Home > Columns > Executive Interviews

Semafone Executive Interview

Tim Critchley, CEO, Semafone

  • Everyone has heard stories about breaches in customer data, such as the recent one at Equifax. What are the some of the most common types of cyber-attacks and what steps can businesses take to prevent them?

Some of the most common types of cyberattacks that contact centers experience involve social engineering. With these attacks, cybercriminals and fraudsters manipulate employees – particularly those on the front line such as agents and customer service representatives (CSRs) – in order to steal sensitive customer data. This could involve bribery, coercion, a fraudulent phone call or even a phishing email containing malware that an agent opens, assuming it’s a note from a customer or manager. Contact centers should train their employees to recognize the many forms of social engineering and ensure their agents are aware of the risks they represent. 

In terms of malware, trojans, which provide unauthorized, remote access to a user's computer, are extremely common. They are difficult to detect, so they are especially dangerous for contact centers that house multitudes of sensitive customer data. For instance, a tech-savvy third party who encounters an agent’s computer could easily and discretely insert a thumb drive containing a trojan into the back of the desktop. Then, from a home computer, that third party could access the agent’s computer, and therefore, the contact center’s network to steal customer credit card numbers and other personally identifiable information (PII). 

While these are just a few examples of cyberattacks, there is one highly effective method for reducing risks and making a business far less attractive to hackers and fraudsters: remove all unnecessary sensitive data from your business’ infrastructure. As we say at Semafone, “They can’t hack the data you don’t hold.”


  • Can you share some best practices for reducing the risk of compromising data security in voice interactions?

According to Semafone’s new State of Data Security in Contact Centers report for which we surveyed more than 500 agents across the globe, 72 percent of agents who collect payment card data and social security numbers (SSNs) over the phone still require callers to read this PII aloud. This creates numerous risks, as data is exposed to agents (who could, for example, illicitly copy down card numbers to use them for fraudulent purposes), as well as call recording systems and even nearby eavesdroppers. 

To mitigate these risks, contact centers should adopt dual-tone multi-frequency (DTMF) masking solutions. This technology allows callers to enter their sensitive numerical data directly into their telephone keypad and shield it from both the live agents and call recordings by replacing the keypad tones with indecipherable flat tones. Once entered, the data is sent straight to the appropriate third party (i.e. a payment processor), completely bypassing the contact center’s IT environment. 

Unlike interactive voice response (IVR) systems, DTMF masking solutions allow agents to remain in full voice communication with the caller. Yes, IVR systems prevent agent exposure to data, but the PII still touches and transits across the contact center’s infrastructure, where it is vulnerable in the event of a data breach.


  • What are some of the top risk factors prevalent in today’s contact center environments?

As discussed, the fact that a majority of contact centers still require customers to read their sensitive data out loud creates massive risks for agent fraud. And, if that PII is captured on a call recording system, it is essentially waiting to be breached by hackers. 

In addition to outdated data capture processes, over-access to data also poses significant risks. Our survey found that 30 percent of agents who collect customer data over the phone have access to that information even when they aren’t on the line with that customer. Most agents are of course good, honest people but it just takes one bad apple or one unwitting innocent to open the flood gates for a brand-damaging data breach. For example, a temporary employee with no loyalty to the company and little concern for risk could steal thousands of customer payment card numbers stored in a CRM system and sell them to third parties. Once the scheme is realized, the company makes the news for all the wrong reasons, leading to the loss of customer trust, plummeting share prices and a tarnished reputation. 

Even more alarming is the fact that agents are witnessing and experiencing breach attempts by people both inside and outside of their organizations. Semafone’s survey showed that 7 percent of agents who collect PII had been approached by someone inside their organization to illicitly share or access this information, while 4 percent said the same about someone outside their organization. Also, 9 percent of agents said they personally knew someone who had unlawfully accessed or shared customer data. 

While these may seem like small percentages, when applied to the larger contact center agent population, the risk is substantial. Considering that there are more than 2.2 million call center agents in the U.S. alone, it is quite possible that hundreds of thousands of active agents have witnessed some form of a breach attempt. What’s more, 42 percent of agents in our survey said they did not report these attempts to either management or the police. So, many contact centers may not even be aware that breach attempts are occurring, never mind actually addressing the risks.


