’
Criminals and hackers are not going away, and neither is the risk (and opportunity cost) of outdated approaches to security. Instead, the report recommends that companies: ‘Embrace the power of true cloud offerings that are highly secure and based on market leading Infrastructure-as-a-Service. Outsource the problem while you focus on your customers.’ Here at Cognia, we couldn’t agree more.
Curtis Nash – CEO and Founder at Cognia
For additional information see the Cognia website.