
With card fraud and identity theft continuing to hit the headlines, Jason Roos, CEO of Cirrus, discusses how call centres can navigate the options to ensure both PCI DSS compliance and the best possible customer experience.
Data breaches continue to challenge and cost businesses
In today’s increasingly cashless society, customers rely more and more on using credit and debit cards for payments. Whether buying goods online or paying bills over the phone, they happily relay accounts and credit card details to a contact centre agent without a second thought, trusting that the company that they are dealing with will manage their card data securely. But how secure are they?
According to UK Finance (the collective voice for the UK banking and finance industry representing more than 250 firms across the industry), the theft of personal and financial data through social scams and data breaches was a major contributor to fraud losses in 2018.
In fact, in 2018 data breaches involving just three well-known brands are reported to have resulted in the attempted compromise of around 6.3 million payment card details. The Information Commissioner’s Office (ICO) reports that during the second quarter of 2018/19, there was a total of 4,056 data security incidents. Worryingly, information stolen through a data breach can be used for months - or even years - after the event.
PCI DSS compliance – the challenges
Card fraud is a threat that the finance industry cannot tackle alone, which means that it is the responsibility of all companies in the chain to take preventative measures and secure data. If a business loses a customer’s card data (i.e. suffers a data breach) and is not PCI DSS compliant, it could incur fines for the lost data and be liable for the costs of fraud incurred and those associated with replacing the accounts, not to mention the reputational damage that may mean losing even its most loyal customers.
Yet for many businesses, compliance means expense and changes to IT infrastructure that they can ill afford. According to Verizon’s 2019 Payment Security Report (PSR), there has been a negative trend globally for companies reporting full compliance with PCI DSS. Assessments from other Qualified Security Assessor (QSA) companies also show lower full compliance. Since 2008, Verizon has tracked the percentage of organisations that achieve PCI DSS compliance and, as noted in previous editions of the PSR, it has varied from a low of 11.1% in 2012 to a high of 55.4% in 2016, dipping well below 40% (36.7%) in 2018.
While these statistics show improvement, when the PCI Security Standards Council first published the PCI DSS in 2004, it was expected that organizations would achieve effective and sustainable compliance within about five years. Today, less than half maintain programs that prevent PCI DSS security controls from falling out of place within a few months after meeting formal compliance requirements.
One size does not fit all
Depending on the merchant level (i.e. how many card payments are taken), businesses can either self-certify PCI compliance or use a Qualified Security Assessor (QSA) who is accredited by the PCI SSC. Only Level 1 merchants with over 6 million transactions per year or who are a ‘Compromised Entity’ (having experienced attacks before) must have an annual on-site QSA audit rather than one of the self-assessment questionnaires (SAQs) now available in current PCI DSS standards.
Recognising that one size did not fit all, and that smaller and less at-risk companies should not have to complete the same list of requirements as a large multinational, the recent PCI DSS 3.0 Standard has also introduced a number of different types of SAQ (a list and explanation of each SAQ is available from the PCI Security Standards Council). Many contact centres do not require a full audit with a QSA and self-assessment questionnaires are becoming far more popular.
The view from the contact centre
The need for many contact centres to record calls, for security and training purposes, makes protecting the data more difficult. There is no single right way to handle payments in order to be PCI DSS compliant, but companies can meet the security levels required by achieving compliance.
There are many methods available that contact centres can employ to prevent card fraud, and technology plays an important part in these practices. However, it can be a complex and costly technical process to set up and follow. To reduce these costs and comply with the standards, many organisations’ call centres choose to minimise (often called ‘de-scoping’) or eliminate altogether the customer card data that they hold in their systems. Not holding on to data reduces the risk that customers will be affected by fraud.
Offering different payment options means checking every possible area of security exposure in the payment process. The latest UK Contact Centre Decision-Makers’ Guide (DMG) published by analyst ContactBabel, outlined eleven different ways in which contact centres currently attempt to reduce card fraud. Ranging from technology solutions to physical methods such as clean rooms, where pens, paper and mobiles are prohibited, different ways of processing card payments have their pros and cons:
New ways to pay with digital channels are ringing the changes
There are also recent new ways to pay that make it even easier for customers. As an example, Cirrus’ new LinkPay+ service (a partnership with Semafone) sends the customer a secure payment link, via any digital channel (such as web chat, WhatsApp, SMS, Facebook Messenger etc.), while they are on the phone or conversing with the contact centre agent or bot using these digital channels. Customers entering card details in a web chat is high risk – in a contact centre, quality assessors, team leaders and tech support people could all look up the history of chats and potentially pull out credit card details.
Providing a service like LinkPay+ means the customer can enter their card details on a secure website page with confidence. The agent or bot on the call doesn’t see the card information, but sees a checklist of the steps completed. This means the purchase can be completed during the call or chat, saving the customer the hassle of ringing a different number or visiting a website (with the risk of losing the sale). It’s more convenient for the customer than entering card details over the phone using the keypad and help and advice can be given while on the phone or online.
There are also plans in the future for this technology to tie up with Apple Pay and Google Pay, which will make it even easier for customers to pay securely, confident that they are protected from card fraud.
Being compliant with PCI DSS means that companies are doing their best to keep customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. At the end of the day the responsibility for compliance lies with the merchant - the key is to choose the right technology solution that fits the organisation and delivers the best possible customer experience.
About Jason Roos:
Jason Roos is CEO of Cirrus
About Cirrus Response: Cirrus is a provider of omni-channel cloud Contact Center Solutions (CCaaS) and IPT telephony, with over 10 years’ experience of using the best technology to deliver business outcomes and effortless customer experiences. Modern technology and a team that has many years of experience working in and around the Contact Center and IPT environment provide a recipe for business transformational success.
With a true cloud infrastructure, Cirrus operates on a true real-time basis with unlimited scalability and the highest level of resilience and security.
We can help you leverage the best AI solution available to deliver an awesome experience for your customers; getting better results for less cost. At the point you want to introduce agents into the customer journey, Cirrus then brings contact from voice, email, web, SMS, video, social, Messenger, WhatsApp, app store reviews, YouTube and more into a simple view that your advisors will love.
Published: Wednesday, December 18, 2019