Friday 17 January 2014

Target breach highlights the importance of PCI DSS compliance

While the US retail industry is reeling from what has been declared by some as the ‘worst breach in history’, the payment breach at retail giant Target has put a very real perspective on the importance of PCI DSS compliance within large organisations.

Up to 70 million customers had payment card and personal data stolen from the company's databases in December 2013 (30 million more than first thought). Target reported that hackers took credit card numbers, names, postal addresses, phone numbers and email addresses, implying that Target stored credit card details against PCI regulations. 

With increased scrutiny expected from the payment card brands on POS and payment application security as a result of the more stringent standards written into PCI DSS 3.0 and PA-DSS 3.0, Target's breach serves as a further reminder of why POS systems need to be on US retailers' immediate radar. The US still uses a signature and a magnetic stripe to secure transactions rather than an encrypted chip. The introduction of the EMV Chip and PIN standard has radically reduced fraud in many of the countries that have adopted it.

It seems evident that for a hacker to infiltrate Target's network and access the POS application, several PCI DSS and PA-DSS controls were ineffectively implemented. But several Target insiders, who commend Target’s security practices, suggest that it goes further than the POS systems and that some interception must have happened elsewhere in the processing chain. Owing to the sheer scale of the attack during the busiest holiday period, they believe that multiple insiders may have been involved.

Regardless of the intricacies of the cause of the Target breach, the ultimate lesson is that organisations need to pay greater attention, not only to the POS-related changes put forward by the PCI Security Standards Council, but to all areas of security that involve data storage and its access controls.

The overarching theme of PCI DSS version 3.0 from the PCI SSC is to take a proactive stance when implementing security controls to guard these systems. This should prompt merchants to readdress security for their transaction points (POS, online, and contact centres), plus their network, data storage and human access. In the meantime, Target is unlikely to be the last breach we see this year.

Thursday 9 January 2014

What’s in a number? Tokenization

Recently, Visa Europe launched its Private BIN (Bank Identification Numbers) range for organisations that want to create internal identifiers. These have the same format as Visa Primary Account Numbers (PANs) but will never be used in the ‘real world’. There are two main reasons to do this:
  1. For test purposes – to test a payment system, for instance
  2. To create tokens which can be used in place of a PAN within internal systems
Companies can therefore use these two 6-digit numbers internally, knowing that Visa will never issue them to real entities. The numbers are:
  • 468738
  • 468739
These 6-digit numbers are important. They represent something quite special in the world of PCI DSS, tokens, and PCI audit de-scoping. It means that when service providers issue tokens (like Eckoh’s OneProx system) we can be confident that by starting the tokens with 468738 or 468739, our clients will know the difference between a payment card number and a token. Even when tokens are Luhn-compliant, they can still be detected as tokens, and not be mistaken for real PANs.

So why is this such a big deal?

Like many applications which use tokens, both OneProx and our CallGuard DataShield software have always been able to issue Luhn-compliant tokens which plug straight into our clients’ existing websites, CRM systems, payment gateways and applications. Luhn-compliant tokens are great, because they can be used in exactly the same systems or processes as card data without requiring any changes to them. And after all, Luhn-compliant tokens will pass any existing client-side Luhn checking functions. However, it’s always been very difficult (or impossible) to determine whether a given number residing in a database field is a token, or a real PAN. So how does a merchant know whether all the card data has truly been flushed out after implementing a token system?

By starting a token with a Visa Private BIN number, Luhn-compliant tokens are easily differentiable from card data. And yet these tokens are NOT cardholder data, so merchants’ systems can be removed from PCI DSS scope.

The Visa Private BIN range also has another important benefit for companies already using data discovery tools. Once the cardholder data discovery companies (such as Ground Labs and Foregenix) ‘lock’ these two magic numbers into their detection systems, companies will be able to run tokens and ‘actual’ cardholder data on the same databases, networks etc. and easily be able to determine which is which. This is great for companies transitioning from ‘live’ cardholder data to tokens over a period of time (not instantly). Of course, there are two important caveats here:
  1. Token providers will need to start their tokens with 468738 or 468739. This isn’t always possible, particularly if ‘first 6’ formatting is being preserved.
  2. Merchants will need to make sure that the Private BINs are not submitted for processing. (They aren’t the beginning of real card numbers, so they won’t work!)
However, at least the payments industry now has one sensible way of detecting token needles in a haystack of PANs.
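As an added illustration of the mechanism described in this post (this is example code, not Eckoh's OneProx or CallGuard implementation), the Python script below issues Luhn-compliant, PAN-shaped tokens that start with one of the two Private BINs, then runs a discovery-style sweep over a constructed CRM extract and separates tokens from card-number candidates, covering both the detection point above and the caveat that tokens must never be submitted for processing. The token layout (BIN + body + check digit), the function names and the sample records are assumptions; 4111111111111111 is a widely used Visa test number, not a real card.

```python
import re
import secrets

# The two Visa Private BINs quoted in the post; Visa will never issue them to a real card.
VISA_PRIVATE_BINS = ("468738", "468739")


def luhn_valid(number: str) -> bool:
    """Return True when a digit string passes the Luhn (mod 10) check."""
    if not number.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise RuntimeError("unreachable: exactly one check digit always exists")


def make_token(seq=None, bin_prefix=VISA_PRIVATE_BINS[0], length=16):
    """Issue a PAN-shaped, Luhn-compliant token that starts with a Private BIN.

    Hypothetical token format (an assumption): BIN (6 digits) + body + check digit.
    A real provider would draw the body randomly and keep a vault mapping token -> PAN;
    `seq` may be fixed here so the output is reproducible. Note that a token which
    preserves the real card's 'first 6' cannot use this scheme (the post's first caveat).
    """
    if bin_prefix not in VISA_PRIVATE_BINS:
        raise ValueError("token must start with a Visa Private BIN")
    body_len = length - len(bin_prefix) - 1
    if seq is None:
        seq = secrets.randbelow(10 ** body_len)
    body = f"{seq:0{body_len}d}"
    if len(body) != body_len:
        raise ValueError("sequence value does not fit in the token body")
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


def classify(number: str) -> str:
    """'token' if it carries a Private BIN, 'pan-candidate' if it merely looks like a
    card number, 'not-a-pan' otherwise (wrong length or fails the Luhn check)."""
    if not (13 <= len(number) <= 19) or not luhn_valid(number):
        return "not-a-pan"
    if number.startswith(VISA_PRIVATE_BINS):
        return "token"
    return "pan-candidate"


# Runs of 13-19 digits not adjacent to other digits, the shape a discovery tool looks for.
PAN_SHAPED = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_text(text: str):
    """Discovery-style sweep: (number, classification) for every PAN-shaped run found."""
    return [(m.group(), classify(m.group())) for m in PAN_SHAPED.finditer(text)]


def assert_not_token(number: str) -> str:
    """Guard for the second caveat: a Private-BIN token must never go out for authorisation."""
    if number.startswith(VISA_PRIVATE_BINS):
        raise ValueError("refusing to submit a token as a PAN")
    return number


# Constructed sample of a CRM export part-way through a migration from live PANs to tokens.
SAMPLE_RECORDS = """\
id=1 name=Alice card=4687380000000420 note=migrated
id=2 name=Bob   card=4111111111111111 note=legacy
id=3 name=Carol card=4687391234567890 note=corrupt
id=4 name=Dave  phone=01234567890
"""

if __name__ == "__main__":
    for number, kind in scan_text(SAMPLE_RECORDS):
        print(f"{number}  {kind}")
```

Running the script lists Alice's value as a token, Bob's as a card-number candidate that still needs flushing, and Carol's as not a PAN at all (it carries a Private BIN but fails the Luhn check), while Dave's phone number is never matched; the BIN test is what separates the first two cases, since both pass Luhn and both begin with the Visa digit 4.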

Thursday 5 December 2013

Give your business and your customers the best Christmas present this year – PCI compliance!

As we all hit the streets, the web and our phones to buy Christmas gifts, we’re possibly treating our payment card purchases with a little more concern and care than we gave them this time last year, and with good reason. According to Financial Fraud Action UK, types of fraud where the card holder is not present (phone, online or mail order purchases) have seen a 23 per cent year-on-year rise. And a staggering total of £185 million of fraud losses were recorded on UK cards between January and June 2012.

Consumers are becoming more aware of fraud and of how their personal data is stored and used, so the way in which you securely handle your customers’ payments over any payment method is becoming increasingly important to them. Two of the main risk areas for data breaches are internal staff access and external phone or network hacking. When customer data falls into the wrong hands, it can potentially spell disaster for the reputation and success of your business.

But help is at hand…

The Payment Card Industry Data Security Standard (PCI DSS) provides a set of security rules and practices that all businesses must adhere to if they want to continue accepting credit and debit cards from their customers. These rules help businesses to ensure their customers’ card information is handled securely and disposed of promptly. Following these rules minimises the risk of fraud, and they are enforced by the card organisations via fines (up to £500,000 for holding sensitive payment card data) and potentially withdrawal of your transaction services.

So if your business is taking payments over the phone or website this Christmas or will be in the New Year, then PCI Compliance is an absolute must. As a starter, here are 12 PCI requirements - one for each day of Christmas:

The 12 PCI Requirements:
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Physically and logically protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors
And that’s just systems and processes… what about the people?

Your customer-facing staff are both the most important asset to your organisation and the biggest risk when it comes to card information. They are also one of the toughest areas to secure without making their work life challenging.
Fortunately, systems are now available that not only help eliminate card data from your IT systems but also allow staff to take payments over the phone without accessing card data.

By capturing the payment via the touchtone keypad and blanking the tones heard by the staff member, payments can be handled simply without any significant changes to how staff interact with the customer. The staff member just adds the customer details and the amount to pay, and confirms the payment with the customer. Customers feel more at ease knowing that they are not relaying their card details to a stranger at the other end of the phone, or to anyone else in earshot…

Happy secure customers, protected productive business and peace of mind that your compliance needs for card payments are met without complex systems integration.

So have a great start to a happy and prosperous 2014.

Tuesday 26 November 2013

6 ways to get your IVR working better for your customers

With the explosion of smartphones, tablets and social media, it’s becoming ever more challenging to provide the kind of service your customers want. While many companies are now offering support through more channels, it’s a fact that customers still make enquiries through phone automation and contact centre agents. In addition, the majority of these phone calls are coming through IVRs from mobile phones. 

When developed poorly, IVRs can be extremely unpopular with customers. This usually happens when companies try and make IVRs super-efficient but end up making them over complicated - adding layer upon layer of options. Unfortunately this just creates unnecessary frustration and results in agents beginning conversations with highly irritated callers. 

So what can you do to make your IVR system good? It’s a hard question to answer without knowing your system, but here are a few tips from Eckoh to consider for getting your current system to be the best it can be:

1. Keep it simple. 
For the sanity of your customers, keep the menu options short. We now live in a world where we expect answers within seconds, so time-pressed customers don’t have the patience to navigate complicated, confusing menu systems. Give your IVR a call to see what you think of it, and where you may be able to simplify it if necessary. Aim for short, clearly worded menus with no more than three options at each interval.

2. Don’t forget it.
Like any machine, an IVR needs attention at frequent intervals to ensure it’s running smoothly. A mature system probably needs reviewing every month, and a new IVR will need daily or weekly attention (depending on call volumes) to ensure it’s working at its peak performance. Make sure your IVR is tuned up regularly to keep it effective and efficient for your customers.

3. Don’t ignore customers’ requests to speak to an agent
If a customer wants to speak to an agent – connect them. Many companies make it extremely difficult for customers to speak to agents by putting in diversions and blockers to force customers through automation. In our experience, customers happily use a well-designed IVR system if one of the options includes speaking to an agent early on in the process. Don’t make it impossible for customers to talk to you, as you’ll end up alienating them from your brand. Check your IVR and see how easy it is for your customers to get hold of an agent. It should be within the first two menu intervals.

4. Give your customers some intellectual credit
It’s highly likely that your customers have seen your website or contacted you through social media, so you don’t need to tell them how to find you on the web by giving your website address. Also, if you ask them to give you their phone number through speech or touchtone, you don’t need to give them excessive guidance on how to do it. Usability tests show that people are well versed in providing this information over the phone in the various formats that are required, so save your customers time by trusting their intelligence.

5. Save customers their precious time.
If a customer phones you wanting to track an order or pay a bill, they’re unlikely to want to hear about your latest promotional offer. So save marketing messages for a suitable time during the call – preferably at the end. Also, allow customers to anticipate options and interrupt the IVR dialogue rather than insisting that the caller listen to the whole message or option before they choose. Both these tips will help progress the call quicker and will help the customer resolve their query. 

6. Remove menus altogether.  
Highly departmentalised companies that have complex and multi-layered IVRs are reviewing the opportunity that natural language speech recognition provides and are opting for a speech recognition system. In some cases this removes the menu system altogether: after saying what they want, the customer is directed to the correct destination within seconds and without lifting a finger. Where relevant for the company, this alternative to IVR has a high take-up by customers given its more intuitive interface.

Want more information? Contact us here, or call 08000 630 730

Friday 11 October 2013

Will new fraud evidence make consumers fear contact centre payments?

Types of fraud where the card holder is not present, such as when purchases are made over the phone, online or by mail order, have seen a 23 per cent year-on-year rise. According to recent findings by Financial Fraud Action UK, which prevents crime on behalf of the financial services industry, £142m worth of losses were recorded.

So what does this mean for the Contact Centre industry and in particular organisations that take customer payments over the phone?

Despite improvements in security technology, criminals are finding new ways to target consumers using deception crimes over the phone. These have increased overall fraud losses on UK cards by almost 20% in 2013 with £216.1 million worth of card frauds committed in the first 6 months. 

The most worrying statistic shows a sharp increase in Card-Not-Present (CNP) crimes, where the cardholder is not physically present at the merchant when making a purchase. Criminals obtain card details through methods such as skimming, hacking into retailers’ data connections, or through unsolicited emails or telephone calls. CNP crime accounts for 63% of all card fraud.

Phone fraud on the increase
A telephone scam called “vishing” is becoming a more widely used method for criminals to get card details. The conman, pretending to be calling from a building society, bank or utility provider, tries to get their victim to hand over personal information such as their card PIN and date of birth.

They’ll ask the victim to call the bank back immediately to check that the call is authentic. Once the victim hangs up, the criminal stays on the line and hands the phone to another member of their gang, and the victim believes that they are actually speaking to their bank.

Another scam asks the victim to key in their PIN on their phone keypad, after claiming that their card needs renewing or has seen some fraudulent activity. This means the criminal can decipher their personal number from the telephone audio tones.

Tackling fraud
The Citizens Advice Bureau and police provide some good advice, helping consumers to spot a scam. Advice such as:

  • Never give out contact details like your name, phone number or address to strangers or to people who should have this information already.
  • Never give financial information or details of your identity, bank accounts or credit card to strangers or to the businesses that should already hold your details.

But if this is the advice given to consumers to protect themselves better, in the situation of paying a bill or making a purchase, what do consumers do when they are asked identification questions by a call/contact centre agent before being asked for their card details?  How do they know whether they can trust the agent and organisation to keep their information safe? 

The Contact Centre Challenge
In a consumer survey commissioned by Eckoh in 2012, 86% of consumers did not trust contact centre workers to keep their card payment details secure, believing that some agents may commit fraud by stealing their data. With the increase in contact centres asking for certain security information over the phone, this heightened security consciousness among consumers may hinder merchants’ attempts to present a secure environment to their customers.

To protect their customers’ details, many contact centres are applying technology that is compliant with the Payment Card Industry Data Security Standard (PCI DSS). This prevents card details from entering their environment and prevents the agents from seeing or hearing the card information being relayed to them. Card details are provided over the phone using the customer’s telephone keypad, and the audio tones are converted to monotones so that the digits cannot be recovered from the call. Agent screens displaying a customer’s file also mask the card details from view so they are not seen.

Consumers need to know it’s safe
Consumers will want the same security signature on their phone calls as they see on their web payments. Despite going to great lengths to implement PCI DSS compliant technology, contact centres are not promoting this level of security to their customers. With greater fraud awareness, customers will no doubt begin to question the integrity and security of the information they are asked to verbally provide over the phone. This was confirmed in our recent survey where 50.3% of consumers said that they would feel more secure if they knew a technology based solution was involved in the contact centre agent transaction process.

To give customers peace of mind at a time when criminals are using direct contact to commit fraud, merchants need to offer the reassurance that they have ALL customer contact channels, including their voice channels, securely covered.

Tuesday 27 August 2013

The phone isn’t a dead channel of customer communication

Since the rise of social media, advanced interactive websites, smartphones and tablets, organisations all over the world are adding more channels so customers can communicate with them. People can now do all their research on a product or service from the comfort of their own home or on their train journey to work, and even share their opinions once they’ve purchased.

These days, social media and mobile channels in particular are the driving forces behind customer contact. The new self-serving public now chooses to find out information themselves before making a decision and they’ll tend to do all this through the vast amount of information available to them on the world-wide web.

So what of the humble phone channel? Do people actually call to speak to a real human being anymore? The answer is a resounding yes, with most people still choosing the phone as their primary method of contact, with self-service channels closely following. What has changed, however, is the rationale for the call and the type of help needed. As customers find answers to their general enquiries themselves through automation or other self-help channels like the web and mobile apps, they tend to make a phone call when they have complex enquiries that need a specific and detailed answer available from no one but a specialist. And that’s how people now view customer service – as a ‘trusted advisor’. No longer does it exist to answer mundane questions about bank balances or nearest store information. Agents are now asked technical questions about product operation, service support and issues customers are experiencing that need resolving.

But as the phone is no longer the only communication channel but one of many, the challenge currently facing organisations is the apparent disconnect between what the customer wants from their phone call and what the contact centre agent is able to give them. Companies are realising that joining channels to provide a seamless and effortless customer experience is essential to maintain the faith and trust of their customers.

Consider the way you buy things yourself, for instance. You may start a search on the website using your smartphone or tablet; you want more technical information on a product or service, so you click ‘call me back’ and give your name and number. You then discuss the issue with an agent who you would ‘expect’ to know which product you have an interest in or a problem with, based on your actions on their website. Unfortunately, this isn’t always the case, and customers are becoming increasingly demanding that their journey through the organisation’s various channels is followed.

An unbroken integration between automated and voice channels gives your customers a great brand experience. It shows that you are in touch with them, understand their needs and can offer helpful and accurate information to help them make a choice. The phone channel is still perceived by customers and organisations as an extremely important part of the channel mix and ‘the hub’ of all other channels, usually being the point of most complex information for the customer.

The phone is very much here to stay, with its use evolving to make calls quicker and more efficient. General enquiries are now answered by automated services, and live agents are empowered to know much more detail about the products and services being sold.

Thursday 1 August 2013

What are contact centres doing to address PCI DSS compliance?


Many contact centres are changing their approach to how they deal with customer information to meet the pressure to comply with PCI DSS Standards. However, while most merchants are endeavouring to meet increasing customer security demands and protect their customers’ data, some do not see PCI compliance as a necessary step to achieve this.

In a recent Eckoh survey, 93% of contact centres either had a PCI compliance programme underway or were planning one. All contact centres tended to adopt one of the following strategies, with varying degrees of success in achieving PCI DSS compliance:


Denial – “Fraud won’t happen to us”

17% only use basic security as their main fraud deterrent, using manual processes and training to ensure correct handling of payment information. These contact centres also rely heavily on firewalls and other security related equipment to prevent breaches to systems and use encryption software for areas that store customers’ information. Although these are good practice measures and form part of basic systems security, they are not fail-safe and often span generic systems without any specific focus on one department’s activity or processes. When breached, it often spells financial and reputational disaster for the organisation involved.

Segmenting – separate payments areas, clean rooms, pausing recordings
42% of contact centres use additional security to segment the payment process within the contact centre. This includes creating ‘clean room’ environments or segregating credit card handlers from other contact centre personnel. Although this is generally good practice, there are still gaps in these systems and processes. Call recordings and data collected on PCs and networks will be exposed in a PCI audit, so segmenting in isolation will not adequately address the full scale of PCI requirements.


As an additional step, some contact centres are transferring calls from one agent to an unrecorded extension where a second agent takes the customer’s payment card details (such as the CVV number) for bank verification. Other systems (used by 30% of our contact centre sample) enable agents to manually pause and resume recording using buttons on their screen or handset.


These methods may work and are used extensively. The downsides are that they are still open to human error, and that standards and regulations are continually evolving, making the gaps to achieving compliance ever wider. It is also well known that the payment card council’s standards favour solid, technology-based solutions.


Protecting – outsourcing the risk to PCI compliant service providers
More contact centres are realising the benefits of outsourcing security requirements to PCI DSS Level One service providers, as it reduces the scope of the lengthy and time-consuming audit. Of our sample, 13% of contact centres use external vendor technology such as EckohPAY, where agents can transfer calls to an IVR platform at the point in a conversation when they need to take a payment. The caller uses their telephone keypad to enter their card details.


Third-party cloud-based solutions such as EckohPROTECT can also be applied to the whole contact centre. This method works by the agent asking the caller to enter their card details manually through their telephone keypad. The agent is never exposed to cardholder data, and the approach enables the agent to stay on the phone with the caller while the payment is being processed. Minimal agent intervention is needed, and the system hides card entries on the agent screen and blocks the DTMF tones from being recorded. It also enables call recordings to continue without interruption. This approach is proving popular with contact centres that are aiming to increase the volume of home-based and remote agents in their workforce, as those agents can use the same security systems as their premise-based colleagues.


Some businesses already have established IT network compliance methods for payment data through other means, which means they only need to address the telephony aspects of their IT infrastructure. Solutions like CallGuard, which focus purely on call recordings, eliminate sensitive card data from telephone conversations before they are recorded. They can also prevent your agents from seeing any card data on screen, removing the potential for card data theft.


Cloud-based solutions are proving to be the most resilient form of PCI compliance available to contact centres. Of our sample, 9% of contact centres had adopted such solutions with a further 13% considering this approach as part of their future compliance programme.