70 per cent of contact centres require customers to read sensitive data aloud, increasing security risks
Global survey of contact centre agents shows the use of outdated practices for customer interaction, data collection and fraud prevention are compromising security
A new survey of contact centre agents conducted by Semafone reveals the dire state of contact centre data security. Drawing responses from more than 500 agents across industries around the globe, the survey shows that a concerning number of contact centres rely on outdated, risky practices for customer interaction, data collection and fraud prevention. This exposes organisations to inside and outside security threats, and puts sensitive customer information at risk.
Key survey findings
Contact centres still use data collection and customer interaction practices that create opportunities for agent fraud and leave data vulnerable to a breach.
– 72 per cent of agents who collect credit/debit card information over the phone require customers to read numbers aloud, despite the readily available technologies that secure voice transactions
– 30 per cent reported that they have access to payment card information even when not on the phone with customers
Agents are experiencing and witnessing breach attempts from both insiders and outsiders, yet many do nothing to mitigate the risks.
– 7 per cent of agents admitted that someone inside their organisation has asked them to access or share customers’ payment card information or other sensitive data
– 4 per cent said the same about someone outside their organisation
– 9 per cent said they personally know someone who has unlawfully accessed or shared customers’ payment card information
– 42 per cent of those approached said they did not report the situation to either management or the authorities
– These percentages may seem small, but just one successful breach attempt could cost an organisation an average of £2.5 million, according to IBM’s 2017 Cost of a Data Breach Study
Contact centres aren’t doing enough to protect customer data and prevent fraud, while current practices contribute to low employee morale and high turnover.
– 79 per cent of agents are not allowed to have cell phones at their work station
– 38 per cent are not allowed paper or pens at their work station
– 31 per cent are not allowed personal items or bags at their work station
– 28 per cent must pass through a security check before entering or leaving work
– 26 per cent work in a contact centre “clean room,” which prohibits any personal items and recording devices of any kind
Industry trends are apparent.
– 35 per cent of agents in the Business Process Outsourcing (BPO) industry have access to customer information when they aren’t on the line with them; 11 per cent have been approached to share customer information
– The findings pertaining to BPO emphasises the increased risks created by outsourcing and offshoring. In fact, research shows that poor outsourcing decisions cause 63 per cent of data breaches, so strong data security is vital for those with such business models.
Tim Critchley, Semafone CEO said,
“Our survey confirms that many contact centres are still using inadequate practices when capturing, processing and storing payment card data and other personally identifiable information (PII),”.
“When a single data breach can cost a company millions, traditional security controls like clean rooms and check points are not enough. The only way to truly protect sensitive data is to remove it from the business infrastructure completely.”
Critchley continued, “Although just four and seven per cent of survey participants had been approached by outsiders and insiders respectively, these are alarming numbers when extrapolated to the greater contact centre agent population. While the majority of agents are good, honest people, it takes just one malicious person to expose sensitive data and ruin a business’ reputation. Contact centres need to act now—otherwise, they are just sitting around, waiting to be breached.”
To address and simplify data security, Semafone urges organisations to descope their contact centres from Payment Card Industry Data Security Standard (PCI DSS) compliance. This is achievable by adopting dual-tone multi-frequency (DTMF) masking technologies, which allow customers to enter payment card information and other PII directly into the telephone keypad. DTMF tones are masked with flat tones so they are not captured on call recordings, and neither the agent nor an eavesdropper can decipher the numbers. The agent is also able to remain on the line in full voice conversation with the customer, which ensures better customer service. The sensitive data is then sent straight to the appropriate third party, such as the payment processor, bypassing the contact centre’s infrastructure altogether.
To download the full report Click Here
To download the infographic Click Here
For additional information about Semafone visit their Website
Tom Harwood, Co-Founder and Chief Product Officer at Aeriandi, says:
“Typically, contact centres use dual tone, multi frequency (DTMF) technology to enable callers to make secure payments over the phone. Our experience shows that between one and five per cent of people cannot use – or don’t wish to use – manual DTMF technology to make phone payments. This could include sufferers of rheumatic and musculoskeletal diseases (RMDs) such as arthritis, for whom joint pain, particularly in the hands, is a serious problem. For this group tasks like using a manual phone keypad can be extremely painful, if not impossible.
It is important for contact centres to offer a payment option to callers who cannot use the telephone keypad without compromising security or PCI compliance. Companies should not be disadvantaging disabled customers or customers that do not wish to use DTMF, but this has to be balanced with protecting their data and maintaining a secure card data process
Automatic speech recognition (ASR) extends this secure payment capability to callers who are unable to use a manual keypad. ASR uses voice-to-text technology to capture, convert and verify the information before processing the payment. Cardholder data is then relayed to the Payment Service Provider (PSP) via secure private cloud, without the information entering the contact centre. The ensures a good customer experience, streamlines the payment process and achieves PCI DSS compliance for every caller.”