Why Your Agents May Be Putting Customer Data at Risk
By Tim Critchley
Despite the rise in automated, self-servicing technologies in contact centers, many customers still prefer to pay bills and receive support by speaking with a live agent or customer service representative (CSR). Live agents continue to play a significant role in the customer experience, as they provide more personalized service and help streamline payment transactions. However, agents can also pose threats to contact center security, especially when they handle and process sensitive customer data.
To determine how personally identifiable information (PII) such as payment card numbers is captured, Semafone surveyed five hundred global contact center agents across a multitude of industries. The survey confirmed that contact centers still rely on outdated data collection practices, making organizations vulnerable to security threats and putting customer PII at risk for brand-damaging data breaches. Here are the most common ways callers share their PII with agents, along with the security challenges that accompany them.
Reading PII Aloud
According to the survey, 72 percent of agents who collect credit and debit card information or social security numbers (SSNs) require customers to read their information out loud over the phone. This creates several risks, as the information is exposed to the agent on the line, call recordings, and even nearby eavesdroppers.
While most agents are honest, hardworking people, it is possible that a rogue agent could copy down a customer’s credit card number for fraudulent use. Or numbers may be stored on a call recording system that could be breached. Some contact centers rely on “pause and resume” or “stop/start” systems to pause recordings while PII is read aloud, but these systems are prone to failure—especially since an agent must manually stop and start the recording at the right point in time. If an agent forgets to pause the recording, PII may inadvertently be logged and thus vulnerable to a breach.
Using Interactive Voice Response (IVR) Systems
Used by 11 percent of agents surveyed, these automated telephony systems interact with callers to shield PII from agents and recordings. However, without an agent on the line, customers often don’t know how to correct miskeyed information, which can result in calls ending before the transaction is complete (perhaps meaning a lost sale). Plus, a poor customer experience can impact contact center metrics such as first contact resolution (FCR) and average handling time (AHT).
However, the data still touches various IT systems, so it is still susceptible to a breach by either rogue employees (30 percent of agents have access to customer PII when they aren’t on the phone with them) or an outside hacker.
Sharing Data Through an Online Chat Window
Ten percent of agents said they capture customer information through an online chat window. Although data is not verbalized, basic chat functionality is merely a glorified “instant messenger,” not designed with encryption capabilities. Also, the agent is still exposed to PII, unless the contact center implements an appropriate method of encrypting the payment session within the chat engagement.
Phone Keypad Entry (DTMF)
A fourth method of capturing data, mentioned by only 8 percent of agents in the survey, is customers entering their data on their phone keypad. This approach may involve dual-tone multi-frequency (DTMF) masking technologies, which shield data from agents and keep it out of business IT infrastructures. As customers enter PII, such as payment card numbers, DTMF (keypad) tones are masked with flat ones so agents and eavesdroppers cannot decipher the numbers. In addition, numbers are not stored on call recordings that could be breached. PII is sent directly to the appropriate third party (such as a payment processor) so it never touches the contact center’s environment. Unlike IVR systems, DTMF masking solutions allow agents to remain in full voice communication with the customer, assisting with any issues, completing wrap-up tasks, and providing a better overall customer experience.
With these survey results in mind, think about how your agents collect customer PII, as well as how your contact center stores this sensitive information. In a time when a single data breach can cost more than $3.6 million and jeopardize your reputation and customers’ trust, there is no room for taking risks. The bottom line is to explore technologies that replace outdated data capture practices and remove as much PII as possible from your infrastructures.
No one can hack the data you don’t hold.
Tim Critchley has been the CEO of Semafone since 2009 and has led the company from a UK start-up to an international business spanning five continents. Under his leadership the company has secured global partnerships and won clients across a range of industry sectors, including major brands such as AXA, BT, Capita, Harley-Davidson, Next, Rogers Communications, Santander, and Sky. Prior to joining Semafone, Tim was COO at Knowledgepool Group