Card-not-present (CNP) fraud has risen dramatically in the past few years. In the U.S., losses are predicted to exceed $7 billion by 2020. In this slideshare we look at the merchant weaknesses, particularly in contact centers, that allow this crime to take place, and at ways of preventing it.
The Rise of Card Not Present Crime in Contact Centers
1. Rise of CNP Crime in Contact Centers
Rise of CNP Crime in Contact Centers
2. Rise of CNP Crime in Contact Centers
Dramatic Rise
Card-Not-Present Fraud Losses to Exceed $7 Billion by 2020
3. Rise of CNP Crime in Contact Centers
Some Areas Can Be Challenging
• Some e-commerce operations, where cardholder data (CHD) is used today as part of the operation of the business itself (order processing, tracking customers by their PAN, etc.)
• Merchants that have a direct agent-to-customer conversation. This is a complex environment (pause and resume, screen recording, integration with payment/ordering systems) and the least controlled environment for CHD.
4. Rise of CNP Crime in Contact Centers
Surely One Employee Can’t Cause Much Harm?
Saks & Company - September 2014
A small-scale breach with high consequences:
1 employee
Stole 22 card numbers
$400,000 in fraudulent purchases
Security breach hit the headlines
Huge reputational damage to Saks
5. Rise of CNP Crime in Contact Centers
Another “Small Scale” Contact Center Breach
6. Rise of CNP Crime in Contact Centers
Impact of a Larger Breach
AT&T - April 2015
AT&T was fined $25m (£17m) over data breaches at call centres in Mexico, Colombia and the Philippines.
Names, social security numbers and customer account details were taken in a series of data thefts that took place in 2013 and 2014.
The details of about 280,000 people were taken during the breaches.
• Call centre staff involved in the breaches used the data to help criminals peddling stolen phones who needed to unlock the handsets.
7. Rise of CNP Crime in Contact Centers
Impact of a Wide-Scale Cyber Attack
TalkTalk - October 2015
Confidential customer data hacked: email addresses, names, phone numbers, bank account numbers and sort codes.
The company lost 101,000 customers in the third quarter. TalkTalk suggested that the cyber attack accounted for 95,000 of those lost customers.
February 2016
The cost of the disruption was about $18m, it said in a trading statement. There were also exceptional costs of $50m-$56m, taking the total bill for the attack to around $76m.
8. Rise of CNP Crime in Contact Centers
Target - One of the Largest Retail Breaches to Date
Data containing the names, mailing addresses, phone numbers, email addresses and payment card information of up to 70 million people.
The attackers stole the remote-access credentials of an HVAC contractor whose technicians connected to Target’s network, and used them to get in.
They then infiltrated Target’s point-of-sale (POS) systems and spent more than two weeks scraping and dumping card data to sell on the black market.
9. Rise of CNP Crime in Contact Centers
Thousands of Credit Cards Numbers Leaked
VICI Marketing LLC – Florida-based telemarketing firm leaks 17,000 recorded calls, many containing credit card details.
• 17,649 audio recordings of telemarketing calls during which customers gave out their names, physical addresses, phone numbers, credit card numbers, CVV numbers, and more.
• The recordings were sitting in an unsecured database online.
• The firm had previously paid a $350,000 fine in 2009 for a data breach, under a settlement that stipulated a possible $1 million fine if it happened again.
10. Rise of CNP Crime in Contact Centers
EMV is Driving Criminals Elsewhere
EMV (chip and PIN) technology brings greater security to brick-and-mortar payments, and consumer behaviour continues to drive the omnichannel trend.
With counterfeit-card fraud at the point of sale becoming harder, fraudsters are turning their attention to the online and telephone “card-not-present” channels.
11. Rise of CNP Crime in Contact Centers
The Payment Card Industry Data Security Standard (PCI DSS)
An information security standard, administered by the PCI Security Standards Council, for organizations that handle branded payment cards.
PCI DSS does not prescribe a particular technology, but it does require that sensitive authentication data (the CVV/CVC, for example) is never stored after authorisation, and PCI SSC guidance makes clear that this applies to call recordings. In practice a contact center therefore needs to keep customers’ card details out of reach of its staff and its recorders, either by suppressing the audio (pausing the recording or masking the tones) while the customer gives the number, or by providing an input method, such as the telephone keypad, that is shielded from the agent and the recording.
12. Rise of CNP Crime in Contact Centers
The Payment Card Industry Data Security Standard (PCI DSS)
The 2015 edition of the Verizon PCI report shows that enterprises are, on the whole, getting better at achieving full PCI compliance. Unfortunately, few can sustain it.
Compliance is being treated as a tick-box exercise.
13. Rise of CNP Crime in Contact Centers
Why Are So Few Businesses Securing Their Payments?
Less than 20% of retailers and call centres that take payment by phone do so in a secure way, exposing tens of millions of customers’ credit and debit card details to potential fraud or sale on the black market.
14. Rise of CNP Crime in Contact Centers
What is it Costing?
US Losses
Card-not-present fraud losses to exceed $7 billion by 2020.
Much of the increase is attributed to fraudsters using card details stolen through data breaches and malware.
Fraud attempts on digital retail sales rose 31% from Thanksgiving to December 31st over the previous year.
European Stats
European Central Bank reports show a change in the type of fraud committed, with 66% of the total value (€958 million) resulting from so-called card-not-present (CNP) payments made via the internet, post or phone.
CNP fraud is the only type of fraud loss to record an increase; ATM and PoS fraud both fell. (Source: The European Central Bank (ECB))
15. Rise of CNP Crime in Contact Centers
What is it Costing?
U.S. credit card fraud has increased 100 percent in just seven years.
Card-not-present fraud, a major contributor to that rise, now represents 45 percent of total U.S. card fraud.
As the number of chip cards and EMV terminals continues to grow, analysts expect CNP fraud to grow with it.
The growth in CNP fraud is also a factor of the growth in e-commerce shopping.
16. Rise of CNP Crime in Contact Centers
Verizon 2015 PCI Report - Key Points
Of all the companies investigated by our forensics team over the last 10
years following a breach, not one was found to have been fully
PCI DSS compliant at the time of the breach.
On PCI Requirement 3 (Protect Cardholder Data):
62% of companies are compliant at interim assessment
But just 38% of breached companies were compliant at the point of
the breach
As more organizations shift to encryption, tokenization, and/or not
storing CHD at all, we expect this requirement to further converge in the
years to come.
17. Rise of CNP Crime in Contact Centers
PCI DSS Compliance in the Contact Center
18. Rise of CNP Crime in Contact Centers
The Future
Criminals will increasingly target call centers and e-commerce
Merchants need to prepare for oncoming hacking attempts
Keeping card data out of the merchant environment removes the contact center as a source of card-data theft
19. Rise of CNP Crime in Contact Centers
Denial – “Fraud Won’t Happen to Us!”
*17% of organizations only use basic security as their main fraud deterrent:
• Manual processes and training for correct payment handling.
• Heavy reliance on firewalls and other security equipment to prevent breaches.
• Encryption software for the areas that store customers’ information.
These measures are not fail-safe and often span generic systems without any specific focus on one department’s activity or processes.
When breached, it often spells financial and reputational disaster for the organization involved.
*Source: Resilient Commercial Survey 2012
20. Rise of CNP Crime in Contact Centers
Segmenting- Payment Areas, Clean Rooms, Pausing Recordings
*42% of contact centers segment the payment process within the contact center. This includes:
• Creating ‘clean room’ environments
• Segregating credit card handlers from other contact center personnel
• Transferring calls from one agent to an unrecorded extension
• ‘Pause/resume’ on call recording at payment time
There are still gaps. Call recordings and data collected on PCs and networks will be exposed in a PCI audit.
Segmenting in isolation will not adequately address the full scale of PCI requirements.
*Source: Resilient Commercial Survey 2012
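The point above, that recordings and data sitting on PCs and networks are exposed in an audit, is the same weakness behind the VICI Marketing leak earlier in the deck: card numbers and CVVs captured in recordings and transcripts that nobody knew were there. The check a practitioner wants is a discovery scan for cardholder data in stored transcripts, exports and logs. The following is an added example written for this page, not code from Eckoh or from the deck. It assumes the records are already text (a speech-to-text transcript of a recording, a CRM export), uses a Luhn check to separate real PANs from order references and phone numbers that merely look like card numbers, and flags spoken CVVs; the sample records are constructed test data.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data spoken aloud: a CVV/CVC mention followed by 3-4 digits.
CVV_RE = re.compile(
    r"(?:security code|cvv|cvc|cv2|three digits on the back)\D{0,12}(\d{3,4})", re.I)


def luhn_ok(digits):
    """Luhn check: weeds out order numbers and phone numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS permits displaying at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text):
    """Return findings for one transcript/record. The full PAN is never copied into
    the findings: an audit report must not become another place CHD is stored."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "PAN", "value": mask_pan(digits), "offset": m.start()})
    for m in CVV_RE.finditer(text):
        findings.append({"type": "CVV", "value": "*" * len(m.group(1)), "offset": m.start(1)})
    return findings


def scan_records(records):
    """records: {name: text}. Returns only the records that contain cardholder data."""
    report = {}
    for name, text in records.items():
        hits = scan_text(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample data standing in for call transcripts and a CRM export.
SAMPLE_RECORDS = {
    "call-0001.txt": ("Agent: can I take the long number on the card? "
                      "Caller: it's 4111 1111 1111 1111, expiry 09/27, security code 123"),
    "call-0002.txt": "Caller: my order reference is 1234567890123456 and my phone is 01234 567890",
    "call-0003.txt": "Caller: the card is 5500-0000-0000-0004 and the three digits on the back are 321",
    "crm-export.csv": "id,name,note\n7,J. Doe,paid by phone, token tok_8f3a2c, no PAN held",
}

if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        for h in hits:
            print(f"{name}: {h['type']} {h['value']} at offset {h['offset']}")
```

Two records are reported (the two calls in which a card was read out), the order reference fails the Luhn check and is ignored, and the report itself contains only masked values. The same scan can be pointed at the agent desktops and shared drives the slide mentions; anything it finds there is in PCI DSS scope whether or not the payment process was “segmented”.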
21. Rise of CNP Crime in Contact Centers
Protecting- Outsourcing Risk to PCI Compliant Service Providers
*13% of contact centers use external vendor technology.
Agents transfer calls to an IVR platform and the caller uses the telephone keypad to enter card details.
Cloud-based solutions enable agents to stay on the phone with the caller while processing the payment. The system hides card entries on the agent screen and blocks DTMF tones from being recorded.
Call recordings can continue without interruption.
A popular approach with contact centers aiming to increase home-based/remote agents: remote agents can use the same security systems as their premise-based colleagues.
The most resilient form of PCI compliance available to contact centers.
*Source: Resilient Commercial Survey 2012
22. Rise of CNP Crime in Contact Centers
There Is New Technology Making This Easier
23. Rise of CNP Crime in Contact Centers
Typical Merchant Environment
[Diagram: card data in → card data passes through the merchant → card data out]
24. Rise of CNP Crime in Contact Centers
Removing The Merchant From Scope
[Diagram: card data in → card data bypasses the merchant; only placeholders flow through the merchant → card data out]
25. Rise of CNP Crime in Contact Centers
With DTMF Masking Technology
Step 1
The caller rings the contact center to inquire about a product or service. Call recording can continue throughout the entire conversation, including taking a payment.
Step 2
The caller enters their card details using the telephone keypad. The DTMF tones are intercepted and replaced with flat tones (monotones) before they reach the agent or the recorder. The web screen masks the digits from the agent as the customer presses the buttons.
Step 3
The card details are checked directly with the PSP. The agent is notified of payment approval or rejection, but never sees the card number.
26. Rise of CNP Crime in Contact Centers
Using Hosted DTMF Masking
Hosted
All contact center incoming calls travel through a hosted, secure platform. When the agent needs to take a payment, the agent’s phone and web sessions are linked. Cardholder data remains isolated from the contact center environment, while the agent and caller continue their dialogue, providing a seamless customer experience.
The entire contact center is removed from scope:
• Call Recording and Screen Recording
• Agents and Desktops
• IT Systems
• Data LAN
• Physical Environment
• Internet access restrictions
• Building (CCTV, etc.)
• PBX/ACD/CTI
• Telephony Network (Digital or VoiceLAN)
27. Rise of CNP Crime in Contact Centers
Conferencing/ Plug-In DTMF Masking
Mid-Call
At the point of payment, the contact center agent connects via conference to a hosted web panel which masks DTMF tones. For call recordings, it uses an on-site component to filter the DTMF tones from the audio traffic. Removes the following from PCI DSS scope:
• Call Recording and Screen Recording
• Agents and Desktops
• IT Systems
• Data LAN
• Physical Environment
• Internet access restrictions
• Building (CCTV, etc.)
On-Site
With on-site components to block DTMF tones, this tends to remove only the following from PCI DSS scope:
• Call Recording
• Screen Recording
• Agents
28. Rise of CNP Crime in Contact Centers
With Tokenization…
[Diagram: PAN → Token. The PSP returns a token in place of the PAN, so the merchant never holds the card number.]
Complete De-Scoping
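The three DTMF-masking steps above and the tokenization slide describe one data-flow design: a masking layer sits in front of the contact center, digits typed on the keypad are buffered there, the recorder hears a flat tone, the agent sees asterisks, and only the PSP ever receives the PAN, handing back a token for the merchant to keep. The following is an added example written for this page to make that flow concrete; it is not Eckoh’s product code or any vendor’s API. The `MaskingProxy` and `PspStub` classes, the `FLAT_TONE` marker and the “PAN ending 0002 is declined” rule are all constructed for the example, and the card numbers are test values.

```python
import secrets

FLAT_TONE = "FLAT_TONE"   # what the recorder stores in place of a real DTMF digit


class PspStub:
    """Stand-in for the PCI DSS compliant payment service provider (PSP) / token
    vault. Constructed for this example: it checks the card number format,
    simulates a decline, and hands back a token that replaces the PAN."""

    def __init__(self):
        self._vault = {}  # token -> PAN; this mapping never leaves the PSP

    def authorise(self, pan, cvv):
        if not (pan.isdigit() and 13 <= len(pan) <= 19
                and cvv.isdigit() and len(cvv) in (3, 4)):
            return {"approved": False, "reason": "invalid_format", "token": None}
        if pan.endswith("0002"):  # constructed rule standing in for an issuer decline
            return {"approved": False, "reason": "declined", "token": None}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return {"approved": True, "reason": "ok", "token": token, "last4": pan[-4:]}


class MaskingProxy:
    """Sits between the telephony network and the contact centre.

    Outside capture mode keypresses pass straight through, so IVR menus still
    work and are recorded as normal. In capture mode the digits are buffered
    here: the recorder gets a flat tone, the agent screen gets an asterisk,
    and only the PSP ever sees the full number."""

    def __init__(self, psp):
        self.psp = psp
        self.recording = []      # (event, key) tuples the call recorder stores
        self.agent_screen = []   # masked field updates shown to the agent
        self.merchant_db = []    # what the merchant keeps after the call
        self._capture = None     # None, or {"pan": [...], "cvv": [...], "field": ...}

    def start_capture(self):
        self._capture = {"pan": [], "cvv": [], "field": "pan"}

    def next_field(self):
        self._capture["field"] = "cvv"

    def keypress(self, key):
        if self._capture is None:
            self.recording.append(("DTMF", key))   # ordinary, audible IVR input
            return
        field = self._capture["field"]
        self._capture[field].append(key)
        self.recording.append((FLAT_TONE, None))  # digit replaced on the audio path
        self.agent_screen.append(field + ":" + "*" * len(self._capture[field]))

    def submit(self):
        pan = "".join(self._capture["pan"])
        cvv = "".join(self._capture["cvv"])
        self._capture = None                       # wipe the buffer first
        result = self.psp.authorise(pan, cvv)
        if result["approved"]:
            # the merchant stores the placeholder, never the PAN
            self.merchant_db.append({"token": result["token"], "last4": result["last4"]})
        self.agent_screen.append(
            "result:" + ("APPROVED" if result["approved"] else "DECLINED " + result["reason"]))
        return result


def run_call(pan="4111111111111111", cvv="123"):
    """Scripted call: an IVR choice, then a keypad payment (constructed test data)."""
    proxy = MaskingProxy(PspStub())
    proxy.keypress("1")            # "press 1 for sales": before payment, recorded normally
    proxy.start_capture()
    for k in pan:
        proxy.keypress(k)
    proxy.next_field()
    for k in cvv:
        proxy.keypress(k)
    result = proxy.submit()
    return proxy, result


def leaked(proxy, secret):
    """True if the secret digits appear in anything the contact centre retains."""
    retained = repr(proxy.recording) + repr(proxy.agent_screen) + repr(proxy.merchant_db)
    return secret in retained


if __name__ == "__main__":
    proxy, result = run_call()
    print(result["approved"], proxy.merchant_db, proxy.agent_screen[-1])
```

The `leaked` check is the property the whole design rests on: after the call, the recording, the agent’s screen and the merchant’s own records contain no PAN, so none of those systems is in scope. Note that the proxy wipes its buffer before it even talks to the PSP; a decline or an error path must not leave the digits behind, and the declined scenario in the test confirms it does not.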
29. Rise of CNP Crime in Contact Centers
The Trouble Is, It’s Now Not All About Card Data
The EU's General Data Protection Regulation
(GDPR) intended to strengthen data protection
applies from 25 May 2018
30. Rise of CNP Crime in Contact Centers
GDPR
It’s Not Just Card Data – It’s Data
• For years, contact centers have been focused on the security of card payments, and on ensuring that customers’ sensitive card data is not stored, transmitted or processed in an insecure manner.
• With GDPR, companies need to expand that thinking to all personal data, often referred to as Personally Identifiable Information (PII). PII includes names, email addresses, account balances, passwords and anything else which is specific to an individual.
• Your company probably holds a large amount of this data, because it is vital to your business. Imagine running a hotel without a customer’s name, address and room preference. In many circumstances, you need to retain and use this information.
31. Rise of CNP Crime in Contact Centers
Short Guide to GDPR
Tougher penalties for breaches: fines of up to 4% of global annual turnover or €20 million, whichever is higher
Obligations extend directly to third-party providers (processors)
It applies to any organization, wherever it is based, that offers goods or services to, or monitors, individuals in the EU
Appointing a Data Protection Officer (DPO) will be mandatory for organizations whose core activities involve large-scale processing of personal data
Controllers must report a breach to the regulator within 72 hours
32. Rise of CNP Crime in Contact Centers
The Future
Criminals will increasingly target call centers and e-commerce
Businesses need to prepare for oncoming hacking attempts
Get ready for GDPR now
Solutions exist to keep card data out of the merchant environment, removing the contact center as a source of card-data theft
33. Rise of CNP Crime in Contact Centers
Don’t Be The Next Headline
34. Rise of CNP Crime in Contact Centers
The Future
Criminals will increasingly target call centers and e-commerce
Merchants need to prepare for oncoming hacking attempts
Keeping card data out of the merchant environment removes the contact center as a source of card-data theft
Tokenization, using a proxied approach, is a flexible way to do this
35. Rise of CNP Crime in Contact Centers
Call: 1-866-258-9297| Click: tellmemoreUS@eckoh.com | Visit: www.eckoh.com
Editor's Notes
This area we’re gathered to talk about today is what we do. It’s our marketplace, worked in it taking telephone payments for more than a decade
Specialists
While validation of compliance for attestation purposes (passing the annual assessment) is a “point in time” activity, PCI DSS requires full compliance to be actively maintained on a daily basis.
It’s not enough to just implement controls and think that this makes you safe. Without a well-designed and maintained risk measurement program, there’s no way to reliably prove the effectiveness of your controls and the actual level of risk that remains in your business.
There is a real danger in doing the minimum possible to comply. Knowing you ‘ticked the boxes’ provides little comfort in the aftermath of a breach.
It should be clear that no standard provides absolute coverage or protection, and that no type of validation will be infallible.
Denial – “Fraud won’t happen to us”
Of the contact centers surveyed, 17% only use basic security as their main fraud deterrent, using manual processes and training to ensure correct handling of payment information. These contact centers also rely heavily on firewalls and other security related equipment to prevent breaches to systems and use encryption software for areas that store customers’ information. Although these are good practice measures and form part of basic systems security, they are not fail-safe and often span generic systems without any specific focus on one department’s activity or processes.
When breached, it often spells financial and reputational disaster for the organization involved.
Segmenting – separate payments areas, clean rooms, pausing recordings
In addition to the security processes listed above, 42% of contact centers use additional security to segment the payment process within the contact center. This includes creating ‘clean room’ environments or segregating credit card handlers from other contact center personnel. Although this is generally good practice, there are still gaps in these systems and processes. Call recordings and data collected on PCs and networks will be exposed in a PCI audit, so segmenting in isolation will not adequately address the full scale of PCI requirements.
As an additional step, some contact centers transfer calls from one agent to an unrecorded extension where a second agent takes the customer’s payment card details (such as the CVV number) for bank verification. Other systems (used by 30% of our contact center sample) enable agents to manually pause and resume recording using buttons on their screen or handset.
Protecting – outsourcing the risk to PCI compliant service providers
More contact centers are realising the benefits of outsourcing security requirements to PCI DSS Level One service providers, as it reduces the scope of the lengthy and time consuming audit. Of our sample, 13% of contact centers use external vendor technology, where agents can transfer calls to an IVR platform at the point in a conversation when they need to take payments. The caller uses their telephone keypad to enter their card details.
Third-party cloud-based solutions can also be applied to the whole contact center. This method works by asking the caller to enter their card details manually through their telephone keypad. The agent is never exposed to cardholder data and can stay on the phone with the caller while the payment is processed. Minimal agent intervention is needed; the system hides card entries on the agent screen and blocks the DTMF tones from being recorded. It also enables call recordings to continue without interruption.
This approach is proving to be popular with contact centers that are aiming to increase the volume of home based and remote agents to their workforce as they can use the same security systems as their premise based colleagues.
Cloud-based solutions are proving to be the most resilient form of PCI compliance available to contact centers. Of our sample, 9% of contact centers had adopted such solutions with a further 13% considering this approach as part of their future compliance programme.