Brian Pennington

A blog about Cyber Security & Compliance



Syntec Telecom and Davies Hickman Partners have produced a report on how contact centre leaders are meeting the challenges of PCI DSS and consumers’ concerns about credit card payments over the phone.

Extracts from the report are below.

Consumers demand better card payment security

  • 72% (68% in 2012) say “call centre managers should do more to prevent credit and debit card fraud” 
  • 74% (70% in 2012) say “the banks, credit card and payment companies should do more to prevent fraud”

The report believes their research shows that despite years of compliance pressure call centres are adopting one of three methods to deal with the issues:

  1. ‘Head in the Sand’: These organisations are adopting a trust-based approach relying on existing systems and staff, including elements of ‘clean-rooming’, but are unaware of the seriousness of PCI requirements
  2. ‘Segmenting the Problem’: Here, organisations are setting up discrete payment teams to reduce the numbers of agents taking payments
  3. ‘De-scoping payments’: Organisations engaged in PCI compliance are using technology to shield crucial payment card data from the call centre

Key findings from the research:

  • 1% (2013), 3% (2012) of consumers say payment over the phone to a call centre is the most secure method (compared to chip and pin, online and self-service/ATM payments)
  • 16% (2013), 14% (2012) of UK consumers say they are very confident that “Organisations I buy from over the phone will keep my personal and card payment details secure”
  • 80% (2013 & 2012) of consumers say that despite careful recruitment policies, some call centre agents may commit fraud, directly or indirectly, by stealing personal data and credit card payment details taken over the phone from customers
  • 72% (2013), 68% (2012) say call centre managers should do more to prevent credit and debit card fraud.
  • 68% (2013), 58% (2012) of UK consumers say “As a general rule, I don’t think companies should be allowed to keep my credit or debit card details on their databases”
  • 32% of UK consumers say they have seen news stories about credit & debit card fraud in call centres (39% of 18-34 year olds)
  • Twice as many consumers favour using their phone keypad to enter their card details whilst the agent is still on the call, compared with the solution where the agent simply pauses the call recording. A majority of consumers (58%) say they would use, and be happy to use, their phone keypad, with only 27% favouring pausing the call recording.

Do you believe call centre agents may commit fraud directly or indirectly by stealing personal data and credit card details they take from customers over the phone?

  • Yes, often 16%
  • Yes, sometimes 64%
  • No 6%
  • Don’t know 14%

When making card payments which is the most secure?

  • Chip and Pin 53%
  • Payments over a secure website 18%
  • Self-service Machines (e.g. train tickets) 11%
  • Telephone payments to call centre agents 1%
  • Don’t know 16%

Solving the compliance conundrum

  • Use technology to hide credit card details from call centre agent 45%
  • Only allow selected agents in ‘clean rooms’ 7%
  • Regular audits of calls to monitor fraud 14%

Has the risk of fraud when giving your credit/debit card details over the phone to a call centre made you reluctant to pay for a product or service?

  • Yes 59% (Yes, often 17%, Yes, sometimes 42%)
  • No 21%
  • Don’t make phone payments 19%

Tips for rebuilding trust through card payment delivery in call centres

  1. Build capability by educating your people about risk, fraud and the value of security to customers
  2. Develop processes and procedures so your people can report suspicions confidently
  3. Build relationships with internal and external fraud monitors
  4. Create a compliance strategy which suits your organisation
  5. Keep your eye on changing operational requirements to improve security programmes
  6. Delete basic operational failings such as storage of sensitive information
  7. Choose trusted secure partners
  8. Explore technologies which ‘shield’ the call centre from sensitive payment data.

Simon Beeching, director at Syntec Telecom, said: “There is no question that card payments over the phone to the call centre remain a weak link. Our research clearly shows that an increasing majority of consumers have serious concerns over card payments by phone. Consumers are now saying they will positively favour brands and call centres that can provide tangible reassurance over their card payment security.”

Outside of London, Slough is the largest fraud centre but is still smaller than the Top 10 London zones

CIFAS, the UK’s Fraud Prevention Service, have revealed emerging hotspots of fraud activity in the UK during the first six months of 2013. While fraud remains at its most concentrated within the area of densest population (the boroughs of Greater London), some other, perhaps more surprising, areas have been shown to be fraud epicentres during the first half of the year.

In particular, postal districts around Slough, Luton, St Albans, Leicester and Coventry are areas where fraudulent activity has been most prevalent, as opposed to larger urban centres such as Birmingham, Manchester, and Glasgow.

London: the capital of fraud

With the highest population levels of the UK, it is unsurprising that London is the area where the highest number of confirmed frauds has been committed during the first half of 2013. 

CIFAS Communications Manager, Richard Hurley, comments: “That fraud is at its most prevalent in London is not surprising. This has been the case for many years. A larger population means more individuals who may consider making fraudulent applications, but it also means that there are more potential victims for an organised identity criminal. The top ten postal areas, however, show a divergence of locations within the Greater London boroughs: from Wembley and Enfield to East Ham and Barking, and from Woolwich and Thamesmead to Croydon. This shows that any notion that fraud is concentrated solely within a specific area of London is not true and that fraud can, and will, take place anywhere.”

