Monday, October 30, 2017
When asked about data-security vulnerabilities, 7 percent of survey respondents admitted that people within their organizations have asked them to share confidential customer data; 4 percent stated the same was true of people outside of their organizations; 9 percent said they know someone who has unlawfully accessed or shared customer information.
Tim Critchley, Chief Executive Officer at Semafone, said these findings underscore the need to keep customer data out of Payment Card Industry Data Security Standard (PCI DSS) scope. "[T]he only way to truly protect sensitive data is to remove it from the business infrastructure completely," he added.
Critchley said the report highlights systemwide risk exposure, especially at contact centers that fail to protect consumer data. Thirty percent of survey respondents said they can access payment card data and personally identifiable information (PII), even when not on the phone with customers. Forty-two percent of agents don't report breach attempts to supervisors or law enforcement, which means most merchants are unaware of the magnitude of these problems, he noted.
Organizations must put policies in place to protect consumer data, or they may have no other option than to implement draconian workplace cultures, Critchley noted. "Contact centers aren't doing enough to protect customer data and prevent fraud, and current practices are contributing to low employee morale and high turnover," he said.
Following are some examples Critchley provided:
Additional findings indicate 72 percent of agents collect audible payment card information and Social Security numbers over the phone in areas where information can be easily intercepted. In addition, technologies such as dual-tone multifrequency (DTMF) schemes can be used to mask voice and keyboard tones when customers share sensitive information, report authors stated.
DTMF and other masking technologies can improve the customer experience by keeping customers and agents connected while customers input sensitive information from their connected devices, researchers noted. Payment card data and PII are sent directly to third parties, bypassing the contact center's infrastructure.
"We're not blaming agents or customer service representatives or suggesting that they're responding to requests for data," Critchley said. "Most are good, hardworking people who may unwittingly respond to a phishing email or pick up a USB drive with a free download offer that contains malicious code. The issue we're highlighting is exposure to risk. As Equifax and other incidents demonstrate, you only need one breach to impact millions and tarnish your reputation."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.