Data theft is a big business nowadays and no company is immune. From attacks by hackers attempting to steal customer information to abuse of customer information by staff - there are several key areas of risk you should consider to ensure you protect your customers' details. Derek Bishop, director of Culture Consultancy, considers the steps you can take to tighten up your data security
Protecting customers from fraud has always been a major concern, especially in the financial services industry. I have seen and heard of many security breaches whereby sensitive data has been lost. Unfortunately, security breaches are far more common than they should be, calling into question just how serious many businesses actually are when it comes to protecting their customer data from everyday fraud opportunities.
Chip and PIN doesn't always win
Chip and PIN was a move in the right direction to clamping down on opportunities for card fraud, but there are vast number of instances when full card details need to be provided over the phone, such as paying for car insurance or making a payment on a credit or store card for example. In these cases, without the right security measures in place, you could essentially be placing your customers right into the hands of a fraudster without even realising it.
Whilst your business may provide all the assurances online, behind the scenes there could be some significant breaches going undiscovered. A number of contact centres have been found guilty of this and it brings into question the use of having all the guarantees for the online processing, when offline is so unsecure! And more worryingly, if customers were informed of a security breach linked to your company they would loose all trust and will make sure everyone else is aware of the problem as well.
Offline security flaws exposed
According to the Privacy Rights Clearinghouse, more than 898 million records containing sensitive information were breached between January 2005 and April 2016. They reveal that vulnerabilities can appear anywhere in the sales process and could include POS (Point of Sale devices), personal computers or servers, wireless hotspots or web shopping applications, in paper-based storage systems and unsecured transmissions of cardholder data to service providers.
Perhaps the focus on enhancing web security has led many customers to divert their attention away from offline security protocols, and as result call centres have become a too relaxed when it comes to offline processes. I am sure that a large proportion of customers on receiving a call from a trusted supplier would not think twice about providing their card details on request, assuming that the same security they have grown to expect online will be in place here too. Customers cannot ultimately know what security processes are in place at the call centre and so are willingly providing their card details, including security codes and expiry dates to potential fraudsters on a daily basis.
A focus on security protocols for the web has meant that all too often some of the basics within the internal operational areas are forgotten. Or what many are finding is that policies and procedures were implemented but they have not been sustained so the scope for a breach against industry standards and the risk of fraud re-appears again and again.
Call centres are an easy target
Contact centre operations which handle customer data and collect payment details from customers should have strict policies and procedures in place to prevent misuse of customer data, yet we still see examples of operations where mobile phones are permitted in the contact centre and payment card data can be fully retrieved at a later point after the specific transaction has been completed.
The BBC sent a journalist undercover to expose the weaknesses in call centre procedures. The journalist managed to get a job easily, had basic training and before you know it they were on the phone handling customer data. There have been many more instances of this and I am aware of one instance where a call centre was taking credit card details over the phone with mobile phones present. And yet again, full details were retrievable after the transaction had been completed so a call centre agent could go back and write the details down at a later point.
This risk is further heightened where the work is outsourced and organisations need to ensure full adherence to the security standards, as whilst the outsourcer may be in breach, ultimately it's your data so you need to protect it. But how?
There are specific standards when accepting payment from cards such as the Payment Card Industry (PCI) DSS. The PCI DSS are a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, that include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI data standards should be adhered to by every call centre operation, yet some organisations are still falling a long way short of their guidelines. It is worth reviewing your current processes, or those of your outsourcers, to see whether your centre measures up.
PCI DSS guidelines
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
Fraud in the offline world will always be a hot topic, so be prepared to face up to any issues which may arise from reviewing your security measures and take appropriate action. Ignoring the problem won't make it go away. Bad news travels fast, so you can be sure that customers will find out about security breaches if you don't fix the problems now.
Written by Derek Bishop of Culture Consultancy.