The Rise of Card Not Present Crime in Contact Centers

Rise of CNP Crime in Contact Centers
Rise of CNP Crime in
Contact Centers

Dramatic Rise
Card-Not-Present Fraud Losses
to Exceed $7 Billion by 2020

Some Areas Can Be Challenging
- Some e-commerce operations, where CHD
is used today as part of the operation of
the business itself (orders processing,
tracking customers using their PAN, etc)
- Where merchants have an agent-to-customer
direct conversation. Complex environment (pause
and resume, screen recording, integration with
payment/ordering systems). The most
uncontrolled environment for CHD.

Saks & Company - September 2014
A small scale breach with high
consequence.
 1 employee
 Stole 22 card numbers
 $400,000 fraudulent purchases
 Security breach hit the headlines
 Huge reputational damage to Saks
Surely One Employee Can’t Cause Much Harm?

Another “Small Scale” Contact Center Breach

Impact of a Larger Breach
AT&T - April 2015
 AT&T been fined $25m (£17m) over
data breaches at call centres in Mexico,
Colombia and the Philippines.
 Names, social security numbers and
customer account details were taken in
the series of data thefts that took place
in 2013 and 2014.
 The details of about 280,000 people
were taken during the data breaches.
• Call centre staff involved in the breaches
used the data to work with criminals
peddling stolen phones who needed to
unlock handsets.

Impact of a Wide-Scale Cyber Attack
TalkTalk - October 2015
Confidential customer data hacked:
 Email addresses, names, phone numbers
 Bank account numbers and sort codes.
 The company lost 101,000 customers in the third
quarter.
 TalkTalk suggested that the cyber attack
accounted for 95,000 of those lost customers.
February 2016
 The cost of the disruption was about $18m, it
said in a trading statement. There were also
exceptional costs of $50m-$56m, taking the total
bill for the attack to around $76m.

Target - The Most Significant Breach in History
 Data containing the names, mailing addresses,
phone numbers, email addresses and payment
card information for up to 70 million people.
 Thieves targeted a VPN of an A/C company
where technicians used to remotely connect to
Target’s network.
 Attackers infiltrated Target's point-of-sale (POS)
systems and spent more than two weeks scraping
and dumping credit card data to sell on the black
market.

Thousands of Credit Cards Numbers Leaked
VICI Marketing LLC – Florida-based Telemarketing
firm leaks 17,000 recorded calls, many containing
credit card details
• 17,649 audio recordings of telemarketing calls
during which customers gave out their names,
physical addresses, phone number, credit card
number, CV numbers, and more.
• Recordings were sitting on unsecured database
online.
• Previously paid $350,000 fine in 2009 for data
breach, which stipulated possibility of $1million
fine if it happened again.

EMV is Driving Criminals Elsewhere
 EMV (Chip & Pin) technology brings greater
security to brick-and-mortar payments and
consumer behavior continues to drive the
omnichannel trend
 Fraudsters are turning their attention to the
online “card-not-present” commerce channel

The Payment Card Industry Data Security Standard (PCI DSS)
 A proprietary information security standard for
organizations that handle branded credit cards
 PCI DSS rules stipulate that companies should have
systems in place to put the credit or debit card details
of customers out of reach of call center staff, either by
masking the sound of their voice as they read the card
numbers or by providing an input method that is
shielded from the call center operative.

The Payment Card Industry Data Security Standard (PCI DSS)
 The 2015 edition of the Verizon PCI report shows
enterprises are, on the whole, getting better at
achieving full PCI compliance. Unfortunately, few can
sustain it.
 Being treated as a tick box exercise

Why Are So Few Businesses Securing Their Payments?
Less than 20% of retailers and call centres that
take payment by phone do so in an secure way,
exposing tens of millions of customers’ credit
and debit card details to potential fraud or sale
on the black market

What is it Costing?
US Losses
 Card-Not-Present Fraud Losses to Exceed $7 Billion by 2020
 Intelligence is that much of the increase is fraudsters using card details stolen
through data hacks and malware
 Fraud attempts on digital retail sales rose 31% from Thanksgiving to December
31st over the previous year.
European Stats
 European Central Bank reports show changes in the type of frauds committed
with 66% of the total value (€958 million) resulting from so-called card-not-
present (CNP) payments made via the internet, post or phone.
 CNP fraud is the only type of fraud loss to record an increase compared to ATM
and PoS fraud which both fell. (Source: The European Central Bank (ECB)

What is it Costing?
 U.S. credit card fraud had increased 100 percent from just seven
years ago.
 As a contributing rising card-not-present fraud— now represents
45 percent of total U.S. card fraud.
 As the number of chip cards and EMV terminals continues to grow,
analysts expect that CNP fraud will grow with it
 The growth in CNP fraud is also a factor of the growth in e-
commerce shopping.

