News: Top U.S. Insurers Compromising Security and PCI DSS Compliance
Semafone, a provider of secure payment software for contact centers, announced findings from a new "secret shopper" survey of leading insurance companies. Ten of the top insurance companies in the U.S. were anonymously surveyed and all responded that they still require customers to read their card numbers out loud when paying for insurance services over the phone, which means that they risk compromising security and Payment Card Industry Data Security Standard (PCI DSS) compliance.
"Nobody would dream of reading out their PIN at an ATM, but in the insurance industry it’s still commonplace to be asked to provide card details out loud over the phone," said Tim Critchley, CEO, Semafone. "I’m sure most of us have overheard someone doing this in a public space; it’s not secure and it should not be happening."
Call Recording Presents Additional Risks
The research also showed that eight of the top U.S. insurers record calls. This creates another challenge, as the PCI DSS, which governs all card payments, specifically prohibits the recording of full card numbers and card security codes. If a payment takes place over the phone and the call is being recorded, the insurer needs to find a way to avoid capturing these details. Some insurers surveyed stated that they transfer customers to a voice recognition system which automatically blanks out card numbers on the recording, or that they use a start-and-stop method to avoid recording. Both methods have been proven to have drawbacks.
Critchley continued, "In the financial sector, it’s important to record calls in case you need to provide a legal record during any disputes. But if contact center agents are pausing the calls to remove card details, the recording can’t be deemed ‘complete’ and, therefore, no longer fits this purpose.
"The 'pause' system also often depends on the service agent pressing the button at exactly the right moment. This means that it is far too easy to make a mistake and accidentally capture the card details on the recording. In some cases, we have even known agents to deliberately pause the recording at the wrong moment to blank out part of the conversation with the customer. It's just not possible to guarantee that it will work."
U.S. Insurers Lag in Security of Call Center Data
To make matters worse, four out of the 10 top insurers in the U.S. admitted to reading card numbers back to customers, a practice that makes compliance with PCI DSS even more taxing. Additionally, most agents in the U.S. were completely unsure as to whether numbers were recorded.
"All contact centers in the U.S. need to do more. The insurance sector has been charging higher premiums for corporate policyholders who fail to take cybersecurity seriously; now it’s time for insurers to get their own house in order," stated Critchley. "We’re very pleased to be working with an increasing number of insurance companies who are addressing the problem, but there is still work to be done. Asking customers to read credit and debit card numbers aloud over the phone must become a thing of the past."
Semafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call, and the call recording, to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By keeping all card data segregated and by removing Sensitive Authentication Data (SAD) before it reaches the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS and is protected against the risk of opportunistic agent fraud and the associated reputational risk.
Published: Friday, April 28, 2017