The latest thinking from Eckoh

Who are the culprits?
Monday, 10 September 2018

Cardholder data can be exposed during agent-to-customer interactions, captured by call recordings, and stored within computer systems. But who’s at the heart of the fraud taking place?

Rogue agents acting alone

Saks & Company experienced a small-scale breach with high consequences in 2014. A single employee stole 22 card numbers and made more than £310,000 worth of fraudulent purchases. The security breach hit the headlines and did huge damage to Saks’ reputation.

Access via a 3rd party supplier

The most significant breach in history affected the discount retailer, Target Corporation. Data containing the names, mailing addresses, phone numbers, email addresses and payment card information for up to 70 million people were accessed. Thieves spent some weeks scraping and dumping credit card data to sell on the black market. They gained access via the VPN that an air conditioning company’s technicians used to connect remotely to Target’s network.

External infiltration

The payday loan firm Wonga suffered a data breach by external infiltration in April 2017, which may have affected up to 245,000 customers in the UK. The information stolen included names, addresses, phone numbers, bank account numbers and sort codes, and may also include the last four digits of customers’ bank cards, information used by some banks as part of the login process for online accounts. Its magnitude is also apparently greater than the TalkTalk hack, which triggered the greatest fine ever issued by the Information Commissioner’s Office (ICO).


The telephone and broadband company TalkTalk was hacked - with the breach affecting over 100,000 customers. Stolen data included email addresses, names, phone numbers, but also bank account numbers and sort codes. In February 2016, TalkTalk estimated the total bill for the attack at around £76m.

Even the best rules are not enough on their own

The Payment Card Industry Data Security Standard (PCI DSS) stipulates that companies should have systems in place to safeguard the credit and debit card details of customers. The 2015 edition of the Verizon PCI report shows that enterprises are generally getting better at achieving full PCI compliance.

Unfortunately, few can sustain it. And PCI DSS isn’t enough on its own either. PCI DSS compliance is not a ‘get and forget’ exercise. It needs to be embedded into every aspect of a business to make sure that you’re always compliant every minute of every day.

Phew! I ticked the boxes, so I’m safe for another year!

PCI DSS compliance is mandatory if you are processing credit card data. This means that if you handle or store credit card information, you are required by the card schemes and acquirers to be compliant. If you do not meet the PCI DSS requirements for compliance and you are compromised, you could be facing penalties and fines, possibly hefty ones.

One of the major dangers we see at Eckoh is that PCI DSS is viewed as an annual tick-box exercise, like renewing your annual household insurance. But beware, because in its security report, Verizon noted that 62% of companies were compliant at the interim assessment stage. However, just 38% of breached companies were compliant at the point of the breach.

Because proof of compliance is a point-in-time activity, companies tend to switch off for the rest of the year. Effective security requires full compliance to be actively maintained on a daily basis. And that takes focus, planning and resources.

Hey, where’s my shield of invulnerability?

There’s also a risk that people imagine PCI DSS will make them invulnerable. Smart organisations recognise that no standard provides absolute coverage or protection, and that no type of validation will be infallible. The contact centre environment, the demands of the marketplace, and the emergence of new threats mean that companies need flexible, watertight solutions, not just sets of rules, however good they happen to be.

What can you do?

Eckoh have long held the belief that de-scoping an entire contact centre is by far the most effective and sustainable way to achieve and maintain PCI DSS compliance every minute of every day. Having no card data for the criminals to steal practically eliminates your risk and responsibility, so you can focus on what your business does best. De-scoping solutions from Eckoh are the most secure way to take card data in your contact centre.

For deeper insight into CNP crime in contact centres take a look at our eGuide. Or, if you’d like to talk about the solutions that can help you address this problem then give us a call on 08000 630 730 or drop us an email.

About the Author

Mark Holmes


Head of Sales

Mark has over 20 years’ experience in business, commercial and technical roles across many sectors including retail, public sector, telecommunications and outsourcing. His knowledge means that he can quickly get to the crux of any client challenge and address it via a consultative approach. Mark heads up Eckoh’s sales team, proactively and reactively addressing viable commercial opportunities and ensuring that the customer is offered, and receives, the very best solution for them.
