Telephone-based credit card transactions present two opportunities for fraudsters. They are a source from which to harvest sensitive data and a target where these stolen cards can be used. Both of these risks are increasing as criminals target telephone-based systems as the weak link in the payment chain: while chip and PIN protect brick-and-mortar establishments and online transactions can be secured using 3D Secure (e.g., Verified by Visa and MasterCard SecureCode), phone payments remain vulnerable. The very fact that an agent has access to sensitive credit card data by hearing it spoken by the customer in order to enter it into their CRM or ERP system (which then also stores this data) puts you at risk of fraud. This risk is extended if customer service calls are being recorded (e.g., for quality assurance).
These fraud risks should not be underestimated. PCI DSS standards are meant to assess, prevent and manage these risks at the cost and responsibility of organizations. Examples of fraud can be found in any industry sector. In a case that caught public attention, a customer service agent was convicted of stealing credit card data and plundering thousands from the affected credit card accounts. Another case involves call center employees selling information from thousands of credit card and bank accounts for small amounts of money. In another occurrence, in October 2011, a merchant’s server was hacked and infected with a virus that went undetected for 2½ months, during which sensitive data was emailed to the hacker as it was processed, enabling duplicate credit cards to be produced.
Risks of Human Error When Taking Payments Over the Phone
• Untrained employees
• Unethical behaviour
• Accidental privacy breaches – losing data, computer left unattended
• Unethical behaviour of people in proximity to your employees/customers
In putting together this blog post, employees at Ivrnet offered up their own stories of over-the-phone credit card fraud that had happened to them. One case involved a hotel, where card information was spoken over the phone. The credit card information was stolen and used, but traced back to the hotel as the source of the breach. Another example was from an employee who could no longer use a particular food delivery service. The service was known for breaches, hacked accounts, and fraudsters ordering deliveries on other people’s accounts and getting free meals. Now her credit card company won’t allow transactions for this service.
What’s the solution? For brick-and-mortar businesses, there are approved PTS Devices that provide strong protection for payment data and take advantage of EMV chip, mobile and contactless technologies.
How can you identify a secure technology solution for processing payments over the phone? The most secure method of taking payments over the phone is simply not to manually enter, store or manage sensitive data at all. The best way to comply with the PCI Data Security Standard is to remove the payment element from the call entirely. Technology solutions, like Ivrnet Telepay, obtain real-time authorizations securely using a simple automated service, transmitting via traditional telephone lines over the Public Switched Telephone Network (PSTN).
A leader in payment security, Ivrnet is a Level 1 PCI DSS certified Service Provider.