Latest News

Semafone: Top U.S. Insurers Still Require Customers to Read Card Numbers Out Loud, Compromising Security and PCI DSS Compliance

New survey finds that 10 top U.S. insurers ask for verbal confirmation of payment card details

Guildford, U.K. – April 27, 2017 – Semafone, a provider of secure payment software for contact centers, announced today findings from a new “secret shopper” survey of leading insurance companies. Ten of the top insurance companies in the U.S. were anonymously surveyed and all responded that they still require customers to read their card numbers out loud when paying for insurance services over the phone, which means that they risk compromising security and Payment Card Industry Data Security Standard (PCI DSS) compliance.

“Nobody would dream of reading out their PIN at an ATM, but in the insurance industry it’s still commonplace to be asked to provide card details out loud over the phone,” said Tim Critchley, CEO, Semafone. “I’m sure most of us have overheard someone doing this in a public space; it’s not secure and it should not be happening.”

Call Recording Presents Additional Risks

The research also showed that eight of the U.S. top insurers record calls. This creates another challenge, as the PCI DSS, which governs all card payments, specifically prohibits the recording of full card numbers and card security codes. If a payment takes place over the phone, and the call is being recorded, the insurer needs to find a way to avoid capturing these details. Some insurers surveyed stated that they transfer customers to a voice recognition system which automatically blanks out card numbers on a recording, or use a start and stop method to avoid recording. Both methods have been proven to have drawbacks.

Critchley continued, “In the financial sector, it’s important to record calls in case you need to provide a legal record during any disputes. But if contact center agents are pausing the calls to remove card details, the recording can’t be deemed ‘complete’ and, therefore, no longer fits this purpose.

The ‘pause’ system also often depends on the service agent pressing the button at exactly the right moment. This means that it is far too easy to make a mistake and accidentally capture the card details on the recording. In some cases, we have even known agents to deliberately pause the recording at the wrong moment to blank out part of the conversation with the customer. It’s just not possible to guarantee that it will work.”

U.S. Insurers Lag in Security of Call Center Data

To make matters worse, four out of the 10 top insurers in the U.S. admitted to reading card numbers back to customers; a practice that makes compliance with PCI DSS even more taxing. Additionally, most agents in the U.S. were completely unsure as to whether numbers were recorded.

“All contact centers in the U.S. need to do more. The insurance sector has been charging higher premiums for corporate policyholders who fail to take cybersecurity seriously; now it’s time for insurers to get their own house in order,” stated Critchley. “We’re very pleased to be working with an increasing number of insurance companies who are addressing the problem, but there is still work to be done. Asking customers to read credit and debit card numbers aloud over the phone must become a thing of the past.”

For more information about Semafone, please visit:

About Semafone

Semafone provides software to contact centers so they can take personal data securely over the telephone. Semafone’s patented data capture method collects sensitive information such as payment card or bank details and social security numbers directly from the customer’s telephone keypad for processing. This prevents personal data from entering the contact center, which protects against the risk of fraud and the associated reputational damage, ensuring compliance with industry regulations such as PCI DSS.

The company was founded in 2009 and now supports customers in 22 countries on five continents. Semafone is vertically agnostic and its extensive customer base includes companies such as Aviva Canada, Amica Mutual Insurance, British Sky Broadcasting, Pethealth, Rogers Communications and TVG.

BT offers a hosted version of Semafone’s technology – Cloud Contact PCI. Major investors of Semafone include Octopus Investments and BGF (Business Growth Fund).

Semafone has achieved the four-leading security and payment accreditations: ISO 27001:2013, PA-DSS certification for Cardprotect its payment solution, PCI DSS Level 1 Service Provider and is a registered Visa Level 1 Merchant Agent. To learn more, visit and follow us on LinkedIn, Twitter and Facebook.