How can contact centres solve the card payments dilemma?
Recording conversations with customers is considered good practice in contact centres, but those accepting card payments face the tricky problem of whether to record calls containing sensitive payment card details. Tim Critchley of Semafone sets out the options available.
There are many reasons why you may want to record telephone calls with your customers.
In the financial services industry, for example, the “Treating Customers Fairly” Act requires calls to be recorded in full if they concern the sale of particular regulated products. The Data Protection Act of 1998 also offers customers the right to copies of recordings if they believe they have been subject to mis-selling. Even in less regulated environments it can be difficult to demonstrate the principles of fairness and good customer service without comprehensive call records, so the recording of calls is widely considered to be good practice in contact centres. As consumers become increasingly well-informed about their rights, it is essential that you can access accurate information when the need arises.
If your contact centre is accepting card payments over the telephone, however, call recording can mean that you face an awkward dilemma. In order to reassure your customers that their card data is in safe hands, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard strictly regulates the handling of credit and debit card data and prohibits the recording of any sensitive card numbers, such as the three-digit code on the back of the card. So how can you take card payments over the phone and still record the call without putting yourself in breach of the PCI DSS?
Essentially, you have three options.
Option 1: Don’t take credit card numbers over the phone
There are still some contact centres where the option of paying by telephone does not exist. Somewhat counter-intuitively, however, the number of people choosing to pay by telephone has increased rather than declined with the growth in online shopping. Many people prefer to talk through their choice before they make a purchase; if you deny them the option of paying for it while they are still on the line you greatly increase the chance of losing the sale altogether.
Option 2: Deal with the data
The most popular ‘quick fix’ solution to the recording dilemma has been what is known as the “pause and resume” method. The call recorder is paused just before the customer reads out the numbers and resumed when they finish. There are a number of difficulties with this approach.
• It’s unreliable
Pausing the call recorder can either be done automatically or manually. If it is paused manually, the agent can effectively edit the call at will, choosing to remove any element that they would prefer not to be recorded. It is also subject to human error; if the agent presses the button at the wrong moment, the numbers will still be recorded. If the call pausing is automated, there is nothing to stop the customer from saying their number at the wrong moment.
• It makes the recording incomplete
By removing an element of the recording it is no longer a full record of the conversation and is therefore compromised if the recording is ever needed for use in court – as was the case during the recent prosecutions for the mis-selling of payment protection plans.
• It leaves everything ‘in scope’
PCI DSS compliance requires the stringent control of any part of the contact centre deemed to be ‘in scope’ – i.e. which has contact with payment card data. If customer service agents are listening to card numbers and entering them manually into a system, then they themselves, their computers, their desktops and the entire infrastructure of the contact centre will be in scope. This means that a set of checks and controls must be put in place across the contact centre and scrutinised regularly to ensure that security is as tight as it possibly can be.
Option 3: Remove the data altogether
This is by far the most effective system for securing telephone payments within a contact centre. If customers are able to enter their card details themselves and have these sent directly to the payment processor, the contact centre is “de-scoped” completely from PCI DSS, resulting in significant savings in costs and effort.
There are two ways of doing this:
• Interactive Voice Response (IVR)
Here, the customer is passed on to a machine for the payment part of the transaction. A recorded voice and a series of menu options will guide them through the process. This is effective in solving the PCI DSS problem, but is unsatisfactory from a customer service point of view; any problems are likely to result in the customer abandoning the process – IVR has a high drop-out rate.
• Remove the data
We have found that the only way to truly take the contact centre and the call recording out of PCI scope is to remove the data from the entire call centre infrastructure, by sending it directly to the bank from the customer. We have developed a method of masking the key tones as the customer enters them on their phone keypad, so the agent neither sees nor hears the numbers. This means that the call can be safely recorded in full. If the customer has more questions, or makes a mistake while entering the card details, the agent is still on hand throughout the call to help.
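The tone-masking idea behind this option can be illustrated with a small simulation; this is an added example, not Semafone's code. It assumes 8 kHz mono audio, keypresses aligned to 205-sample frames, a Goertzel detector for the DTMF frequency pairs, and a constructed sample of card digits ("4111"); the agent/recorder stream receives silence wherever a tone was detected, while the digits themselves go to a separate payment channel.

```python
import math
SAMPLE_RATE, FRAME, THRESHOLD = 8000, 205, 100.0  # assumed: 8 kHz audio, standard DTMF block size
LOW, HIGH = (697, 770, 852, 941), (1209, 1336, 1477, 1633)  # DTMF row and column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(frame, freq):
    """Energy of one frequency in a frame (generalised Goertzel, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """DTMF digit present in a frame, or None if no row+column pair is above threshold."""
    low = [goertzel_power(frame, f) for f in LOW]
    high = [goertzel_power(frame, f) for f in HIGH]
    r, c = low.index(max(low)), high.index(max(high))
    return None if low[r] < THRESHOLD or high[c] < THRESHOLD else KEYS[r][c]

def dtmf_tone(digit, frames):
    """Synthesise a keypress: row tone plus column tone, each at half amplitude."""
    r = next(i for i, row in enumerate(KEYS) if digit in row)
    c = KEYS[r].index(digit)
    return [0.5 * math.sin(2 * math.pi * LOW[r] * i / SAMPLE_RATE) +
            0.5 * math.sin(2 * math.pi * HIGH[c] * i / SAMPLE_RATE) for i in range(frames * FRAME)]

def build_call(digits, tone_frames=8, gap_frames=4):
    """Constructed caller-side audio: each keypress is a tone followed by silence."""
    audio = []
    for d in digits:
        audio += dtmf_tone(d, tone_frames) + [0.0] * (gap_frames * FRAME)
    return audio

def split_call(audio):
    """Route digits to the payment channel and mask them out of the agent/recorder stream."""
    digits, recorded, last = [], [], None
    for start in range(0, len(audio), FRAME):
        frame = audio[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            recorded += frame               # speech passes through untouched
        else:
            recorded += [0.0] * len(frame)  # tone frame masked before it reaches the recorder
            if digit != last:
                digits.append(digit)        # one digit per keypress, not per frame
        last = digit
    return "".join(digits), recorded
```

Running `split_call` a second time over the recorder-side output returns no digits, which is the property that takes the recording out of scope; a production detector would also need guard frames around each tone so that partial frames at keypress edges cannot leak.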
The threats to contact centres are real. The majority of contact centre workers are simply trying to do their best for the customer, but in a profession where many of those working on the phones are likely to be in place for only a short period of time, there are inevitably some rogue employees.
Individual agents, however, are responsible for relatively small amounts of crime. Contact centre managers would do best to focus their concern on the organised gangs which are increasingly targeting card data. Professional criminals use a variety of different techniques to penetrate contact centres. Keyboard logging software, for example, records and reports every keystroke and can be hidden in emails such as ‘money off’ vouchers for local pizza restaurants, which will be quickly passed round the contact centre by well-meaning agents. There are also a number of ways in which hackers can access call routers; sometimes levels of security are so low that it is possible to listen in to calls simply by pressing a few keys on the telephone.
In my own experience I have come across many intricate yet ineffectual methods which have been adopted to secure contact centres. These are frequently implemented with the best intentions, but without taking into account the fact that people make mistakes. For example, one of our QSA partners recently encountered a call centre which had banned all pens and paper to create a “clean room” in which the only place to write was a large whiteboard. The aim was to counter the problem of agents jotting down card numbers to enter later when the system was running slowly. Unfortunately, the agents continued to record the numbers, but in the absence of paper they wrote on the whiteboard itself, where the sensitive data was visible to the entire contact centre.
Trying to control card data within the contact centre is an awful job. It’s messy, it’s almost impossible and it involves trying to place artificial controls on people that simply don’t work. For peace of mind, companies have two real options: keep spending on security to stay one step ahead of the bad guys, or hand your card data in its entirety over to payment specialists. The choice is yours!