Verizon 2015 PCI Report - Key Points
Of all the companies investigated by our forensics team over the last 10
years following a breach, not one was found to have been fully
PCI DSS compliant at the time of the breach.
On PCI Requirement 3 (Protect Cardholder Data):
 62% of companies are compliant at interim assessment
 But just 38% of breached companies were compliant at the point of
the breach
As more organizations shift to encryption, tokenization, and/or not
storing CHD at all, we expect this requirement to further converge in the
years to come.
“
“
“
“

PCI DSS Compliance in
the Contact Center

The Future
 Criminals will increasingly target call centers and e-commerce
 Merchants need to prepare for oncoming hacking attempts
 Removing card data entirely eliminates fraud risk

Denial – “Fraud Won’t Happen to Us!”
 *17% of organizations only use basic security as their main fraud deterrent
 Manual processes and training for correct payment handling.
 Rely heavily on firewalls and other security related equipment to prevent
breaches
 Encryption software for areas that store customers’ information.
 Not fail-safe and often span generic systems without any specific focus on one
department’s activity or processes.
 When breached, it often spells financial and reputational disaster for the
organization involved.
*Source: Resilient Commercial Survey 2012

Segmenting- Payment Areas, Clean Rooms, Pausing Recordings
 *42% of contact centers segment the payment process within the contact center.
 Includes creating
 ‘Clean room’ environments
 Segregating credit card handlers from other contact center personnel.
 Transferring calls from one agent to an unrecorded extension
 ‘pause/resume’ on calls at payment time
 Still gaps. Call recordings and data collected on PCs and networks will be
exposed in a PCI audit.
 Segmenting in isolation will not adequately address the full scale of PCI
requirements.

Protecting- Outsourcing Risk to PCI Compliant Service Providers
 *13% of Contact Centers use external vendor technology
 Agents transfers calls to IVR platform and caller uses phone keypad to enter card
details.
 Cloud-based solutions enable agents to stay on phone with caller while processing
payment. System hides card entries on the agent screen and blocks DTMF tones
from being recorded.
 Call recordings can continue without interruption.
 Popular approach with contact centers aiming to increase home based/remote
agents. Same security systems can be used remotely as their premise based
colleagues.
 Most resilient form of PCI compliance available to contact centers

There Is New Technology Making This Easier

Card data
through merchant
Card data in Card data out
Typical Merchant Environment

Removing The Merchant From Scope
Card data bypasses merchant
Card data in Card data out
Placeholders
flow through
merchant

With DTMF Masking Technology
Step 1
Caller rings the contact center to inquire about a product or
service. Call recording can continue throughout the entire
conversation, including taking a payment.
Step 2
The caller enters their card details using their
telephone keypad. DTMF tones are intercepted and
changed to monotones. The web screen masks the
digits from the agent as the customer presses buttons.
Step 3
Card details are checked directly with PSP. The agent is
notified of payment approval or rejection.

Using Hosted DTMF Masking
Hosted
All contact center incoming calls travel through a hosted, secure platform. When the agent needs to take a
payment, the agent’s phone and web sessions are linked. Cardholder data remains isolated from the contact
center environment, the agent and caller can continue dialogue, providing a seamless customer experience.
The entire contact center is removed from scope:
• Call Recording and Screen Recording
• Agents and Desktops
• IT Systems
• Data LAN
• Physical Environment
• Internet access restrictions
• Building (CCTV, etc.)
• PBX/ACD/CTI
• Telephony Network (Digital or VoiceLAN)

Conferencing/ Plug-In DTMF Masking
Mid-Call
At the point of payment, the contact center agent connects via
conference to a hosted web panel which masks DTMF tones. For call
recordings, it uses an on-site component to filter the DTMF tones
from audio traffic. Removes the following from PCI DSS scope:
• Call Recording and Screen Recording • Agents and Desktops • IT
Systems • Data LAN • Physical Environment • Internet access
restrictions • Building (CCTV, etc.)
On-Site
With on-site components to block DTMF tones, this tends to remove
only the following from PCI DSS scope:
• Call Recording • Screen Recording • Agents

With Tokenization…
PAN Token
Complete De-Scoping

The Trouble Is, It’s Now Not All About Card Data
The EU's General Data Protection Regulation
(GDPR) intended to strengthen data protection
comes into force in May 2018

GDPR
It’s Not Just Card Data – It’s Data
• For years, contact centers have been focused on the security of card
payments, and ensuring that customers’ sensitive card data is not stored,
transmitted or processed in an insecure manner.
• With GDPR, companies need to expand that thinking to all personal data,
often referred to as Personally Identifiable Information (PII). PII includes
names, email addresses, account balances, passwords and anything which
is specific to an individual.
• Your company probably holds a large amount of this data, because it’s
vital to your business. Imagine running a hotel without a customer’s
name, address and room preference. In many circumstances, you need to
retain and use this information. & Clean Rooms

Short Guide to GDPR
 Tougher Penalties for Breaches
 Fines of up to 4% or € 20 million
 Extends to third party providers
 It applies to anyone regardless of where
they are based that is doing business in
Europe
 Deployment of a DPO will be mandatory for
companies with high volumes
 Controllers to report a breach within 72
hours

The Future
 Criminals will increasingly target call
centers and e-commerce
 Business need to prepare for oncoming
hacking attempts
 Get ready for GDPR now
 Solutions exist to remove card data to
eliminate fraud risk

Don’t Be The Next Headline

The Future
 Criminals will increasingly target call centers and e-commerce
 Merchants need to prepare for oncoming hacking attempts
 Removing card data entirely eliminates fraud risk
 Tokenization, using a proxied approach, is a flexible method

Call: 1-866-258-9297| Click: tellmemoreUS@eckoh.com | Visit: www.eckoh.com

The Rise of Card Not Present Crime in Contact Centers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Rise of Card Not Present Crime in Contact Centers

Similar to The Rise of Card Not Present Crime in Contact Centers (20)

Recently uploaded

Recently uploaded (20)

The Rise of Card Not Present Crime in Contact Centers

Editor's Notes