Card Theft From Contact Center Payments is About to Rocket
In 2014, the Aite Group published a report on the way in which Card Not Present (CNP) fraud is expected to change over 2015 and beyond.
Their basic premise is this: as the US market adopts EMV payments, criminals will move to easier targets, and the obvious place to attack is CNP payments. It's a sound argument, as it's something the market has seen in the UK and other markets, during EMV adoption there.
The projections for fraud losses in the US market, according to Aite, will climb steeply over the next 3 years
Here's My Problem With That.
"CNP Fraud" is a fraudulent transaction made through a CNP channel. In other words, somebody steals your card details (from somewhere) and uses it in a CNP channel to commit fraud (e.g. they go to a website and use your card data to buy something for them).
the US is concentrating on implementing EMV for card-present transactions, very
little attention is being paid to stopping the theft of card data through other
channels. The Aite report, as well as this one from the Smart Card Alliance,
focus on technologies like tokenization, 3D Secure and taking customer
passwords to help mitigate the impact of CNP fraud.
But that doesn't help with one really critical thing. If EMV (which, by the way, needs to be implemented in combination with P2PE and/or tokenization to be truly effective) will hugely limit a criminal's ability to steal card data, where will they turn next?
channels which are not secured in the same way as EMV/P2PE/card present
transactions - i.e. CNP channels.
And the weakest of them all is contact centers, as we'll see.
Relative Security of CNP Channels
Not Present is any transaction which is made by a cardholder who (d'uh) isn't
present. So that's:
• E-commerce transactions (you go online using a browser or app),
• Mail order (you post or fax an order form to somebody), and
• Contact center payments (you call a person) or automated phone payments (you call an automated IVR).
Let's take those one at a time.
Since the early days of very insecure shopping carts, e-commerce transactions have come a long way. Today, it's standard for new e-commerce implementations to use redirects, iframes and other technologies to divert card payment information away from a merchant, and directly to a PSP. Hey presto, the merchant has no card data flowing through their environment, and the opportunity for fraud is dramatically reduced (although, to be clear, they may still be in scope for PCI DSS under SAQ A-EP).
Technology for attacking potential fraud in e-commerce will continue to improve, and tokenization solutions from the major card brands, tokenization companies and standards like EMVCo's will help too.
What about mail/fax order?
Orders on paper have one unique advantage for keeping hackers away: they're on paper. It's hard to remotely steal a few million card numbers in this context. Granted, the boundaries are blurred when we start considering e-faxes, but there are a number of companies offering 'secure fax' functionality which allow processing in compliance with PCI DSS fax payment requirements.
So, to contact centers.
It's The Same Old, Same Old.
the main, contact centers continue to take payments in the same way they have
for the past 20 - 30 years. Either:
• People call and speak their card details to an agent, or
• People call and type their card data into an automated IVR inside the contact center.
In the main, call center payments as they have been done for the past 2 decades are fundamentally insecure, as the caller does not retain control of their card data. Callers have no idea about how their card data is being processed or secured. For agent-based payments, they also have no way of assuring themselves that contact center agents are not stealing their data.
It's just like standing up on a bus and reading out your card data to all the passengers. Who would do that, seriously? But contact centers give their customers little choice but to do exactly that.
So What's Changed?
Not much. Repeatedly, throughout my 15 years of working in the contact center industry, I have seen many (actually, most) companies who simply do not place adequate controls around their people, processes and technology in order to remove the threat of card theft.
are a few things which have remained constant, despite the introduction and
adoption of PCI DSS:
Being focused only on external attacks isn't good enough. People often forget that card data theft occurs from insiders too.
"I can use tokenization to remove card data from my contact center." Sure, and I love tokenization too. But in order to retrieve a token from your PSP, you have to supply them with the card data in the first place. In other words, tokens protect stored data, but not card data from a customer's initial payment. And as RAM scraping is the current tool of choice for hackers in the POS world, once P2PE takes care of that, we are definitely going to see much more RAM scraping from agents' PCs.
"I have implemented pause and resume to make sure my call recordings don't contain card data". Good; you're doing something. But is it working? Today, right now? Pause and resume tends to be very fiddly to configure, and then difficult to maintain. It does not fail gracefully (you end up storing card data in recordings). Regardless, it has two major flaws: the agent still hears/sees card data, and your agent PCs are exposed to that data. Hence we have the same internal fraud and RAM scraping concerns as above.
"We are PCI DSS compliant". Great! But we're not talking about compliance. We are talking about whether criminals can find and steal card data from your environment. That's security, and it's quite different. Compliance is making sure you have a working lock on the front door of your house on the day you have a security assessment. Security is ensuring that you always (no really: always) lock it. Much better is de-scoping, where you leave no valuable data inside your house, so that even if criminals should break in, they find nothing.
In my view, contact centers simply need to do a better job of protecting their customers' card data from potential theft. They are going to be targeted, explicitly, in 2015 as EMV adoption increases.
makes it tough to steal card data in the card present environment.
Redirects/iframes have improved e-commerce security, and continue to do so. For
criminals to gain useful amounts of card data, they are going to need to move
to the next weakest area (and it's one which isn't very secure).
Which all leads me to one inescapable conclusion.
Contact center data breaches are about to rocket...I hope I'm wrong.
Imagine getting a burglar alarm fitted to your home. The company does a great…
Can you remember what you were doing a decade ago? A lot can happen in 10 years.