Who are the culprits?

Cardholder data can be exposed during agent-to-customer interactions, captured by call recordings, and stored within computer systems. But who’s at the heart of the fraud taking place?

Rogue agents acting alone

Saks & Company experienced a small-scale breach with high consequences in 2014. A single employee stole 22 card numbers and made more than £310,000 worth of fraudulent purchases.The security breach hit the headlines with huge damage to Saks’ reputation.

Access via a 3rd party supplier

The most significant breach in history affected the discount retailer, Target Corporation. Data containing the names, mailing addresses, phone numbers, email addresses and payment card information for up to 70 million people were accessed. Thieves spent some weeks scraping and dumping credit card data to sell on the black market. They gained access via the VPN of an air conditioning company which technicians used to remotely connect to Target’s network.

External infiltration

The payday loan firm Wonga suffered a data breach in April 2017 by external infiltration which may have affected up to 245,000 customers in the UK. The information stolen included names, addresses, phone numbers, bank account numbers, sort codes and may also include the last four digits of customers’ bank cards information used by some banks as part of the login process for online accounts. Its magnitude is also apparently greater than the TalkTalk hack, which triggered the greatest fine ever issued by the Information Commissioner’s Office (ICO).


The telephone and broadband company TalkTalk was hacked - with the breach affecting over 100,000 customers. Stolen data included email addresses, names, phone numbers, but also bank account numbers and sort codes. In February 2016, TalkTalk estimated the total bill for the attack at around £76m.

Even the best rules are not enough on their own

The Payment Card Industry Data Security Standard (PCI DSS) stipulates that companies should have systems in place to safeguard the credit and debit card details of customers. The 2015 edition of the Verizon PCI report shows that enterprises are generally getting better at achieving full PCI compliance.

Unfortunately, few can sustain it. And PCI DSS isn’t enough on its own either. PCI DSS compliance is not a ‘get and forget’ exercise. It needs to be embedded into every aspect of a business to make sure that you’re always compliant every minute of every day.

Phew! I ticked the boxes, so I’m safe for another year!

PCI DSS compliance is mandatory if you are processing credit card data. This means that if you handle or store credit card information, you are required, by the card schemes and acquirers, to be compliant. If you do not meet the PCI DSS requirements for compliance and you are compromised, you could be facing, possibly hefty, penalties and fines.

One of the real major dangers we see at Eckoh is that, PCI DSS is viewed as an annual tick-box exercise, like renewing your annual household insurance. But beware, because in its security report, Verizon noted that 62% of companies were compliant at the interim assessment stage. However, just 38% of breached companies were compliant at the point of the breach.

Because proof of compliance is a point-in time activity, companies tend to switch off for the rest of the year. Effective security requires full compliance to be actively maintained on a daily basis. And that takes focus, planning and resources.

Hey, where’s my shield of invulnerability?

here’s also a risk that people imagine PCI DSS will make them invulnerable. Smart organisations recognise that no standard provides absolute coverage or protection, and that no type of validation will be infallible. The contact centre environment, the demands of the marketplace, and the emergence of new threats mean that companies need flexible, watertight solutions not just sets of rules, however good they happen to be.

What can you do?

Eckoh have long held the belief that de-scoping an entire contact centre is by far the most effective and sustainable way to achieve and maintain PCI DSS compliance every minute of every day. Having no card data for the criminals to steal practically eliminates your risk and responsibility, so you can focus on what your business does best. De-scoping solutions from Eckoh are the most secure way to take card data in your contact centre.

For deeper insight into CNP crime in contact centres take a look at our eGuide. Or, if you’d like to talk about the solutions that can help you address this problem then give us a call on 08000 630 730 or drop us an email at tellmemore@eckoh.com.

Posted by eckoh at 12:44 PM on Sep 10, 2018


Recent Posts

Does it feel like it's panto season in your contact centre every day? If so,…


Are customers mysteriously falling out of love with your business — despite your…


Social Media is the customer’s voice and your agents’ ears. But are you able to…