Greater London: breakdown of areas

| Postal area | Name | No. of confirmed frauds |
|---|---|---|
| E6 | East Ham District | 840 |
| SE18 | Woolwich District | 751 |
| IG11 | Barking | 740 |
| EN3 | Enfield | 722 |
| CR0 | Croydon | 691 |
| SE1 | South Eastern Head District | 647 |
| SE28 | Thamesmead District | 629 |
| E7 | Forest Gate District | 575 |
| E16 | Victoria Docks & North Woolwich District | 570 |
| HA0 | Wembley | 564 |

Other fraud hotspots are not the most populous UK centres

Outside the postal areas that fall within the Greater London boroughs, however, there are some notable clusters of activity – and these are not to be found in other large centres of population within the UK. Instead, the SL1 and LU1 postal areas (Slough and Luton) are the areas with the highest levels of fraud, while the Coventry and Leicester postcode areas both feature more than once in the top ten areas outside London (four times and twice respectively).

Richard Hurley concludes: “What these figures prove is that fraud will take place anywhere. While Coventry and Leicester, for example, are populous cities, it is surprising to see these areas identified as having higher levels of fraud than other, much larger, cities. This demonstrates that fraud is no longer a crime that can simply be thought of as occurring in the largest cities. But it also presents a challenge to individuals and organisations based in these areas. It is vital that both work together with a view to diminishing the risks, not least to ensure that individuals understand what precisely constitutes fraud. For example, it is important that individuals and organisations share the responsibility of ensuring that personal data is protected from identity fraudsters who might be targeting these areas.”

Rest of the UK

| Postal area | Name | No. of confirmed frauds |
|---|---|---|
| SL1 | Slough | 441 |
| LU1 | Luton | 377 |
| AL10 | Hatfield | 368 |
| CV1 | Coventry | 334 |
| LE2 | Leicester | 334 |
| CV3 | Coventry | 314 |
| NN1 | Northampton | 301 |
| LE3 | Leicester | 299 |
| CV2 | Coventry | 272 |
| CV6 | Coventry | 242 |

2012 saw a 5% increase in fraud

CIFAS (Credit Industry Fraud Avoidance System) is a not-for-profit membership association representing the private and public sectors. CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates two databases:

  1. National Fraud Database (NFD)
  2. Staff Fraud Database (SFD)

CIFAS’s analysis of fraud trends during 2012 reveals a 5% increase in the overall level of fraud, when compared with 2011. While the rate of the increase has slowed, further key findings present a more complex picture of the true state of the economic crime landscape in the UK:

  • Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members, and over 150,000 cases had an identifiable victim.
  • The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
  • The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
  • Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application. 

The 5% increase in fraud levels recorded during 2012 serves as a reminder of the economic trials currently facing UK businesses and consumers. Nearly 250,000 frauds were identified in 2012. This represents a smaller rate of increase from the 9% surge recorded in 2011, but still constitutes the largest number of confirmed frauds ever recorded in a single year by organisations participating in the CIFAS national fraud data sharing scheme.

CIFAS Head of Communications, Kate Beddington-Brown, comments:

 “Fraud is frequently described as a victimless crime, but this is far from the truth. Whether it is an individual being impersonated, or public and private organisations losing funds due to fraudulent applications and transactions, the net effect is that the economic squeeze gets worse. Fraud acts as an impediment to business recovery and damages cashflow for us all; as losses incurred inevitably get passed on to society at large. The increase in fraud levels, therefore, might be seen as organisations getting better at rooting out fraud, but the implications are clear: increased fraud levels mean that organisations and individuals face a bigger problem than ever before.”

Identity crime: the fraudster’s biggest weapon

The fraudulent use of identity details (either those of an innocent victim or completely fictitious ones) is the biggest and most perturbing fraud threat. 50% of all frauds identified during 2012 relate to the impersonation of an innocent victim or the use of completely false identities.

Furthermore, Facility (or Account) Takeover Fraud – where a fraudster gains access to and hijacks the running of an account (e.g. theft of security details through computer hacking, interception of post details, social engineering through popular websites etc) – rocketed by 53% compared with the previous year. This means that those frauds where the criminal requires identity details accounted for almost 2 in 3 (65%) of all frauds in 2012. The number of victims of both types of fraud combined has also risen by 24% from the levels in 2011, underlining the very real cost of these crimes.

Kate Beddington-Brown notes:

 “These increases serve as a warning and a challenge to organisations and consumers equally. Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing. In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, it is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously.”

Frauds by account holders in decline

As problematic for organisations and the economy at large is fraud committed by the actual account holder. One piece of apparent good news, therefore, is that all frauds which come under this first party fraud heading declined in 2012: including misuse of facility fraud (where a legitimately obtained account is used fraudulently by the account holder) which decreased by 15% from the levels of 2011.

