In this opinion piece, Tim Critchley, CEO of Semafone, takes a look at new guidance on telephone payments and calls on insurers to re-think their security measures.
The insurance industry: a servant of two masters
Insurance companies are on the front line when it comes to customer data. Customers frequently want to pick up the phone when initiating or renewing policies, which means payment card data is often shared with call centre agents. These “Telephone Order” payments bring their own set of security and compliance problems if not managed very carefully. Insurers are bound by legal regulations which require calls to be recorded in their entirety in case of later disputes over matters such as misunderstandings or mis-selling.
Meanwhile, another global industry regulation, the Payment Card Industry Data Security Standard (PCI DSS), which governs the protection of customers’ credit and debit card information, specifically prohibits the recording of any sensitive card data. This places insurers in a tricky situation. On the one hand they must record complete conversations, but on the other, they must not record someone reading out their payment card security code.
Until now, a common work-around has been to pause the call recording during the payment process, but new guidance from the Payment Card Industry Security Standards Council (PCI SSC) means that insurers using this approach will have to re-think or drastically increase their security measures.
New guidance: more reasons not to pause recordings
The updated guidance for telephone payment security is the first since 2011 and addresses the fact that contact centre technology has developed significantly in that time. It takes into account the increased use of VoIP and “soft phones”, which can merge the voice and data networks and so expand the area open to attack by fraudsters. All organisations that take payments over the phone will be in for a simpler audit if they fully segment these channels, as they will then have a smaller attack surface. For insurers, however, it’s the new guidance on call recording that stands out.
In a survey conducted last year, it emerged that 19 out of the top 20 insurance firms in the UK and USA were still using the “pause and resume” method to avoid capturing payment card numbers on recordings. However, the new guidelines assert that both manual and automatic pause systems run a high risk of accidentally recording this highly sensitive information. Qualified Security Assessors (QSAs), who monitor PCI DSS compliance, will demand increased and extensive evidence of measures to protect sensitive data – insurers will have to prove that they have systems in place to check that every single recording is free of card data.
They will also have to prove that there is no chance an agent could have written down any card numbers they heard, and that those same card details haven’t entered the agent’s own desktop computing environment. Aided by the updated guidance, which identifies recommended best practice and tests, QSAs will now conduct much more invasive audits, delving deeper into insurers’ systems to ensure that additional security controls have been put in place.
Essentially, for security teams, compliance programmes built on the pause and resume approach will involve much more work, take longer and cost more.
The new guidance also calls into question another common solution to the call recording problem: redirecting the call to a secured line for the payment process itself. This is now deemed to run the risk of interception or diversion by hackers and is therefore also subject to the full range of security controls.
Don’t pause the recording – don’t hold the data
All is not lost. The guidance recommends techniques and technologies that minimise card data, rather than trying to manage it, such as dual-tone multi-frequency (DTMF) masking solutions. These solutions entirely remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information from coming into contact with the agent, call recording technology and any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.
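As an added illustration (not code from the article or from Semafone’s product), the Python sketch below models the two points above: a DTMF masking stage that replaces keypad digits with a flat bleep in what the agent and recorder hear while forwarding the digits only to the payment processor, and the kind of Luhn-based scan a QSA would expect to see run over recordings to prove they are free of card numbers. The call events and transcripts are constructed sample data; the Luhn test number 4111 1111 1111 1111 is a standard non-live card number.

```python
import re

MASK_TONE = "<bleep>"  # what the agent and the call recorder hear instead of each key tone

# Constructed call stream: ("speech", text) is audible to everyone, ("dtmf", digit) is a keypad press.
CALL_EVENTS = (
    [("speech", "Agent: please key your card number into your phone now.")]
    + [("dtmf", d) for d in "4111111111111111"]
    + [("speech", "Agent: thank you, the payment has gone through.")]
)

# Constructed transcript of a call where pause-and-resume failed and the caller read the number aloud.
PAUSE_FAILED_TRANSCRIPT = "Caller: my card number is 4111 1111 1111 1111, expiry 12/29."

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: true for a well-formed card number, used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_dtmf(events):
    """Split one call into the stream the agent/recorder gets and the digits sent to the processor.

    Speech passes through untouched so the conversation stays continuous; every DTMF digit is
    replaced by MASK_TONE on the contact-centre side and routed out-of-band to the processor.
    """
    recorded, to_processor = [], []
    for kind, payload in events:
        if kind == "dtmf":
            recorded.append(MASK_TONE)
            to_processor.append(payload)
        else:
            recorded.append(payload)
    return " ".join(recorded), "".join(to_processor)


def find_pans(transcript: str) -> list:
    """Compliance check over a recording transcript: return every Luhn-valid card-like digit run."""
    hits = []
    for m in PAN_RE.finditer(transcript):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running `mask_dtmf(CALL_EVENTS)` leaves the recorded side with only bleeps and speech, so `find_pans` returns nothing for it, whereas the same scan over `PAUSE_FAILED_TRANSCRIPT` flags the spoken number.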
Time to change
Data security is currently running high on the news agenda and insurers are an obvious target for hackers; cases such as BUPA’s data breach in 2017, where 547,000 customers had their personal and financial data stolen, are only going to become more commonplace. Insider fraud is still on the increase, so eliminating any possible contact between employees and sensitive customer data is a logical precaution.
The new guidance could be the trigger for insurers to take that step – if you don’t hold the data, nobody can hack it. The result isn’t just a lower cost of compliance – the benefits will be felt in terms of security, trust and, ultimately customer loyalty.