  • Can you give us examples of risky call recording practices in contact centers? How can companies gain the insights they need to improve the quality of transactions without putting sensitive information at risk?

Many companies, especially those in highly regulated industries, record customer calls for legal, regulatory or quality assurance reasons. However, when they require their customers to say their PII out loud, this complicates the situation because the Payment Card Industry Data Security Standards (PCI DSS) states that they should not capture payment card data on recordings. So, many contact centers use a practice called “pause and resume” or “stop/start,” by which recording systems are paused (either manually or automatically) when customers are reading out their sensitive information. However, these practices leave gaps in an organization’s data security and compliance strategies, and create further risks. 

For example, if an agent forgets to pause the recording, PII may be inadvertently captured, leaving the information vulnerable in the case of a breach. On the other hand, if an agent neglects to resume the recording, vital information from the call needed to solve transaction disputes or support quality control may be excluded. Also, without a complete call recording, a company may not be able to demonstrate compliance with industry, state or government regulations.  

By using DTMF masking technology, contact centers can abandon risky pause and resume practices and record entire calls without worrying about recording PII. They can still review recordings for quality assurance and training purposes, while ensuring a smooth, safe and secure transaction.


  • How can contact centers reduce AHT while keeping customers’ payment data secure and helping to improve the overall customer experience?

Sometimes, phone payment transactions can be time consuming, especially if customers have to read card numbers, expiry dates and security codes aloud. If an agent mishears or mistypes the numbers, he or she must spend extra time correcting errors. And, if the mistake is not identified, the Payment Service Provider (PSP) may reject the transaction, leading to repeat calls, customer aggravation and even failed transaction charges. Furthermore, poor connections, regional dialects and accents can complicate the information exchange and therefore increase the average handling time (AHT). 

While some contact centers use IVR systems that remove agents from the equation, these technologies can increase customer frustration and AHT. If a customer miskeys their payment card numbers, they often don’t know how to correct it and end up hanging up the phone. This scenario can negatively impact both customer satisfaction, first contact resolution (FCR) metrics and the bottom line (if customer hangs up, you may have lost a sale).   

To reduce AHT while securing payment data anddelivering a positive customer experience, contact centers should, again, adopt DTMF masking solutions – allowing agents to remain on the line in full voice communication with the customer as they enter their payment card numbers into their phone. With such solutions, customers have complete control over inputting their data, while agents are free to handle wrap-up tasks and assist if any issues arise. The result is much more efficient transactions and a streamlined customer journey.


  • What can businesses do to ensure that agents are not in a position to compromise customer data and can also report those who might be misusing it without fear of retribution?

Some contact centers require their agents to work in “clean rooms,” which prohibit writing utensils, paper, cell phones and any personal items that may facilitate fraud. In response to our survey, 26 percent of agents who collect customer data over the phone operate in such environments. However, clean rooms should no longer be considered a best practice, as they contribute to low employee morale and high staff turnover. Even with this draconian security measure, customer data is still entered into desktop applications and stored in business IT infrastructures – leaving it vulnerable to rogue agents, hackers and fraudsters. 

When companies keep sensitive data out of the contact center environment altogether, clean rooms become unnecessary and thus, employees are happier and more productive. Also, if agents do not have access to the data in the first place, there is no need for them to worry about how to report instances of misuse; it becomes a non-issue.


  • Please tell our readers how Semafone can help make customer data more secure across a variety of verticals.

Semafone provides DTMF masking technology. Our award-winning, patented solution, Cardprotect, is used by enterprises around the world and across different verticals – insurance, retail, banking, BPO, hospitality, utilities, telecommunications and many more – to mitigate risk, strengthen security and maintain PCI DSS compliance by keeping PII out of the business infrastructure. 

Cardprotect allows customers to directly input their data, including credit/debit card numbers, via their telephone keypad, shielding the numbers from agents, call recordings and eavesdroppers by replacing the DTMF tones with flat tones. Unlike IVR systems, agents remain in full voice communication with the caller the entire time, ensuring a positive customer experience and even reducing AHT. Our clients frequently report that their own customers appreciate the ease-of-use of our solution and how it helps secure their most sensitive information. In the end, data is more secure, customers are satisfied, agents are happier (no clean rooms!), calls can be recorded without risk, reputations are protected, compliance is simplified, and contact centers can continue business as usual.