With card fraud and identity theft continuing to hit the headlines, Jason Roos, CEO of Cirrus, discusses how contact centres can navigate the options to ensure both PCI DSS compliance and the best possible customer experience
Data breaches continue to challenge and cost businesses
In today’s increasingly cashless society, customers rely more and more on credit and debit cards for payments. Whether buying goods online or paying bills over the phone, they happily read out account and card details to a contact centre agent without a second thought, trusting that the company they are dealing with will manage their card data securely. But how secure is that data?
According to UK Finance (the collective voice for the UK banking and finance industry, representing more than 250 firms), the theft of personal and financial data through social engineering scams and data breaches was a major contributor to fraud losses in 2018.
In fact, in 2018 data breaches involving just three well-known brands are reported to have resulted in the attempted compromise of around 6.3 million payment card details. The Information Commissioner’s Office (ICO) reports that during the second quarter of 2018/19 there were 4,056 data security incidents. Worryingly, information stolen in a data breach can be used for months, or even years, after the event.
PCI DSS compliance – the challenges
Card fraud is a threat that the finance industry cannot tackle alone, so it is the responsibility of every company in the payment chain to take preventative measures and secure card data. If a business loses a customer’s card data (i.e. suffers a data breach) and is not PCI DSS compliant, it could incur fines from its acquirer and the card schemes and be liable for the resulting fraud losses and the cost of reissuing cards, not to mention the reputational damage, which may mean losing even its most loyal customers.
Yet for many businesses, compliance means expense and changes to IT infrastructure that they can ill afford. According to Verizon’s 2019 Payment Security Report (PSR), there has been a negative global trend in the proportion of companies reporting full compliance with PCI DSS, and assessments by other Qualified Security Assessor (QSA) companies show a similar decline. Since 2008 Verizon has tracked the percentage of organisations that achieve full PCI DSS compliance; previous editions of the PSR put it at a low of 11.1% in 2012 and a high of 55.4% in 2016, before it dipped well below 40% (to 36.7%) in 2018.
While these figures are an improvement on 2012, when the PCI Security Standards Council first published the PCI DSS in 2004 it was expected that organisations would achieve effective and sustainable compliance within about five years. Today, fewer than half maintain programmes that stop PCI DSS security controls from lapsing within a few months of meeting the formal compliance requirements.
One size does not fit all
Depending on the merchant level (set by the card brands according to annual card transaction volume), businesses can either self-certify PCI DSS compliance or use a Qualified Security Assessor (QSA) accredited by the PCI SSC. Only Level 1 merchants, those processing over 6 million transactions per year or designated a ‘Compromised Entity’ after a previous breach, must undergo an annual on-site assessment and Report on Compliance rather than completing one of the self-assessment questionnaires (SAQs) available under the current PCI DSS.
Recognising that one size does not fit all, and that smaller and lower-risk companies should not have to complete the same list of requirements as a large multinational, recent versions of the PCI DSS (3.0 onwards) have expanded the range of SAQ types, each tied to how a merchant takes payments (a list and explanation of each SAQ is available from the PCI Security Standards Council). Many contact centres do not require a full audit by a QSA, and self-assessment questionnaires are becoming far more common.
The view from the contact centre
The need for many contact centres to record calls, for security and training purposes, makes protecting card data more difficult: a recording that captures a card number is itself in scope, and the card security code must never be retained in a recording at all. There is no single right way to handle payments in order to be PCI DSS compliant, but whichever method is chosen must bring every system that stores, processes or transmits cardholder data up to the standard’s requirements.
There are many methods that contact centres can employ to prevent card fraud, and technology plays an important part, but setting them up and operating them can be a complex and costly technical process. To reduce these costs and simplify compliance, many organisations’ contact centres choose to minimise (often called ‘de-scoping’, or scope reduction) or eliminate altogether the customer card data that they hold in their systems, so that fewer systems, people and recordings fall under PCI DSS requirements. Data that is never held cannot be stolen, which reduces the risk that customers are affected by fraud.
Offering different payment options means checking every possible point of exposure in the payment process. The latest UK Contact Centre Decision-Makers’ Guide (DMG), published by analyst ContactBabel, outlines eleven different ways in which contact centres currently attempt to reduce card fraud, ranging from technology solutions to physical measures such as clean rooms, where pens, paper and mobile phones are prohibited. Each way of processing card payments has its pros and cons.
New ways to pay with digital channels are ringing the changes
There are also new ways to pay that make it even easier for customers. As an example, Cirrus’ new LinkPay+ service (a partnership with Semafone) sends the customer a secure payment link via any digital channel (web chat, WhatsApp, SMS, Facebook Messenger and so on) while they are on the phone or conversing with the contact centre agent or bot on that channel. Having customers type card details into a web chat is high risk: in a contact centre, quality assessors, team leaders and technical support staff can all look up chat history and potentially pull out card numbers, and every system that stores those transcripts is then in PCI DSS scope.
With a service like LinkPay+ the customer enters their card details on a secure web page, with confidence. The agent or bot on the call never sees the card information, only a checklist of the steps completed, so the purchase can be finished during the call or chat, saving the customer the hassle of ringing a different number or visiting a website (and the merchant the risk of losing the sale). It is more convenient for the customer than keying card details into the phone keypad, and help and advice can be given while they are on the phone or online.
There are also plans for this technology to integrate with Apple Pay and Google Pay in future, making it even easier for customers to pay securely, confident that they are protected from card fraud.
Being compliant with PCI DSS means that a company is doing its best to keep customers’ valuable information safe, secure and out of the hands of people who could use it fraudulently. At the end of the day the responsibility for compliance lies with the merchant; the key is to choose the technology solution that fits the organisation and delivers the best possible customer experience.
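The de-scoping principle described above (keep card data out of systems that do not need it, including chat transcripts that QA staff and team leaders can read) can also be enforced mechanically on any transcript that is retained. The following Python is an added example, not Cirrus’ or Semafone’s code: it scans a constructed chat transcript for digit runs that look like a card number, confirms each candidate with the Luhn check so that order references and other numbers are left alone, and masks all but the last four digits before the transcript is stored. The transcript is a constructed sample; the 4111… and 5555… numbers in it are the standard Visa and Mastercard test PANs, not real cards.

```python
import re
from typing import Tuple

# PCI DSS treats a stored Primary Account Number (PAN) as cardholder data, so
# any chat transcript kept for quality assurance must not contain one in the
# clear. This filter finds digit runs that look like a card number, confirms
# them with the Luhn check (ISO/IEC 7812) and keeps only the last four digits,
# which PCI DSS permits to be displayed.

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjoining other digits. Assumption: card numbers in transcripts
# are delimited by non-digits (a PAN run directly into another number would
# be missed by this simple tokeniser).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

MASK_PREFIX = "[PAN REDACTED ****"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9           # same as summing the two digits of d
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Return (redacted text, number of PANs masked).

    Luhn-invalid digit runs (order references, phone numbers) are left as they
    are, so QA staff still see the context they need.
    """
    count = 0

    def _mask(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw           # not a card number: keep it
        count += 1
        return MASK_PREFIX + digits[-4:] + "]"

    return _CANDIDATE.sub(_mask, text), count


# Constructed sample transcript. The card numbers are the well-known Visa and
# Mastercard test PANs, not real cards; the 16-digit order reference fails
# the Luhn check and must survive redaction untouched.
SAMPLE_TRANSCRIPT = (
    "agent: Can I take the card number please?\n"
    "customer: sure, it's 4111 1111 1111 1111, expiry 12/24\n"
    "agent: thanks, and your order reference?\n"
    "customer: ORD 1234567890123456\n"
    "customer: actually use my other card, 5555-5555-5555-4444\n"
)


if __name__ == "__main__":
    cleaned, masked = redact_pans(SAMPLE_TRANSCRIPT)
    print(f"{masked} PAN(s) masked before the transcript is stored:")
    print(cleaned)
```

This only addresses the PAN. The card security code must never be stored at all, and a filter like this is a safety net for data that slipped into the channel, not a substitute for keeping card entry off the chat channel in the first place, which is what the payment-link approach achieves. Because the candidate pattern expects a card number to be delimited by non-digits, a PAN immediately followed by another run of digits would be missed.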
About Jason Roos:
Jason Roos is CEO of Cirrus
About Cirrus Response:
Cirrus is a provider of omni-channel cloud Contact Center Solutions (CCaaS) and IPT telephony, with over 10 years’ experience of using the best technology to deliver business outcomes and effortless customer experiences. Modern technology and a team that has many years of experience working in and around the Contact Center and IPT environment, provides a recipe for business transformational success. With a true cloud infrastructure, Cirrus operates on a true real-time basis with unlimited scalability and the highest level of resilience and security. We can help you leverage the best AI solution available to deliver an awesome experience for your customers; getting better results for less cost. At the point you want to introduce agents into the customer journey, Cirrus then brings contact from voice, email, web, SMS, video, social, Messenger, WhatsApp, app store reviews, YouTube and more into a simple view that your advisors will love.
Published: Wednesday, December 18, 2019