By Ben Rafferty
Imagine if you had to read your PIN out loud at the ATM to make a transaction. With the possibility of someone overhearing and maliciously using your information, this notion is unthinkable. So why is it still commonplace for call centers to ask customers to read their card numbers, sensitive authentication data (SAD), and other personally identifiable information (PII) over the phone?
A recent secret shopper survey of leading insurance companies’ call centers revealed that insurers still rely on the outdated, risky practice of asking customers to confirm payment card details verbally. All ten of the top US insurance companies surveyed (anonymously) said that they require customers to read their card numbers out loud to pay for insurance services over the phone, and four of those ten admitted that customer service representatives (CSRs) read card numbers back to customers. Many customers and CSRs may not think twice about verbalizing sensitive data, but the risks are substantial. Given the 371 percent increase in data breaches in the insurance industry and the 113 percent increase in call center fraud, insurers cannot afford to be complacent.
Insider fraud, including fraud by CSRs, is a real threat. As a customer reads card details aloud, the CSR can be writing them down for later fraudulent use. Without clean-room policies (no bags, pens, paper, or cell phones at the desk) and other stringent controls, there is no telling what a CSR may do with sensitive data once exposed to it. The customer, too, may be reading the information aloud in a public place such as a grocery store, where anyone within earshot can note it down.
When it comes to call recordings, verbal confirmation of card numbers poses additional concerns. The survey showed that eight of the ten insurers record calls, but how (and whether) they remove PII from those recordings varied. Some CSRs said they rely on a program that automatically blocks card details from the recording as the caller speaks. Others said PII is removed from the recordings manually after the call ends. One insurer said it records calls at random and keeps the recordings for thirty days before deleting them. Overall, it was also clear that CSRs did not know how, or whether, sensitive information was being kept out of the recordings.
Unfortunately, the problem goes beyond the lack of a standardized approach to keeping card details out of recordings. Most notably, the method cited most often in the survey was some form of “stop/start” or “pause and resume,” in which the call recording is stopped, paused, or muted, either manually by the CSR or automatically, and then restarted once the CSR has taken down the sensitive information. Stop/start systems are particularly inadequate: the CSR still hears the verbalized card data, and in many cases is also the person responsible for pausing and resuming the recording. That creates an opportunity for the CSR to misuse the system, whether intentionally or accidentally.
What if the CSR pauses the recording to leave out portions of the call while he or she engages in fraudulent behavior? Or what if the CSR simply forgets to pause it? Then the card data is written to the recording and stored with it, exposed in the event of a data breach.
On top of these risks, the Payment Card Industry Data Security Standard (PCI DSS), which applies to every organization that stores, processes, or transmits cardholder data, prohibits storing sensitive authentication data such as the card security code after authorization, and call recordings are no exception. A recording that captures the code and is scrubbed by hand afterward has therefore already stored prohibited data, and a stop/start scheme that depends on a CSR remembering to press pause gives no assurance that the data never reached the recording. Insurers that rely on manual scrubbing or manual stop/start cannot demonstrate compliance.
Fortunately there is a straightforward solution for call centers in the insurance industry and beyond: de-scope the call center, taking its agents, desktops, telephony, and recordings out of PCI DSS scope. This is most effectively accomplished with dual-tone multifrequency (DTMF) masking technology. The customer enters the card number and security code on the telephone keypad; the DTMF tones are detected and replaced with flat tones before the audio reaches the CSR’s headset or the call recorder, so neither hears the digits. The captured digits are sent directly to the payment processor and never touch the call center’s own systems. Keeping customer data out of the infrastructure altogether reduces the risk of a reputation-damaging data breach and cuts compliance costs.
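As an added illustration of the mechanism (example code written for this page, not Semafone’s product or any code from the original article): the sketch below takes 8 kHz mono audio as Python floats, detects the DTMF row and column tones frame by frame with the Goertzel algorithm, collects the digits for a separate payment channel, and replaces every frame that carries a tone, plus its neighbours, with a 400 Hz flat tone before the audio goes on to the agent and the recorder. The thresholds, the 400 Hz replacement tone, the one-frame guard band, and the synthetic keypad entry are all assumptions made for the example; the card number used is the standard 4111 1111 1111 1111 test PAN, not a real card.

```python
"""DTMF masking sketch: find keypad tones in a PCM stream, route the digits to a
separate payment channel, and hand the agent/recorder a copy of the audio in
which the tones are replaced by a flat tone.  Pure Python, 8 kHz mono floats."""
import math

FS = 8000                                  # telephony sample rate, Hz
FRAME = 205                                # analysis block (~25.6 ms), a common Goertzel size
LOW = (697.0, 770.0, 852.0, 941.0)         # DTMF row frequencies
HIGH = (1209.0, 1336.0, 1477.0, 1633.0)    # DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")    # KEYS[row][col]
MIN_POWER = 100.0    # assumed threshold: roughly 40 samples of full-level tone in a frame
DOMINANCE = 4.0      # strongest bin in a group must beat the runner-up by this factor
MASK_FREQ = 400.0    # assumed replacement tone; any steady non-DTMF tone would do


def goertzel_power(frame, freq):
    """Energy of `frame` at `freq` via the Goertzel recurrence (no FFT required)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs):
    """Index of the one clearly dominant frequency in `freqs`, else None."""
    ranked = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(freqs)), reverse=True)
    (best, idx), (second, _) = ranked[0], ranked[1]
    if best < MIN_POWER or best < DOMINANCE * second:
        return None
    return idx


def detect_digit(frame):
    """Keypad digit sounding in `frame` (one row tone plus one column tone), or None."""
    row, col = _dominant(frame, LOW), _dominant(frame, HIGH)
    if row is None or col is None:
        return None
    return KEYS[row][col]


def flat_tone(n, offset):
    """`n` samples of the replacement tone, phase-continuous across consecutive frames."""
    return [0.3 * math.sin(2.0 * math.pi * MASK_FREQ * (offset + k) / FS) for k in range(n)]


def mask_dtmf(samples):
    """Split caller audio into (digits for the payment channel, audio for agent and recorder).

    A frame is masked when it or either neighbour carries DTMF, so a tone fragment
    too short to classify at a frame boundary never survives into the recording."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    hits = [detect_digit(f) for f in frames]
    digits, last = [], None
    for d in hits:
        if d is not None and d != last:        # one digit per sustained key press
            digits.append(d)
        last = d
    agent_audio = []
    for i, f in enumerate(frames):
        if any(h is not None for h in hits[max(0, i - 1):i + 2]):
            agent_audio.extend(flat_tone(len(f), i * FRAME))
        else:
            agent_audio.extend(f)
    return "".join(digits), agent_audio


# --- constructed caller audio for the demonstration (not captured from a real call) ---
def dtmf_tone(key, n):
    """`n` samples of the two-tone signal a phone emits for `key`."""
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    col = KEYS[row].index(key)
    return [0.5 * math.sin(2.0 * math.pi * LOW[row] * k / FS)
            + 0.5 * math.sin(2.0 * math.pi * HIGH[col] * k / FS) for k in range(n)]


def keypad_entry(keys, tone_ms=100, gap_ms=100):
    """Each key as a tone burst followed by silence, as a caller would press them."""
    out = []
    for key in keys:
        out.extend(dtmf_tone(key, FS * tone_ms // 1000))
        out.extend([0.0] * (FS * gap_ms // 1000))
    return out


if __name__ == "__main__":
    pan = "4111111111111111"   # the standard Visa test number, not a real card
    digits, agent_audio = mask_dtmf(keypad_entry(pan))
    print("payment channel received:", digits)
    print("DTMF still audible to agent/recorder:", repr(mask_dtmf(agent_audio)[0]))
```

Running it shows the payment channel receiving the full PAN while a second pass of the detector over the agent’s copy of the audio finds no digits at all. The guard band is the security-relevant detail: a tone fragment that straddles a frame boundary is too short to classify, and a masker that only replaces frames it positively identified would let that fragment through to the recording. Real DTMF receivers additionally enforce minimum tone and inter-digit gap durations and tolerate level differences between the two tones and line noise, which this sketch omits.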
Because insurance call centers hold so much PII, from credit card numbers to social security numbers, it is in the companies’ and their customers’ best interests to ensure that their security and compliance efforts are in order—before it’s too late. This begins with making the practice of reading payment card numbers aloud over the phone a thing of the past.
Ben Rafferty has fifteen years’ experience delivering speech recognition, IVR, and contact center automation on CPE and hosted platforms. At Semafone, Rafferty is responsible for the smooth deployment of solutions into hosted environments and for the overall management of Semafone’s hosted offering.