Semafone Executive Interview
Tim Critchley, CEO, Semafone
- Everyone has heard stories about breaches
in customer data, such as the recent one at Equifax. What are
some of the most common types of cyber-attacks and what steps can
businesses take to prevent them?
Some of the most common types of cyberattacks
that contact centers experience involve social engineering. With these attacks,
cybercriminals and fraudsters manipulate
employees – particularly those on the front line such as agents and customer
service representatives (CSRs) – in order to steal sensitive customer data.
This could involve bribery, coercion, a fraudulent phone call or even a
phishing email containing malware that an agent opens, assuming it’s a note
from a customer or manager. Contact centers should train their employees to
recognize the many forms of social engineering and ensure their agents are
aware of the risks they represent.
In terms of
malware, trojans, which provide unauthorized, remote
access to a user's computer, are extremely common. They are difficult to
detect, so they are especially dangerous for
contact centers that house multitudes of sensitive customer data. For instance,
a tech-savvy third party who encounters an agent’s computer could easily and discreetly
insert a thumb drive containing a trojan into the back of the desktop. Then, from a home computer, that third
party could access the agent’s computer, and therefore, the contact center’s
network to steal customer credit card numbers and other personally identifiable
While these are just a few examples of
cyberattacks, there is one highly effective method for reducing risks and
making a business far less attractive to hackers and fraudsters: remove all
unnecessary sensitive data from your business’ infrastructure. As we say at
Semafone, “They can’t hack the data you don’t hold.”
- Can you share some best practices for reducing
the risk of compromising data security in voice interactions?
According to Semafone’s new State of Data Security in Contact Centers report for
which we surveyed more than 500 agents across the globe, 72 percent of agents who collect payment card data and social
security numbers (SSNs) over the phone still require callers to read this PII aloud.
This creates numerous risks, as data is exposed to agents (who could, for
example, illicitly copy down card numbers to use them for fraudulent purposes),
as well as call recording systems and even nearby eavesdroppers.
To mitigate these risks, contact centers
should adopt dual-tone multi-frequency (DTMF) masking solutions. This technology
allows callers to enter their sensitive numerical data directly into their
telephone keypad and shield it from both the live agents and call recordings by
replacing the keypad tones with indecipherable flat tones. Once entered, the data
is sent straight to the appropriate third party (i.e. a payment processor),
completely bypassing the contact center’s IT environment.
Unlike interactive voice response (IVR)
systems, DTMF masking solutions allow agents to remain in full voice
communication with the caller. Yes, IVR systems prevent agent exposure to data,
but the PII still touches and transits across the contact center’s infrastructure,
where it is vulnerable in the event of a data breach.
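The masking described above, as an added example that is not part of the interview and not Semafone's product code: each keypress on a telephone keypad is a pair of sine tones (DTMF), so anything that hears the caller leg, a call recorder or a rogue agent running a tone decoder, can recover the digits with a Goertzel detector. Swapping each keyed tone for one flat tone before the audio reaches the agent leg leaves the same detector with nothing to decode. The sample rate, frame length, the 1000 Hz masking tone, the detection threshold and the test PAN are all constructed for the example; a real deployment operates on the live call path rather than on in-memory frames.

```python
"""Toy DTMF masking chain: caller keypad -> (optional mask) -> recorder decoder.

Added example, not Semafone's code. Everything here is synthetic and in-memory.
"""
import math

SAMPLE_RATE = 8000      # Hz, narrowband telephony (assumed)
FRAME_SECONDS = 0.1     # one keypress per frame in this toy model (assumed)
MASK_FREQ = 1000        # assumed flat tone; it is not a DTMF component

# Standard DTMF keypad: each key is one low-group and one high-group frequency.
DTMF = {
    "1": (697, 1209), "2": (697, 1336), "3": (697, 1477),
    "4": (770, 1209), "5": (770, 1336), "6": (770, 1477),
    "7": (852, 1209), "8": (852, 1336), "9": (852, 1477),
    "*": (941, 1209), "0": (941, 1336), "#": (941, 1477),
}
LOW_GROUP = (697, 770, 852, 941)
HIGH_GROUP = (1209, 1336, 1477)


def synth(freqs, seconds=FRAME_SECONDS):
    """Sum of unit sines at `freqs`, scaled so the peak stays within [-1, 1]."""
    n = int(SAMPLE_RATE * seconds)
    return [sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs) / len(freqs)
            for i in range(n)]


def keypad_frames(digits):
    """Caller side: one DTMF frame per key pressed (the unmasked caller leg)."""
    return [synth(DTMF[d]) for d in digits]


def mask_frames(frames):
    """Masking point: every keyed frame is replaced by the same flat tone."""
    return [synth((MASK_FREQ,), len(f) / SAMPLE_RATE) for f in frames]


def goertzel_power(samples, freq):
    """Power of `samples` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(samples)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(samples):
    """Return the keypad symbol in one frame, or None if no valid DTMF pair."""
    # Assumed tuning: a genuine tone of amplitude 0.5 over n samples yields a
    # power near (0.25 * n) ** 2; require at least a tenth of that in both groups.
    threshold = (0.25 * len(samples)) ** 2 / 10
    low = max(LOW_GROUP, key=lambda f: goertzel_power(samples, f))
    high = max(HIGH_GROUP, key=lambda f: goertzel_power(samples, f))
    if min(goertzel_power(samples, low), goertzel_power(samples, high)) < threshold:
        return None
    return next(key for key, pair in DTMF.items() if pair == (low, high))


def recorder_decode(frames):
    """What a call recording (or an agent's tone decoder) can pull out of the audio."""
    return "".join(detect_key(f) or "?" for f in frames)


if __name__ == "__main__":
    pan = "4111111111111111"   # constructed test number, not a real card
    caller_leg = keypad_frames(pan)
    print("unmasked recording decodes to:", recorder_decode(caller_leg))
    print("masked recording decodes to:  ", recorder_decode(mask_frames(caller_leg)))
```

Run as a script it prints the full test number for the unmasked leg and a row of `?` for the masked leg; the masking frequency is deliberately outside both DTMF groups, so the detector sees no valid low/high pair rather than a wrong digit.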
- What are some of the top risk factors
prevalent in today’s contact center environments?
As discussed, the fact that a majority of
contact centers still require customers to read their sensitive data out loud
creates massive risks for agent fraud. And, if that PII is captured on a call recording
system, it is essentially waiting to be breached by hackers.
In addition to outdated data capture
to data also poses significant risks. Our survey found that 30 percent of
agents who collect customer data over the phone have access to that information
even when they aren’t on the line with that customer. Most agents are of course
good, honest people but it just takes one bad apple or one unwitting innocent to
open the flood gates for a brand-damaging data breach. For example, a temporary
employee with no loyalty to the company and little concern for risk could steal
thousands of customer payment card numbers stored in a CRM system and sell them
to third parties. Once the scheme is realized, the company makes the news for all
the wrong reasons, leading to the loss of customer trust, plummeting share
prices and a tarnished reputation.
Even more alarming is the fact that agents
are witnessing and experiencing breach attempts by people both inside and
outside of their organizations. Semafone’s survey showed that 7 percent of agents who
collect PII had been approached by someone inside their organization to illicitly share or access this information,
while 4 percent said the same about someone outside their organization. Also, 9
percent of agents said they personally knew someone who had unlawfully accessed
or shared customer data.
While these may seem like small
percentages, when applied to the larger contact center agent population, the
risk is substantial. Considering that there are more than 2.2 million call
center agents in the U.S. alone, it is quite possible that hundreds of
thousands of active agents have witnessed some form of a breach attempt. What’s
more, 42 percent of agents in our survey said they did not report these
attempts to either management or the police. So, many contact centers may not
even be aware that breach attempts are occurring, never mind actually
addressing the risks.
- Can you give us examples of risky call
recording practices in contact centers? How can companies gain the
insights they need to improve the quality of transactions without putting
sensitive information at risk?
Many companies, especially those in highly regulated
industries, record customer calls for legal, regulatory or quality assurance
reasons. However, when they require their customers to say their PII out loud,
this complicates the situation because the Payment Card Industry Data Security
Standard (PCI DSS) states that they should not capture payment card data on
recordings. So, many contact centers use a practice called “pause and resume”
or “stop/start,” by which recording systems are paused (either manually or
automatically) when customers are reading out their sensitive information. However,
these practices leave gaps in an organization’s data security and compliance
strategies, and create further risks.
For example, if an agent forgets to pause the recording, PII
may be inadvertently captured, leaving the information vulnerable in the case
of a breach. On the other hand, if an agent neglects to resume the recording,
vital information from the call needed to solve transaction disputes or support
quality control may be excluded. Also, without a complete call recording, a company
may not be able to demonstrate compliance with industry, state or government
By using DTMF masking technology, contact centers can abandon risky
pause and resume practices and record entire calls without worrying about recording
PII. They can still review recordings for quality assurance and training
purposes, while ensuring a smooth, safe and secure transaction.
- How can contact centers reduce AHT while
keeping customers’ payment data secure and helping to improve the overall
Sometimes, phone payment transactions
can be time consuming, especially if customers have to read card numbers,
expiry dates and security codes aloud. If an agent mishears or mistypes the
numbers, he or she must spend extra time correcting errors. And, if the mistake
is not identified, the Payment Service Provider (PSP) may reject the
transaction, leading to repeat calls, customer aggravation and even failed
transaction charges. Furthermore, poor connections, regional dialects and
accents can complicate the information exchange and therefore increase the
average handling time (AHT).
contact centers use IVR systems that remove agents from the equation, these
technologies can increase customer frustration and AHT. If a customer miskeys
their payment card numbers, they often don’t know how to correct it and end up
hanging up the phone. This scenario can negatively impact customer
satisfaction, first contact resolution (FCR) metrics and the bottom line (if the
customer hangs up, you may have lost a sale).
To reduce AHT while securing payment data and delivering a positive customer experience, contact centers should, again,
adopt DTMF masking solutions – allowing agents to remain on the line in full
voice communication with the customer as they enter their payment card numbers
into their phone. With such solutions, customers have complete control over
inputting their data, while agents are free to handle wrap-up tasks and assist
if any issues arise. The result is much more efficient transactions and a streamlined
- What can businesses do to ensure that agents
are not in a position to compromise customer data and can also report
those who might be misusing it without fear of retribution?
Some contact centers require their agents to
work in “clean rooms,” which prohibit writing utensils, paper, cell phones and
any personal items that may facilitate fraud. In response to our survey, 26
percent of agents who collect customer data over the phone operate in such
environments. However, clean rooms should no longer be considered a best practice,
as they contribute to low employee morale and high staff turnover. Even with
this draconian security measure, customer data is still entered into desktop
applications and stored in business IT infrastructures – leaving it vulnerable
to rogue agents, hackers and fraudsters.
When companies keep sensitive data out of the
contact center environment altogether, clean rooms become unnecessary and thus,
employees are happier and more productive. Also, if agents do not have access
to the data in the first place, there is no need for them to worry about how to
report instances of misuse; it becomes a non-issue.
- Please tell our readers how Semafone can help
make customer data more secure across a variety of verticals.
Semafone provides DTMF masking technology.
Our award-winning, patented solution, Cardprotect, is used by enterprises around the world and across different
verticals – insurance, retail, banking, BPO, hospitality, utilities,
telecommunications and many more – to mitigate risk, strengthen security and
maintain PCI DSS compliance by keeping PII out of the business infrastructure.
Cardprotect allows customers to
directly input their data, including credit/debit card numbers, via their
telephone keypad, shielding the numbers from agents, call recordings and
eavesdroppers by replacing the DTMF tones with flat tones. Unlike IVR systems,
agents remain in full voice communication with the caller the entire time,
ensuring a positive customer experience and even reducing AHT. Our clients
frequently report that their own customers appreciate the ease-of-use of our
solution and how it helps secure their most sensitive information. In the end,
data is more secure, customers are satisfied, agents are happier (no clean
rooms!), calls can be recorded without risk, reputations are protected,
compliance is simplified, and contact centers can continue business as usual.