Safeguarding your Contact Centre against employee misconduct – Jane Goodayle, Marketing Director, PCI Pal
With the busy pre-Christmas shopping periods upon us, including the infamous Black Friday, it’s vital that organisations which take customer payments over the phone (Card Holder Not Present, CNP) have the right security measures in place to reduce the potential risk of employee misconduct.
By this, we mean employees gaining unauthorised access to customer data, including payment card details.
A new survey from Egress recently revealed that 24 per cent of workers have purposefully shared confidential business information outside their organisation, including almost one in ten accidentally leaking sensitive attachments such as bank details or customer information.
The survey comes at a time when global data breaches are in the headlines and demonstrates the importance of organisations taking payments securely without bringing their environments into scope of Payment Card Industry Data Security Standard (PCI DSS).
Similarly, earlier this summer an Australian energy company, ActewAGL, was subject to a high-profile employee misconduct case which centred on a member of its team fraudulently accessing customers’ payment card details for her own personal benefit.
A customer had phoned the ActewAGL contact centre to query a $2,000 refund that appeared on her bill, but which she claimed she had never received. Upon further investigation, it became apparent that this customer was not the only one to be missing money. In fact, the employee had been siphoning off customer credit for at least three months.
The employee had the ability to issue bills, reverse bills and provide refunds within her job role – all of which gave her access to the personal information of every customer she had contact with, including ID, bank details, account details and transaction history.
She had devised a scheme whereby she would identify the accounts of customers who made regular payments, then phone her own call centre and use the customer’s personal data to impersonate them, requesting that any credit be refunded into her own account. After just three months, she was estimated to have stolen around $13,000.
With data protection at the top of the agenda, it is vital that sensitive payment data is never brought into the contact centre environment in the first place, so that this kind of misconduct has no opportunity to occur.
What could employee misconduct mean for your contact centre?
Any data security breach, whether external or internal, has the potential to be devastating to an organisation in many ways.
Firstly, there are the fines to take into account; businesses found to be at fault for a data breach face Information Commissioner’s Office (ICO) fines of up to £500k (or €20m / 4% of annual global turnover following the implementation of the new GDPR rules in May 2018).
That doesn’t consider the lawsuits, legal costs, insurance claims, increased banking fees, or share price drops that may happen as a result, in addition to reputational damage.
It is estimated that today, on average, a security breach will cost an organisation $3.62m (£2.8m).
Steps towards preventing employee misconduct
PCI DSS requirement 12.7 says that any employee who is going to have access to sensitive data ought to undergo strict background checks, such as employment history, criminal record, credit history and reference checks. However, these are only recommendations and such checks are not infallible – people can be unpredictable, after all.
The best way to avoid the risk of employee misconduct entirely is to ensure that employees never have access to your customers’ personal data in the first place. For example, the PCI Pal Agent Assist tool uses DTMF capture technology to mask key tones and prevent agents from ever seeing or hearing card details. Instead, the customer keys in the card details rather than reading them out over the phone, and the sensitive data never enters the company’s contact centre environment.
Using PCI-compliant secure payment technology like this allows contact centre agents to take payments safely and securely, while maintaining a conversation with the customer over the phone, yet without any sensitive information ever coming into contact with the business. This removes the risk for the business and its customers.
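The following is an added illustration of the DTMF-capture pattern described above, not PCI Pal's own code: a capture layer sits between the customer's keypad and the agent, so the agent desktop only ever receives placeholders and the last four digits, while the full card number travels only towards the payment provider. The class and function names, the use of '#' as the end-of-entry key, and the sample card number are assumptions made for the example.

```python
# Added example (not PCI Pal's code): a minimal simulation of DTMF capture.
# Digits keyed by the customer are buffered outside the agent's view; the
# agent log only ever shows placeholders and the masked result, so a full
# PAN can never appear in agent-facing records or call transcripts.

def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to catch mis-keyed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class DtmfCaptureSession:
    """Holds keyed digits away from the agent until the customer presses '#'."""

    def __init__(self):
        self.agent_log = []              # everything the agent desktop is shown
        self.processor_request = None    # what would go to the payment provider
        self._buffer = []                # raw digits, never copied to agent_log

    def on_key(self, key: str):
        if key.isdigit():
            self._buffer.append(key)
            self.agent_log.append("*")   # agent sees progress, not the digit
            return None
        if key == "#":                   # assumed end-of-entry terminator
            pan = "".join(self._buffer)
            self._buffer.clear()
            if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
                self.agent_log.append("invalid entry, ask customer to re-key")
                return False
            self.processor_request = {"pan": pan}   # provider path only
            self.agent_log.append(f"card ending {pan[-4:]} captured")
            return True
        return None                      # '*' and other keys are ignored


def run_capture(keys: str) -> DtmfCaptureSession:
    """Feed a constructed sequence of key presses through the capture layer."""
    session = DtmfCaptureSession()
    for k in keys:
        session.on_key(k)
    return session
```

Running `run_capture("4111111111111111#")` (a constructed, Luhn-valid test number) leaves sixteen placeholders and "card ending 1111 captured" in the agent log while the full number reaches only `processor_request`.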
Sadly, data breaches are frequently hitting the headlines and the time for organisations to act is now.
Businesses need to ensure that they are protecting sensitive payment data; not only for the benefit of customers, but to de-risk and safeguard their future operations by not capturing or storing any payment card data within internal systems (and therefore exposing this to unscrupulous staff).
Plus, with the new GDPR rules soon coming into force, organisations could face significant financial penalties, and will be held far more accountable and legally liable for any breaches that occur. Making sure compliant payment security is in place, and removing that vulnerability, is therefore more of a priority than ever before.
Jane Goodayle is Marketing Director at PCI Pal
For additional information on PCI Pal, visit their website.