By Aaron Lumnah, Senior Manager Marketing Demand Generation
Protecting customer data is a persistent and ongoing challenge for merchants of all sizes, across every industry sector.
The introduction of EMV ‘chip and PIN’ payment cards in recent years made it significantly harder for fraudsters to commit point-of-sale (POS) terminal fraud or to counterfeit physical cards. This is backed up by Verizon’s 2020 Data Breach Investigations Report, which states that payment card skimming now accounts for just 0.7% of all data breaches, with POS fraud down to just 0.8%.
As a result, criminals have switched their attention to contact centres. Their objective: to steal the personally identifiable information (PII) and payment data of customers paying for goods and services over the phone. Fraudsters often view this channel as an easier way to commit identity theft, gain illicit access to funds, conduct card-not-present (CNP) fraud, and carry out other malicious deeds.
This comes as no surprise when you consider how today’s call centres are now a key customer touchpoint that typically handle all kinds of sensitive customer data: contact details, dates of birth, payment card data, social security details and so on.
It’s a situation made worse by the surge in e-commerce and phone transactions triggered by the COVID-19 pandemic. Needless to say, cybercriminals have been quick to take advantage of this shift in payment behaviours. In March 2020, the number of malicious data breach attempts experienced by organisations jumped by a massive 475%.
Let’s take a look at five ways merchants of all sizes can boost their fraud prevention capabilities.
1. Address Insider Threats
No business is immune from the risk of insider threat, so it is vital that merchants take steps to ensure that employees are appropriately vetted, and all hiring references are checked. A disgruntled or malicious employee who has insider knowledge of customer identification and security process flaws can inflict damage that will be difficult for organisations to recover from. But that isn’t the only challenge.
Criminal gangs aren’t beyond trying to infiltrate contact centres, putting their own members inside a company, or finding ways to coerce and threaten current employees to pass on sensitive customer information.
Fraud can encompass anything from someone overhearing private information, to using a customer’s details to access their records without authorisation and selling this information to other parties. For this reason, applying tight controls over what systems and records agents can access and having full visibility of agent activity is key for mitigating insider threat risk.
2. Keep Sensitive Payment Data Outside of Business Systems
The best way of protecting against contact centre data breaches is to not store any customer data related to a payment in any form at all. Instead, routing customer payments via a secure payment platform will ensure that this sensitive data is never taken, processed, or stored on site.
As well as significantly reducing a contact centre’s obligations with regard to PCI DSS compliance, utilising a secure payment system also eliminates any need for agents to have visibility of a customer’s sensitive payment information. This means organisations can protect their employees from the risk of potential coercion by criminals.
3. Only Work with Trusted Partners
It is critical to know who your service providers are and what security questions to ask them. It is essential to ensure that the payment service providers (PSPs) you work with are PCI DSS compliant Level 1 Service Providers at a minimum and certified to the highest standard, including being listed on the Visa Global Registry of Service Providers and the Mastercard Registry of SDP Compliant Service Providers. That especially includes the PSP that manages your payment process.
Organisations can find they are liable for a data breach if their partners don’t take security as seriously as they do. So conducting business with any third party means you need to ask tough questions around how they treat sensitive data and the precautions they take to secure it. Ask for industry accreditations and security credentials, because at the end of the day, keeping customer data safe doesn’t just depend on following best practices in-house.
4. Secure and Test the IT Infrastructure
Today’s criminals are adept at exploiting flaws and vulnerabilities in unpatched systems, so ensuring your e-commerce website, internet-facing systems, network, and all business applications are regularly updated and patched is business-critical. That includes ensuring that firewalls are correctly configured, that appropriate authentication is enforced, and that remote access credentials are strong.
Antivirus software is a must-have. Similarly, conducting frequent vulnerability tests on systems and network devices is key to identifying where a potential breach could occur so that mitigation actions can be taken. It also enables organisations to test their compliance with security policies and determine how effectively they can respond to security threats.
5. Educate Employees on How to Stay Secure
Employees still pose one of the biggest risks to a company’s cybersecurity, so regular security awareness training will be vital for equipping personnel with the knowledge they will need to combat potential threats.
In a world ransacked by the COVID pandemic, new exploitation threats are arising as organisations adopt long-term remote working strategies that add further complexity to the security landscape. Ensuring everyone is up to date and alert to the latest phishing attacks and other social engineering methods criminals are using is vital. If employees know how to identify and avoid phishing emails, and why they should not click on unexpected links, they’re less likely to unwittingly expose confidential data or download covert malware that compromises cybersecurity.
The COVID-19 crisis has changed consumer behaviours for the long term. With more and more of us now transacting online and over the telephone, merchants will need to reassess the fraud prevention measures they have in place and ensure these are appropriate for today’s fast-evolving threat landscape. Utilising the right technologies, protocols and training, and working with the right partners, will ensure that merchants keep customers, staff and their reputations safe.