Some contact centres rely on outdated, risky practices for customer interaction, data collection and fraud prevention. This exposes organisations to inside and outside security threats, and puts sensitive customer information at risk, according to a survey by a company that provides software to contact centres.
According to Semafone, contact centres still use data collection and customer interaction practices that create opportunities for agent fraud and leave data vulnerable to a breach.
Most, 72 per cent of agents who collect credit/debit card information over the phone require customers to read numbers aloud, despite the readily available technologies that secure voice transactions; and 30 per cent reported that they have access to payment card information even when not on the phone with customers.
Agents are experiencing and witnessing breach attempts from both insiders and outsiders, yet many do nothing to mitigate the risks. Some 7 per cent of agents admitted that someone inside their organisation has asked them to access or share customers’ payment card information or other sensitive data; and 4 per cent said the same about someone outside their organisation. Near one in ten, 9 per cent said they personally know someone who has unlawfully accessed or shared customers’ payment card information; and 42 per cent of those approached said they did not report the situation to either management or the authorities. According to the software firm these percentages may seem small, but one successful breach attempt could cost an organisation.
In other findings, most, 79 per cent of agents are not allowed to have cell phones at their work station; 38 per cent are not allowed paper or pens at their work station; 31 per cent are not allowed personal items or bags at their work station; 28 per cent must pass through a security check before entering or leaving work; and 26 per cent work in a contact centre “clean room,” which prohibits any personal items and recording devices of any kind. About a third, 35 per cent of agents in the Business Process Outsourcing (BPO) industry have access to customer information when they aren’t on the line with them; 11 per cent have been approached to share customer information.
Tim Critchley, Semafone CEO said: “Our survey confirms that many contact centres are still using inadequate practices when capturing, processing and storing payment card data and other personally identifiable information (PII). When a single data breach can cost a company millions, traditional security controls like clean rooms and check points are not enough. The only way to truly protect sensitive data is to remove it from the business infrastructure completely.
“Although just four and seven per cent of survey participants had been approached by outsiders and insiders respectively, these are alarming numbers when extrapolated to the greater contact centre agent population. While the majority of agents are good, honest people, it takes just one malicious person to expose sensitive data and ruin a business’ reputation. Contact centres need to act now—otherwise, they are just sitting around, waiting to be breached.”
To address data security, Semafone urges organisations to descope their contact centres from Payment Card Industry Data Security Standard (PCI DSS) compliance. This is achievable by adopting dual-tone multi-frequency (DTMF) masking.
