Sinclair Voicenet


Sinclair Voicenet have provided friendly and professional advice to enable us to install a robust and user friendly Nice call recording and screen capture quality assurance system. This allows us to monitor and improve our service to the public.

Lyle Carleton

Telecoms Manager

Northern Ireland Civil Service


PCI DSS

26 October 2009

As recently as March 2009, a call centre worker stole the details of a customer after his contract had been ended and plundered thousands of pounds from that customer's credit card account.

Kevin Robertson took a contacts book with him when he was asked to clear his desk for poor time-keeping at the Barclaycard office in Stockton, a court heard. He later rang the call centre, pretended to be a customer by using confidential details he had taken days earlier, and transferred £11,275 to his own bank account. In another incident, in April 2008, call centre worker Asman Alyas passed confidential bank account details, acquired through his role as a customer service advisor at an RBS call centre, to fraudsters. Alyas worked at the RBS centre for 10 months, where his role involved taking calls from customers checking statements, carrying out balance transfers and changing personal details. The total amounted to the theft of £33,585 from seven customer accounts.

For many organisations the most challenging element of the PCI Data Security Standard is ensuring that call recordings of customer calls do not record specific sensitive cardholder data, such as the CVC number.

Non-compliance with the latest PCI Data Security Standard could be a costly oversight. Fines can be imposed by the PCI, and merchant service arrangements could be withdrawn, preventing you from accepting card payments. Deloitte estimates that the costs of non-compliance could run to millions of euros for an average call centre.

Lisa White, PCI DSS Expert, Deloitte, stated: "Take a quite modest compromise of 10,000 cards at a merchant, you could expect to have compromise fees of 5 euros per card; investigation costs of about 30,000 euros; an average fraud of 1,000 euros per card, card replacement costs of 20 euros per card; and 30 euros per card in chargeback fees. That comes to around 11 million euros".

PCI DSS 1.2 presents a set of specific challenges to the call centre operator, in particular the issues of call recording and the threat from within presented by rogue agents.

Call recordings are digital data that, in a transactional environment, will include sensitive payment card data. PCI DSS 1.2 specifically forbids the storage of this data after the transaction has been processed. Furthermore, the standard requires that the call centre operator meet standards of care in the recruitment, vetting and management of agents so as to minimise the risk of a security breach.

Any call centre involved in payment card processing must therefore address these challenges in addition to the more familiar data protection obligations that it faces as a merchant or as an outsourcer. Operators have addressed these issues using a number of compensating controls, but these are point solutions that fail to deliver a comprehensive solution. They may include some combination of the following:

  • If sensitive data appears on the call recording, you might apply one of the following:
      • Pause/mask call recording during the transaction. The disadvantage is that this is technically challenging and expensive, and it fails to meet other compliance requirements such as those imposed by the FSA.
      • Delete sensitive data post-call. The disadvantage is that the call analysis software deployed to detect card data can also be used to extract card data. PCI have invalidated this approach.
      • Encryption of the call recording. The disadvantage is that encryption requires extensive key management, which presents other challenges, and PCI do not recognise encryption as an adequate compensating control for sensitive data storage.
  • Staff recruitment: CRB referral, background checks and referencing. Expensive and time-consuming to manage, and still prone to error and inaccuracy.
  • Physical controls: physical area security, no personal items at the workstation, no pen (only pencil) and numbered sheets of paper, no internet and email access. These physical controls can create a problematic cultural dynamic, leading to increased attrition and recruitment challenges.
  • Home working: processing payment card data in the home environment is unlikely to meet PCI DSS 1.2 obligations.
  • Off-shore transaction processing: eliciting and controlling payment card information across borders is problematic from a cardholder confidence perspective. Additionally, some off-shore locations have higher compromise rates than on-shore equivalents.
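The first of the controls listed above, pausing or masking the recording during the card-capture step, can be illustrated in code. The following is an added example written for this page; it is not Sinclair Voicenet's or any partner's product code. It models a recorder that drops audio segments between hypothetical `payment_start` and `payment_end` events raised by the agent's desktop, and then audits whatever was retained for any Luhn-valid card-number-like digit run, so a misconfigured pause can be detected before the recording is stored. The call transcript and event names are constructed for the example.

```python
"""Pause/mask a call recording during card capture, then audit the retained
segments for surviving PAN-like digit runs. Illustrative only: constructed
events and transcript, not a real telephony integration."""
import re
from dataclasses import dataclass, field


@dataclass
class Recorder:
    paused: bool = False
    retained: list = field(default_factory=list)  # segments written to storage
    masked_count: int = 0                          # segments dropped while paused

    def feed(self, segment: str) -> None:
        # While paused, the segment is discarded rather than stored.
        if self.paused:
            self.masked_count += 1
            return
        self.retained.append(segment)

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False


# Constructed call: (event kind, transcript text). "payment_start" and
# "payment_end" are hypothetical desktop events, not a named product's API.
CALL_EVENTS = [
    ("speech", "Hello, I'd like to pay my bill."),
    ("speech", "Of course, I'll take your card details now."),
    ("payment_start", None),
    ("speech", "Card number 4111 1111 1111 1111"),
    ("speech", "expiry 12/26, security code 123"),
    ("payment_end", None),
    ("speech", "Thanks, that payment has gone through."),
]


def run_call(events, rec: Recorder, honour_pause: bool = True) -> Recorder:
    """Drive the recorder from the event stream. honour_pause=False simulates
    a deployment where the pause control was never wired up."""
    for kind, text in events:
        if kind == "payment_start":
            if honour_pause:
                rec.pause()
        elif kind == "payment_end":
            rec.resume()
        else:
            rec.feed(text)
    return rec


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit validation over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){12,18}\d")


def audit_retained(rec: Recorder) -> list:
    """Return a truncated marker (first six, last four) for each Luhn-valid
    PAN-like run found in the retained segments. The full PAN is never
    returned, so the audit log itself does not become cardholder data."""
    findings = []
    for segment in rec.retained:
        for match in PAN_PATTERN.finditer(segment):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                findings.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return findings


if __name__ == "__main__":
    good = run_call(CALL_EVENTS, Recorder())
    print("retained segments:", len(good.retained), "masked:", good.masked_count)
    print("PAN leaks in retained audio:", audit_retained(good))
    bad = run_call(CALL_EVENTS, Recorder(), honour_pause=False)
    print("with pause disabled, leaks:", audit_retained(bad))
```

The audit step matters because the page's objection to post-call deletion is that detection tooling can double as extraction tooling: here the detector runs only on what the pause already kept, and reports a truncated marker rather than the card number, so it confirms the control worked without creating a second copy of the data.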

Sinclair Voicenet have undertaken extensive research with our technology partners to ensure we can provide a complete set of solutions that address all of the issues stated above, ensuring that your call centre runs in line with all current legislative directives and protecting your business and your customers' money. If you would like to discuss the available options, please contact our sales office.
