By Daniel Doherty, Global Insurance Executive
The recent 371% increase in data breaches in the insurance industry and 40% increase in card-not-present (CNP) fraud should put insurance call centers on high alert for protecting customers’ sensitive data. Nonetheless, many insurers continue to rely on the inadequate practice of pause and resume call recording solutions to shield payment card data from call recordings.
With this practice, recordings are stopped, paused or muted when the customer reads credit card numbers and other personally identifiable information (PII) out loud. The recording is started, resumed or unmuted after this information is captured. Although pause and resume is a legally accepted practice, it leaves holes in the call center’s security strategy.
Despite blocking the PII from call recordings, pause and resume still exposes the customer service representative (CSR) on the line to the caller’s information. The CSR could copy down card numbers for potential fraudulent use, or partake in illicit activity such as social engineering or high-pressure sales tactics while the recording is stopped. Another concern is that the CSR may forget to stop the recording, inadvertently logging sensitive information that may end up breached. Or, the CSR may forget to resume the recording, leaving out important information that may be required to handle a transactional dispute. Also, without a complete call recording, the insurer may be in violation of local or state laws and regulations.
Recording Sensitive Authentication Data (SAD), such as three-digit security codes, is also strictly prohibited by the Payment Card Industry Data Security Standard (PCI DSS). So, if this information is accidentally recorded, the call recording system and the call center’s hardware and software are back in scope. The PCI DSS also prohibits relying on manual intervention by staff to remove data from recordings, making many advocates of pause and resume noncompliant. Yes, pause and resume systems that use computer telephony integration (CTI) to automatically block PII can alleviate this challenge, but they still expose the CSR to the sensitive data and leave the rest of the call center infrastructure in scope.
Semafone recently surveyed CSRs at 10 of the largest U.S. insurance firms to see how they shield payment card data from their call recordings. While most firms seemed to use a form of pause and resume, there were a variety of methods in play. Some said they rely on a program that automatically blocks out card details from the recording as the caller speaks. Others said PII is removed from the recordings after the fact. Another said that all recordings are kept for 30 days before being deleted. Despite the various tactics, the consensus was that many CSRs were unaware or uninformed of how they protect customer data from recordings, which emphasizes the need for an alternative solution to pause and resume.
To eliminate pause and resume, keep customer data safe from brand-damaging data breaches and comply with the PCI DSS, Semafone advises insurers and other merchants to prevent payment card information and other PII from ever entering the call center infrastructure in the first place – or, more simply, they should de-scope the call center. Semafone’s solution does just that, blocking payment information from recordings and CSRs by allowing customers to directly and discreetly enter their data via the telephone keypad. Touch tones are replaced with flat tones through DTMF masking, preventing the CSR and anyone listening to the recording from deciphering the numbers. However, the CSR is able to remain in full conversation with the customer to streamline the entire experience and efficiently carry out the transaction.
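To make the DTMF masking idea concrete, here is an added illustration (not Semafone’s code, and not part of the original article) of a masking proxy sitting between the caller and the recorder: it detects keypad tones frame by frame with the Goertzel algorithm, passes the digits to a separate payment sink, and substitutes a flat tone in the audio that the CSR and the recording receive. The 50 ms frame size, the 440 Hz flat tone and the constructed “speech” frame are assumptions for the demonstration.

```python
import math

SAMPLE_RATE = 8000               # telephony sample rate (Hz)
FRAME = 400                      # 50 ms frames; one digit per frame in this constructed stream
LOW = (697, 770, 852, 941)       # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")
FLAT_TONE_HZ = 440               # assumed replacement tone heard instead of a digit

def sine(freq, amp=0.5, n=FRAME):
    return [amp * math.sin(2 * math.pi * freq * t / SAMPLE_RATE) for t in range(n)]

def dtmf_frame(digit):
    """Constructed keypad press: row tone plus column tone for one digit."""
    row = next(i for i, keys in enumerate(KEYS) if digit in keys)
    col = KEYS[row].index(digit)
    return [a + b for a, b in zip(sine(LOW[row]), sine(HIGH[col]))]

def goertzel_power(frame, freq):
    """Energy of a single frequency in one frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame, threshold=(0.1 * FRAME) ** 2):
    """Return the DTMF digit present in the frame, or None if no row+column pair is strong."""
    row = max(range(4), key=lambda i: goertzel_power(frame, LOW[i]))
    col = max(range(4), key=lambda j: goertzel_power(frame, HIGH[j]))
    if min(goertzel_power(frame, LOW[row]), goertzel_power(frame, HIGH[col])) < threshold:
        return None
    return KEYS[row][col]

def mask_stream(frames):
    """Masking proxy: digits go to the payment sink; CSR and recorder get a flat tone."""
    captured, audible = [], []
    for frame in frames:
        digit = detect_digit(frame)
        if digit is None:
            audible.append(frame)          # ordinary conversation passes through unchanged
        else:
            captured.append(digit)         # out-of-band path to the payment processor
            audible.append(sine(FLAT_TONE_HZ))
    return "".join(captured), audible

def demo():
    speech = sine(300, 0.3)  # constructed stand-in for conversation audio
    call = [speech] + [dtmf_frame(d) for d in "4111"] + [speech]
    digits, recorded = mask_stream(call)
    leaked = "".join(detect_digit(f) or "" for f in recorded)  # what a recording would yield
    return digits, leaked
```

Running `demo()` shows the payment sink receiving `"4111"` while the recorded audio yields no digits at all, which is the de-scoping effect the article describes.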
To learn more about why insurance companies should abandon pause and resume, read my article in Insurance Business Magazine.