Card payment fraud in the news
- British Airways was fined £20m by the UK data protection authority over data security failings which enabled unauthorised access to personal and payment card information for more than 400,000 of BA’s customers. (2019)
- One of the largest hotel chains in the world, Marriott suffered a data breach of its main reservations database in 2018, initially estimating that up to 500 million of its customers had been impacted (later confirmed as 383 million). (2018)
- One of the largest credit reporting agencies in the US, Equifax, was the victim of a breach lasting over 78 days in total and caused by a vulnerability for which a patch had been issued but that Equifax had failed to apply in time. (2017)
- One of the world’s largest marketplaces, eBay, suffered an attack that impacted 145 million customers in 2014, the source of which was traced back to the compromise of a small number of employee login credentials. (2014)
- The BBC reported that Sony Computer Entertainment Europe Limited received a monetary penalty of £250,000 from the Information Commissioner’s Office (ICO) after compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk (2013).
- The New York Times reported breaches at Target, confirming that payment data was stolen from customers who shopped in its stores in the United States (2013)
- The Sunday Times exposed the trade in stolen personal data from Indian contact centres, data entry services, IT support helpdesks and hosting services (2012)
Cross-industry security, regulations and directives
The schemes recognise the need for a cross-industry, joined-up card payment security system. They also realise that PCI does not exist in a vacuum; there are other measures, regulations and directives with corresponding impacts, including the Information Commissioner’s Office (ICO), Financial Ombudsman Service (FOS), International Standards Organisation (ISO), Financial Conduct Authority (FCA), Dodd-Frank reforms, Sarbanes-Oxley, the UK Data Protection Act and EU Data Protection Regulations. The take-up of PCI DSS compliance is only as fast or slow as the largest and smallest merchants and agents adopting it. Merchants include any organisations taking card payments using in-house call centres, homeworkers, outsourced call centres or outsourced IT providers. More and more merchants have been asking what needs to be done to become PCI DSS compliant.
PCI DSS recommendations
- It is a violation to store sensitive card data after authentication without proper protection including in call recordings, and in particular it is prohibited to store/record the CVV/CV2 number under any circumstances.
- Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of sensitive elements.
- Personal Account Numbers (PANs, or the long card number) must not be held in a manner accessible to others and should be masked in part if/when displayed (e.g. last 4 digits only).
- Encryption/Tokenisation should be used when storing or transmitting sensitive data. Unencrypted VoIP telephone systems must be avoided.
- Homeworkers should be tightly supervised to ensure that they are not receiving or storing sensitive client data in a manner which breaches the requirements – including writing client card details and authentication numbers down, or storing them on unencrypted or removable media such as USB sticks.
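The recommendations above boil down to two controls on any text a contact centre stores (transcripts, agent notes, ticket fields): a PAN may be kept only in masked form, and a CVV/CV2 value must never be written at all. The following is an added example, not code from the original page or from any PCI DSS tooling; it uses a Luhn check to tell PAN candidates apart from other long numbers, masks them to the last four digits, and removes any 3- or 4-digit code announced after words such as "CVV" or "security code". The regular expressions, the sample transcript and the `[REMOVED]` marker are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or hyphens (assumed PAN shape).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3- or 4-digit code spoken shortly after a CVV-style label (assumed label list).
CVV_CONTEXT = re.compile(r"(?i)\b(cvv2?|cv2|cvc|security code)\b[^\d]{0,20}(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a PAN so that only its last `keep_last` digits remain readable."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the text with PANs masked and CVV values removed, plus counts of each action."""
    stats = {"pans_masked": 0, "cvv_removed": 0}

    def _pan(match: "re.Match") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):              # non-Luhn numbers (refs, phone numbers) are left alone
            stats["pans_masked"] += 1
            return mask_pan(digits)
        return match.group(0)

    def _cvv(match: "re.Match") -> str:
        stats["cvv_removed"] += 1
        return match.group(1) + " [REMOVED]"  # the code itself is never stored

    text = PAN_CANDIDATE.sub(_pan, text)
    text = CVV_CONTEXT.sub(_cvv, text)
    return text, stats


# Constructed sample transcript for demonstration; the card number is a well-known test value.
SAMPLE_TRANSCRIPT = (
    "Agent: Card number please. Caller: 4111 1111 1111 1111, expiry 12/26, "
    "security code 123. Agent: Thanks, your reference is 1234567890123."
)

if __name__ == "__main__":
    cleaned, counts = redact(SAMPLE_TRANSCRIPT)
    print(cleaned)
    print(counts)
```

Run this over a transcript before it is written to any long-term store; the reference number in the sample survives because it fails the Luhn check, while the card number is masked and the security code is dropped. A 13-digit non-card number passes Luhn roughly one time in ten, so expect occasional over-masking rather than under-masking, which is the safer direction for this control.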
Is your contact centre struggling with the burden of PCI compliance?
Confusion over the requirements and future direction of the Payment Card Industry Data Security Standard (PCI DSS) has caused some U.K. organisations to shelve their efforts while they seek clarification.
Since all call centres record their transactions, the recordings present a potential security vulnerability if they include the customer reading out full credit card details over the phone, including the security code.
There are a variety of methods that companies could use to avoid problems. The most basic would be a ‘Pause and Resume’ solution that stops the recording while the customer reads out his or her three-digit security code, but this can be unreliable as most recording systems are out of the control of the individual agents.
A much more feasible approach would be to get the customer to key in their details on the telephone keypad, with the tones disguised on the recording. In this example, the agent just hears a flat tone, and also the customer can avoid reading out their card details in what might be a public place. This way, the merchant can remove this part of their business from the scope of PCI DSS.
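The difference between the two approaches above is where the control sits: pause-and-resume depends on an agent action at the right moment, whereas DTMF masking diverts the keyed digits to the payment channel before they reach the recorder or the agent at all. The following is an added simulation, not code from the original page or from any recording or payment product; it models a call as a list of events and shows what each approach leaves in the recording. The event format, the `<tone>` placeholder and the sample calls are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

FLAT_TONE = "<tone>"  # assumed placeholder for the flat tone substituted for each keypress

Event = Tuple[str, str]  # ("speech", text) | ("dtmf", digit) | ("pause", "") | ("resume", "")


@dataclass
class CallOutputs:
    recording: List[str] = field(default_factory=list)     # what the call recorder stores
    agent_hears: List[str] = field(default_factory=list)   # what reaches the agent's headset
    payment_channel: str = ""                              # digits delivered only to the payment system


def dtmf_masked_pipeline(events: List[Event]) -> CallOutputs:
    """DTMF masking: keyed digits go to the payment channel; recorder and agent get a flat tone."""
    out = CallOutputs()
    for kind, payload in events:
        if kind == "dtmf":
            out.payment_channel += payload
            out.recording.append(FLAT_TONE)
            out.agent_hears.append(FLAT_TONE)
        elif kind == "speech":
            out.recording.append(payload)
            out.agent_hears.append(payload)
    return out


def pause_resume_pipeline(events: List[Event], agent_presses_pause: bool) -> CallOutputs:
    """Pause-and-resume: speech is kept out of the recording only while the agent has paused it.
    `agent_presses_pause=False` models the agent missing the moment, so the spoken digits are recorded."""
    out = CallOutputs()
    paused = False
    for kind, payload in events:
        if kind == "pause":
            paused = agent_presses_pause
        elif kind == "resume":
            paused = False
        elif kind == "speech":
            out.agent_hears.append(payload)   # the agent always hears the spoken card details
            if not paused:
                out.recording.append(payload)
    return out


def contains_digits(segments: List[str]) -> bool:
    """True if any stored segment contains a digit (a cheap check for leaked card data)."""
    return any(ch.isdigit() for seg in segments for ch in seg)


# Constructed sample calls; the card number is a well-known test value.
KEYPAD_CALL: List[Event] = [("speech", "Agent: please key in your card number now.")]
KEYPAD_CALL += [("dtmf", d) for d in "4111111111111111"]
KEYPAD_CALL += [("speech", "Agent: thank you, the payment has gone through.")]

SPOKEN_CALL: List[Event] = [
    ("speech", "Agent: please read out your card number."),
    ("pause", ""),
    ("speech", "Caller: 4111 1111 1111 1111."),
    ("resume", ""),
    ("speech", "Agent: thank you, the payment has gone through."),
]

if __name__ == "__main__":
    masked = dtmf_masked_pipeline(KEYPAD_CALL)
    print("DTMF masked recording:", masked.recording)
    print("Payment channel received:", masked.payment_channel)
    for pressed in (True, False):
        pr = pause_resume_pipeline(SPOKEN_CALL, agent_presses_pause=pressed)
        print(f"Pause/resume (agent pressed pause={pressed}) leaks digits:",
              contains_digits(pr.recording))
```

With masking, the recording and the agent's audio contain only the flat tone regardless of what anyone does on the call, which is what allows that part of the process to be taken out of PCI DSS scope; with pause-and-resume, one missed keypress puts the full card number into the archive, and the agent has heard it either way.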