Card theft from contact centre payments is about to rocket

In 2014, the Aite Group published a report on the way in which Card Not Present (CNP) fraud is expected to change over 2015 and beyond.

Their basic premise is this: as the US market adopts EMV payments, criminals will move to easier targets, and the obvious place to attack is CNP payments. It's a sound argument, because it's exactly what the UK and other markets saw during their own EMV adoption.

According to Aite, the projected fraud losses in the US market will climb steeply over the next 3 years.

Here's my problem with that.

"CNP Fraud" is a fraudulent transaction made through a CNP channel. In other words, somebody steals your card details (from somewhere) and uses them in a CNP channel to commit fraud (e.g. they go to a website and use your card data to buy something for themselves).

While the US is concentrating on implementing EMV for card-present transactions, very little attention is being paid to stopping the theft of card data through other channels. The Aite report, as well as this one from the Smart Card Alliance, focuses on technologies like tokenisation, 3D Secure and taking customer passwords to help mitigate the impact of CNP fraud.
But that doesn't help with one really critical thing. If EMV (which, by the way, needs to be implemented in combination with P2PE and/or tokenisation to be truly effective) will hugely limit a criminal's ability to steal card data, where will they turn next?

Answer: channels which are not secured in the same way as EMV/P2PE/card present transactions - i.e. CNP channels.

And the weakest of them all is contact centres, as we'll see.

Relative security of CNP channels.

Card Not Present is any transaction which is made by a cardholder who (d'uh) isn't present. So that's:

• E-commerce transactions (you go online using a browser or app),
• Mail order (you post or fax an order form to somebody), and
• Contact centre payments (you call a person) or automated phone payments (you call an automated IVR).

Let's take those one at a time.

Since the early days of very insecure shopping carts, e-commerce transactions have come a long way. Today, it's standard for new e-commerce implementations to use redirects, iframes and other technologies to divert card payment information away from a merchant, and directly to a PSP. Hey presto, the merchant has no card data flowing through their environment, and the opportunity for fraud is dramatically reduced (although, to be clear, they may still be in scope for PCI DSS under SAQ A-EP).

Technology for attacking potential fraud in e-commerce will continue to improve, and tokenisation solutions from the major card brands, tokenisation companies and standards like EMVCo's will help too.

What about mail/fax order?

Orders on paper have one unique advantage for keeping hackers away: they're on paper. It's hard to remotely steal a few million card numbers in this context. Granted, the boundaries are blurred when we start considering e-faxes, but there are a number of companies offering 'secure fax' functionality which allow processing in compliance with PCI DSS fax payment requirements.

So, to contact centres.

It's the same old same old.

In the main, contact centres continue to take payments in the same way they have for the past 20 - 30 years. Either:

• People call and speak their card details to an agent, or
• People call and type their card data into an automated IVR inside the contact centre.

Contact centre payments, as they have been taken for the past 2 decades, are fundamentally insecure because the caller does not retain control of their card data. Callers have no idea how their card data is being processed or secured. For agent-based payments, they also have no way of assuring themselves that contact centre agents are not stealing their data.

It's just like standing up on a bus and reading out your card data to all the passengers. Who would do that, seriously? But contact centres give their customers little choice but to do exactly that.

So what's changed?

Not much. Repeatedly, throughout my 15 years of working in the contact centre industry, I have seen many (actually, most) companies who simply do not place adequate controls around their people, processes and technology in order to remove the threat of card theft.

Here are a few things which have remained constant, despite the introduction and adoption of PCI DSS:

Being focused only on external attacks isn't good enough. People often forget that card data theft occurs from insiders too.

"I can use tokenisation to remove card data from my contact centre." Sure, and I love tokenisation too. But in order to retrieve a token from your PSP, you have to supply them with the card data in the first place. In other words, tokens protect stored data, but not card data from a customer's initial payment. And as RAM scraping is the current tool of choice for hackers in the POS world, once P2PE takes care of that, we are definitely going to see much more RAM scraping from agents' PCs.

"I have implemented pause and resume to make sure my call recordings don't contain card data". Good; you're doing something. But is it working? Today, right now? Pause and resume tends to be very fiddly to configure, and then difficult to maintain. It does not fail gracefully (you end up storing card data in recordings). Regardless, it has two major flaws: the agent still hears/sees card data, and your agent PCs are exposed to that data. Hence we have the same internal fraud and RAM scraping concerns as above.

"We are PCI DSS compliant". Great! But we're not talking about compliance. We are talking about whether criminals can find and steal card data from your environment. That's security, and it's quite different. Compliance is making sure you have a working lock on the front door of your house on the day you have a security assessment. Security is ensuring that you always (no really: always) lock it. Much better is de-scoping, where you leave no valuable data inside your house, so that even if criminals should break in, they find nothing.

In my view, contact centres simply need to do a better job of protecting their customers' card data from potential theft. They are going to be targeted, explicitly, in 2015 as EMV adoption increases.

To recap...

EMV/P2PE/tokenisation makes it tough to steal card data in the card present environment. Redirects/iframes have improved e-commerce security, and continue to do so. For criminals to gain useful amounts of card data, they are going to need to move to the next weakest area (and it's one which isn't very secure).
Which all leads me to one inescapable conclusion.

Contact centre data breaches are about to rocket.

I hope I'm wrong.


Posted by eckoh at 4:13 PM on Nov 2, 2015