A substantial proportion of these frauds still bear the hallmarks of ‘money mule’ activity (where a criminal recruits another party to use his or her account on the fraudster’s behalf), but the decrease is encouraging in terms of consumer behaviour.

Kate Beddington-Brown notes:

“Organisations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard. Any requests to receive and transfer funds on behalf of a person or organisation should be viewed with suspicion and reported, ultimately, to Action Fraud.”

Misuse of an account, however, is still the second largest type of fraud identified in 2012 and therefore increased attention must also be paid to ensuring that individuals are aware of this.

Kate Beddington-Brown explains:

“In these difficult economic times, the motivation to attempt fraud – or the vulnerability to being duped into doing so – is perhaps understandable. Organisations, however, must do all that they can to ensure that consumers are aware that committing fraud can have very serious consequences: from withdrawal of services to criminal charges. If organisations and consumers alike can stamp out this kind of fraud, extra effort can then be dedicated to preventing those criminals who are responsible for the rise in identity crime.”

CIFAS Chief Executive, Peter Hurst, concludes: “With the cost of living increasing, pay levels frozen for many, benefit changes taking effect and a sluggish economy, it is unsurprising that fraud has increased. Prevention remains better than cure, however, and it is time for all organisations and consumers to start reviewing their approaches to preventing fraud rather than just dealing with its effects. Investment in proper fraud prevention systems and approaches, from online security to data sharing, and education are the cornerstones of such an approach and without them the only thing that is guaranteed is ever increasing fraud losses to organisations and society at large.”

CIFAS’s summary of identified fraud cases in 2011 and 2012:

| | 2011 | 2012 | % Change |
|---|---|---|---|
| Fraud cases identified | 236,516 | 248,325 | +5.0% |

CIFAS’s summary of the types of fraud undertaken is below:

| Fraud Type | 2011 | 2012 | % Change |
|---|---|---|---|
| Identity Fraud – Total | 113,259 | 123,589 | +9.1% |
| Application Fraud – Total | 43,263 | 39,868 | -7.8% |
| False Insurance Claim | 396 | 279 | -29.5% |
| Facility Takeover Fraud | 25,070 | 38,428 | +53.3% |
| Asset Conversion | 532 | 337 | -36.7% |
| Misuse of Facility | 53,996 | 45,824 | -15.1% |
| Victims of Impersonation | 96,611 | 112,179 | +16.1% |
| Victims of Takeover | 25,250 | 38,686 | +53.2% |

Big increase in communications fraud

CIFAS, the UK’s Fraud Prevention Service, has reported on frauds recorded by its 260 member organisations during the first nine months of 2011.

The report reveals a 34% increase in fraud related to communications products, when compared with the same period in 2010.

CIFAS conclude that some “communications” products, for example smartphones such as iPhone handsets, are viewed as essential items rather than luxury items, which implies an entitlement to commit fraud.

CIFAS have also seen:

  • 93% increase in impersonation of the victim at their current address, also known as current address fraud
  • 85% increase in the use of completely fictitious
  • 64% surge in identity fraud by individuals trying to obtain products or services
  • 20% increase in misuse of facility cases

CIFAS Communications Manager, Richard Hurley, notes:

“The rise in current address fraud alarms because it signifies either that fraudsters are becoming increasingly sophisticated (as it is more difficult to impersonate someone at their address and then try to intercept goods or paperwork), or it demonstrates that friends, family and co-habitees are involved. Allied to the similarly enormous increase in the use of completely false identities, this surely indicates that communications products have become so essential that fraudsters not only obtain goods or handsets to sell on but will also attempt to use any identity in order to avoid becoming liable for bills.”

“nearly 100% of this increase can be accounted for by regular payment fraud, where fraudulent direct debit instructions are given in an attempt to evade the payment of bills. The reality of the situation is that the communications product, device or service has become so embedded in our lives that many of us seem unable to do without them. With sacrifices having to be made by most individuals and households, these figures depressingly indicate that many people feel that, economically, they have no choice but to attempt fraud in order to continue receiving such services.”


  1. CIFAS is the UK’s Fraud Prevention Service, a not for profit Membership organisation with over 260 cross sector Members including banking, credit cards, asset finance, retail credit, mail order, insurance, telecommunications and the public sector. Members lawfully share information on frauds in the fight to prevent further fraud.
  2. The following tables show a summary of communications fraud cases recorded by CIFAS Members, broken down by the type of fraud identified. Definitions are given below the table.

| | Jan to Sept 2010 | Jan to Sept 2011 | % Change |
|---|---|---|---|
| Application Fraud | 3,679 | 4,347 | 18% |
| Facility Takeover Fraud | 5,292 | 4,330 | -18% |
| Identity Fraud | 12,673 | 20,842 | 64% |
| Misuse of Facility Fraud | 3,430 | 4,125 | 20% |
| Total | 25,074 | 33,644 | 34% |
