By Mandy Pattenden, Marketing Communications Director
It’s a tumultuous, yet exciting time in the contact center industry. Despite the growth of e-commerce and online shopping, phone transactions continue to rise, with 61 percent of mobile users calling a company when they come to make a purchase. At the same time, securing these transactions has never been more important. With the shift to EMV chip card technology, fraudsters and cybercriminals are now targeting card not present (CNP) channels, like contact centers, putting customer information at risk from brand-damaging data breaches. These industry trends led Semafone to investigate what is really going on inside today’s contact centers.
While we work closely with our customers’ security personnel, compliance officers and C-level executives on a daily basis, we thought it would be interesting to gather some unique insight directly from those staff members on the front line – contact center agents and customer service representatives (CSRs). After all, they are the ones speaking with customers on the phone and capturing their payment card data and other sensitive information. But, how are they collecting, storing and protecting personally identifiable information (PII)? Are they regularly witnessing breach attempts? How much access to sensitive customer information do they have? We decided to conduct an anonymous survey of contact center agents from across the globe to get some answers.
Over the past few months, we’ve polled more than 500 contact center agents from around the world to learn about their everyday experiences with data security. We are excited to finally unveil the findings of our survey in our first-ever “State of Data Security in the Contact Center” report – and with it comes both good news and bad news.
First, the bad news: data security in contact centers is in a dire state. We confirmed that agents are still using outdated, risky practices for capturing customer data. In fact, more than 70 percent of agents who collect PII via the phone require customers to read this data out loud. While many customers (or agents) may not think twice about verbalizing payment card data or social security numbers (SSNs), this system for capturing caller data exposes information to the agent, call recording systems and even nearby eavesdroppers. Moreover, 30 percent of agents who collect this data have the freedom to access it even when they are not on the phone with the customer. Now, not all agents are out to copy down payment information for fraudulent use or steal someone’s identity; but, in a time when a single breach can cost a company an average of $3.62 million, there is no time to wait to address security and compliance issues.
Additionally, a disconcerting number of agents have been approached by insiders (seven percent) and outsiders (four percent) to illicitly share or access customer data. Although these are generally small percentages, they raise big concerns. If we extrapolate these percentages to the greater agent population, it could mean that hundreds of thousands of agents have experienced a breach attempt. It is estimated that there are 2.2 million contact center agents in the U.S. alone, meaning that it is possible that 150,000 have been approached by others within their own company to share customer data. If just one of these breach attempts were successful and made headlines, the organization could face catastrophic consequences – plummeting stock prices, lost customer trust, litigation costs, noncompliance fees and more. Even more alarming is that 42 percent of agents in our survey who were approached to share data did not report the situation. Therefore, it is possible that many data breach attempts go completely unnoticed by contact center managers and security personnel.
We also found some interesting geographic and industry nuances. For instance, North America had the highest percentage of agents whose customers provide payment card information and SSNs over the phone (70 percent), and the third-highest percentage of agents who have access to customer information when they are not on the phone with them (31 percent). In contrast, 16 percent of European agents said they have access to PII when they aren’t on the phone with the customer, while zero reported instances of outsiders approaching agents to share information. As for industry-related findings, the BPO sector consistently reported higher than average numbers in several areas of risk, including the number of breach attempts by outsiders. Nevertheless, contact center data security issues span all vertical industries and geographic regions. Protecting sensitive information should be everyone’s priority, no matter where in the world you operate.
Now, the good news: there is a valuable lesson to be learned from our survey findings. Clearly, data breach attempts are occurring; it’s just a matter of when one will be successful. While not every data breach, cyberattack or fraud attempt is predictable, companies must act now to secure sensitive information in their contact centers and beyond. Those who delay addressing gaps in security and compliance initiatives – like the all-too-common use of outdated data collection practices in contact centers – are at high risk of a cybersecurity incident. In addition to the aforementioned millions of dollars in associated costs, a data breach can lead to long-term reputational damage, diminished customer trust, plummeting stock price, loss of jobs and much more. For a prime example of these repercussions, look no further than Equifax’s high-profile data breach.
However, security strategies such as educating employees to defend themselves against social engineering tactics, preparing a detailed incident response plan and tokenizing data only go so far. They can also leave much of the contact center environment in scope with the complex and ever-changing Payment Card Industry Data Security Standard (PCI DSS).
At Semafone we recommend supplementing these efforts by turning to technologies that help descope the contact center by completely removing sensitive data from the business’ infrastructure. For instance, solutions like Cardprotect allow callers to discreetly enter payment card data directly into their phone’s keypad. The dual-tone multi-frequency (DTMF) sounds are masked with flat tones so the agent on the line, call recordings and nearby listeners cannot decipher the numbers. Unlike interactive voice response (IVR) systems, Cardprotect enables the agent to remain in full voice communication with the customer as the data is entered, then sent directly to the appropriate third party for processing. As we always say, “They can’t hack the data you don’t hold.”
Although our survey generated some harrowing statistics, we hope that our findings will help create a greater sense of urgency among the contact center community for securing and safeguarding customer data. Remember: it takes just one agent falling victim to a social engineering scam, taking a bribe or simply acting carelessly to set an entire company into a downward spiral. So, why wait to be breached?