Brian Pennington

A blog about Cyber Security & Compliance


Call Centre Security

Syntec Telecom and Davies Hickman Partners have produced a report on how contact centre leaders are meeting the challenges of PCI DSS and the concerns of consumers to credit card payments over the phone.

Extracts from the report are below.

Consumers demand better card payment security

  • 72% (68% in 2012) say “call centre managers should do more to prevent credit and debit card fraud”
  • 74% (70% in 2012) say “the banks, credit card and payment companies should do more to prevent fraud”

The report’s authors believe their research shows that, despite years of compliance pressure, call centres are adopting one of three approaches to the problem:

  1. ‘Head in the Sand’: These organisations are adopting a trust-based approach relying on existing systems and staff, including elements of ‘clean-rooming’, but are unaware of the seriousness of PCI requirements
  2. ‘Segmenting the Problem’: Here, organisations are setting up discrete payment teams to reduce the numbers of agents taking payments
  3. ‘De-scoping payments’: Organisations engaged in PCI compliance are using technology to shield crucial payment card data from the call centre

Key findings from the research showed:

  • 1% (2013), 3% (2012) of consumers say payment over the phone to a call centre is the most secure method (compared to chip and pin, online and self-service/ATM payments)
  • 16% (2013), 14% (2012) of UK consumers say they are very confident that “Organisations I buy from over the phone will keep my personal and card payment details secure”
  • 80% (2013 & 2012) of consumers say that despite careful recruitment policies, some call centre agents may commit fraud, directly or indirectly, by stealing personal data and credit card payment details taken over the phone from customers
  • 72% (2013), 68% (2012) say call centre managers should do more to prevent credit and debit card fraud.
  • 68% (2013), 58% (2012) of UK consumers say “As a general rule, I don’t think companies should be allowed to keep my credit or debit card details on their databases”
  • 32% of UK consumers say they have seen news stories about credit & debit card fraud in call centres (39% of 18-34 year olds)
  • Twice as many consumers favour entering their card details on their phone keypad* while the agent is still on the call as favour the alternative where the agent simply pauses the call recording: 58% say they would use, and be happy to use, their phone keypad, with only 27% favouring pausing the call recording.

Do you believe call centre agents may commit fraud directly or indirectly by stealing personal data and credit card details they take from customers over the phone?

  • Yes, often 16%
  • Yes, sometimes 64%
  • No 6%
  • Don’t know 14%

When making card payments which is the most secure?

  • Chip and Pin 53%
  • Payments over a secure website 18%
  • Self-service Machines (e.g. train tickets) 11%
  • Telephone payments to call centre agents 1%
  • Don’t know 16%

Solving the compliance conundrum

  • Use technology to hide credit card details from call centre agent 45%
  • Only allow selected agents in ‘clean rooms’ 7%
  • Regular audits of calls to monitor fraud 14%

Has the risk of fraud when giving your credit/debit card details over the phone to a call centre made you reluctant to pay for a product or service?

  • Yes 59% (Yes, often 17%, Yes, sometimes 42%)
  • No 21%
  • Don’t make phone payments 19%

Tips for rebuilding trust through card payment delivery in call centres

  1. Build capability by educating your people about risk, fraud and the value of security to customers
  2. Develop processes and procedures so your people can report suspicions confidently
  3. Build relationships with internal and external fraud monitors
  4. Create a compliance strategy which suits your organisation
  5. Keep your eye on changing operational requirements to improve security programmes
  6. Delete basic operational failings such as storage of sensitive information
  7. Choose trusted secure partners
  8. Explore technologies which ‘shield’ the call centre from sensitive payment data.

Simon Beeching, director at Syntec Telecom, said: “There is no question that card payments over the phone to the call centre remain a weak link. Our research clearly shows that an increasing majority of consumers have serious concerns over card payments by phone. Consumers are now saying they will positively favour brands and call centres that can provide tangible reassurance over their card payment security.”

Fortnum and Mason fail PCI DSS requirements after a phone call…

It was reported that Fortnum & Mason had a Payment Card Industry Data Security Standard (PCI DSS) issue after an employee asked a customer to email their credit card details so that a dispute could be resolved.

Fortnum & Mason said in a statement:

“We have now fully investigated the claim that a customer was asked for their credit card details via email and we can confirm that

“We apologise for causing concern for this genuine, human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again.”

Human error, whether it is trying to help a customer or trying to finish on time, is often the weakest link in the security chain.

Had the card details been emailed, or the phone call recorded, the impact on the organisation’s compliance posture could have been huge, because every system that touched the data, and every system connected to those, would fall into the scope of PCI DSS.

For example, the email could potentially bring many systems into the scope of PCI DSS that were previously out of scope:

  • the customer service person’s desktop, which may be storing emails locally
  • the email server
  • the email back-ups and other back-up systems, if the data is shared across tapes/drives/SANs/etc.
  • the CRM solution, if the email system is integrated with it
  • etc.

Education and technology can reduce the chances of this happening but it requires constant management and monitoring.

An older post of mine contains a lot of advice for organisations that wish to address the non-IT issues facing those that operate a call centre or deal with customer orders or disputes over the phone.

The post “Call Centre Security and PCI Compliance” is here.


Call Centre Security and PCI Compliance

[Image: An Indian call center, via Wikipedia]

Credit card data is the crown jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a bad reputation; you only need to Google or Lush to see the impact.

With the 18th March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance for call centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, its requirements or its penalties.

There are many business and regulatory requirements that affect call centres, especially around the recording of telephone calls; in the United Kingdom, for example, the Financial Services Act.

The act of recording a call can breach PCI DSS, because most recordings capture ALL of the data spoken, including the CAV2, CVC2, CVV2 or CID, which must never be stored. Storing the PAN and expiry date is acceptable so long as the data is encrypted and the Merchant has acted on all the questions within SAQ D, or has undergone a formal audit if they are a level 1 Merchant.

The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.
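As an added example (not from the report or either post) of the monitoring that technology can provide, covering both an emailed card number like the Fortnum & Mason case and a call transcript: a Luhn-checked scan that reports any PAN masked to first six/last four, the most PCI DSS permits to be displayed, and flags any CAV2/CVC2/CVV2/CID that should never have been captured. The function names, patterns and sample texts are my own assumptions; the card number is the public Visa test value, not a real card.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3- or 4-digit code written or spoken next to a security-code keyword.
# (That code is the CAV2/CVC2/CVV2/CID and must never be stored.)
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cav2|cid|security code)\b\D{0,20}(\d{3,4})\b", re.IGNORECASE)

# Constructed samples. 4111 1111 1111 1111 is the public Visa test number.
SAMPLE_EMAIL = ("Hi, as requested here are my details to sort out the dispute: "
                "card 4111 1111 1111 1111, expiry 12/26, CVV 123. Thanks.")
SAMPLE_TRANSCRIPT = ("Agent: I just need your order reference. "
                     "Customer: it is 4111 1111 1111 1112, from last week.")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_for_card_data(text: str) -> dict:
    """Report Luhn-valid PANs (masked) and whether a security code is present."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            pans.append(mask_pan(digits))
    return {"pans": pans, "cvv_present": CVV_RE.search(text) is not None}

if __name__ == "__main__":
    for name, sample in (("email", SAMPLE_EMAIL), ("transcript", SAMPLE_TRANSCRIPT)):
        print(name, scan_for_card_data(sample))
```

The Luhn check is what stops a 16-digit order reference in the transcript being reported as a card number, while the email is flagged for both the PAN and the CVV.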

However, the recording of the calls and storing of Credit Card Data in an encrypted format are small parts of the issue facing Call Centres.

By considering the following points and reviewing the documents on the PCI Resource page, you can go a long way towards achieving a PCI compliant Call Centre.

  • Employee vetting is the first step in ensuring a secure Call Centre.
  • There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching the policies.
  • Specifically, there needs to be a documented Policy on how employees handle Calls and the Data resulting from them, especially Credit Card Data.
  • The Merchant needs to communicate the Policy to all employees that have access to Credit Card Data.
  • Do employees regularly receive training on the Policy and its importance? They should do.
  • Are employees made aware of their IT Security responsibilities?
  • Security Awareness training needs to be provided, for example, how to deal with the threat of computer viruses, how to report suspicious activity, etc.
  • Security Awareness has to be promoted, for example, on posters and in newsletters.
  • Do supervisors/managers enforce a clear desk Policy? For example, no MP3 players, no note pads or any other methods to record information.
  • Access to photocopiers and scanners needs to be restricted.
  • Restricting physical access to the Call Centre should be considered.
  • Call Centres should be restricted to employees only and visitors need to be escorted.
  • All paperwork leaving the Call Centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
  • Consideration should be given to CCTV.
  • Do all employees have unique logon identities?
  • Are strong passwords enforced?
  • Are passwords changes enforced every 30 days, or less?
  • Are password changes significantly different after every change? For example, not simply adding a 1 or a 2 at the end of previous password.
  • Home and remote workers need to have local security installed, for example, personal Firewalls and Anti Virus.
  • Do systems and servers that store credit card data, for example, CRMs and Databases, have access restricted on a need to know basis?
  • Are logs taken and stored for system and networks where data is stored?
  • Is the Merchant’s network and systems attached to the network adequately protected against viruses, hackers and other threats?
  • Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires that all systems and networks within the scope of the cardholder data environment be scanned by an Approved Scanning Vendor at least quarterly.
  • Is the Merchant’s security regularly tested? For example, by having Penetration Tests.
  • Does the Merchant have a plan on how to deal with a breach and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches for example, the Epsilon Email Breach.

In summary, PCI DSS is not the only area of compliance affecting the Call Centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.

