News : Top U.S. Insurers Compromising Security and PCI DSS Compliance
Semafone, a provider of secure payment software for contact centers, announced findings from a new "secret shopper" survey of leading insurance companies. Ten of the top insurance companies in the U.S. were anonymously surveyed and all responded that they still require customers to read their card numbers out loud when paying for insurance services over the phone, which means that they risk compromising security and Payment Card Industry Data Security Standard (PCI DSS) compliance.
"Nobody would dream of reading out their PIN at an ATM, but in the insurance industry it’s still commonplace to be asked to provide card details out loud over the phone," said Tim Critchley, CEO, Semafone. "I’m sure most of us have overheard someone doing this in a public space; it’s not secure and it should not be happening."
Call Recording Presents Additional Risks
The research also showed that eight of the ten top U.S. insurers record calls. This creates a further challenge. PCI DSS, which applies to every organization that stores, processes or transmits cardholder data, prohibits storing sensitive authentication data such as the card security code (CVV2/CVC2/CID) after authorization, and requires the full card number (the PAN) to be rendered unreadable wherever it is stored. An audio recording of a customer reading out a card number and security code satisfies neither requirement. If a payment is taken on a recorded call, the insurer therefore needs a way to keep these details out of the recording. Some insurers surveyed said they transfer customers to a voice recognition system that automatically blanks card numbers out of the recording, or use a start-and-stop (pause-and-resume) method so that the card details are never recorded. Both methods have well-known drawbacks.
Critchley continued, "In the financial sector, it’s important to record calls in case you need to provide a legal record during any disputes. But if contact center agents are pausing the calls to remove card details, the recording can’t be deemed ‘complete’ and, therefore, no longer fits this purpose.
The "pause" system also often depends on the service agent pressing the button at exactly the right moment. This means that it is far too easy to make a mistake and accidentally capture the card details on the recording. In some cases, we have even known agents to deliberately pause the recording at the wrong moment to blank out part of the conversation with the customer. It’s just not possible to guarantee that it will work."
U.S. Insurers Lag in Security of Call Center Data
To make matters worse, four of the ten top U.S. insurers admitted to reading card numbers back to customers, a practice that makes PCI DSS compliance even more taxing because the number is then spoken, and potentially recorded, twice. Additionally, most agents surveyed in the U.S. were unsure whether card numbers were being recorded at all.
"All contact centers in the U.S. need to do more. The insurance sector has been charging higher premiums for corporate policyholders who fail to take cybersecurity seriously; now it’s time for insurers to get their own house in order," stated Critchley. "We’re very pleased to be working with an increasing number of insurance companies who are addressing the problem, but there is still work to be done. Asking customers to read credit and debit card numbers aloud over the phone must become a thing of the past."
Semafone provides secure voice transactions for contact centres and retailers taking card-not-present (CNP) payments. The solution allows a call, and the call recording, to continue as normal while the customer enters their card details using their telephone keypad. Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones generated by the cardholder's telephone and replaces them with a flat tone, so the digits can neither be recognised by the contact centre agent nor captured by the call recording system. By keeping all card data segregated, and by removing the PAN and Sensitive Authentication Data (SAD) before they reach the call recorder and the contact centre infrastructure, the approach reduces the contact centre's PCI DSS scope and protects against opportunistic agent fraud and the associated reputational risk.
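To make the DTMF-masking idea concrete, here is an added, self-contained illustration; it is not Semafone's code and says nothing about how their product is implemented. It assumes 8 kHz mono telephony audio, 205-sample Goertzel analysis blocks and a 400 Hz replacement tone (all assumptions), synthesises the call audio itself from the well-known 4111 1111 1111 1111 test number (constructed input), and shows that the card number can be decoded from the unmasked stream but not from the masked one.

```python
"""DTMF masking demo (added example, not Semafone's code).

Detects keypad tones in a PCM stream with the Goertzel algorithm and
overwrites the frames that carry them with a flat tone, so the card number
cannot be recovered from a call recording.  All audio is synthesised here.
"""
import math

SAMPLE_RATE = 8000   # assumption: 8 kHz narrowband telephony audio
FRAME = 205          # ~25 ms block, the block size classically used for DTMF Goertzel
LOW_FREQS = (697, 770, 852, 941)           # DTMF row (low-group) frequencies
HIGH_FREQS = (1209, 1336, 1477, 1633)      # DTMF column (high-group) frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][col]
MASK_TONE_HZ = 400   # assumption: frequency of the flat tone substituted for masked frames
MIN_RATIO = 0.10     # share of a frame's energy each DTMF component must carry


def dtmf_tone(digit, seconds=0.10, amplitude=0.25):
    """Synthesise one key press: the sum of its row and column sine waves."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    f_low, f_high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(digit)]
    n = int(SAMPLE_RATE * seconds)
    return [amplitude * (math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE))
            for i in range(n)]


def dial(digits, gap_seconds=0.10):
    """Constructed call audio: key presses separated by silence."""
    samples = []
    for d in digits:
        samples += dtmf_tone(d) + [0.0] * int(SAMPLE_RATE * gap_seconds)
    return samples


def goertzel_power(frame, freq):
    """|X(f)|^2 of one frame at a single frequency (valid for any f, not only DFT bins)."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the keypad character carried by this frame, or None."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None  # silence

    def strongest(group):
        best = max(group, key=lambda f: goertzel_power(frame, f))
        # A pure tone that fills the frame yields |X|^2 = (A*N/2)^2 against an
        # energy of N*A^2/2, so this ratio is ~0.25 per DTMF component.
        return best, goertzel_power(frame, best) / (len(frame) * energy)

    f_low, r_low = strongest(LOW_FREQS)
    f_high, r_high = strongest(HIGH_FREQS)
    if r_low < MIN_RATIO or r_high < MIN_RATIO:
        return None  # not a two-tone DTMF frame: speech, noise or the mask tone
    return KEYPAD[LOW_FREQS.index(f_low)][HIGH_FREQS.index(f_high)]


def mask_dtmf(samples):
    """Replace every frame that carries a DTMF tone with a flat tone of equal length."""
    out = list(samples)
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        if detect_digit(frame) is not None:
            for i in range(start, start + len(frame)):
                out[i] = 0.25 * math.sin(2 * math.pi * MASK_TONE_HZ * i / SAMPLE_RATE)
    return out


def decode_digits(samples):
    """What a recorder (or anyone with the recording) can recover from the audio."""
    digits, last = [], None
    for start in range(0, len(samples), FRAME):
        d = detect_digit(samples[start:start + FRAME])
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed input: the well-known Visa test number
    call = dial(pan)
    print("recovered from unmasked recording:", decode_digits(call))
    print("recovered from masked recording:  ", repr(decode_digits(mask_dtmf(call))))
```

The detector is deliberately simple: it decides per 25 ms frame, so a key press that straddles a frame boundary can leave up to a frame of DTMF in the output, and a single missed frame would leak a digit. A production masker runs with guard frames and hysteresis (mask from the first detection until well after the last), sits in the telephony path before the audio reaches the agent desktop or recorder, and is validated against recordings rather than trusted on design. The same test, running a DTMF decoder over the archived recordings, is also how a contact centre can check whether a pause-and-resume process is actually keeping card numbers out of its archive.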
Published: Friday, April 28, 2017