What solutions, approaches and business processes do UK contact centres use to reduce the risk of card fraud?
Respondents to a survey of over 200 UK businesses were presented with a range of methods; the results indicate that, on average, a contact centre employs 3.6 techniques to reduce card fraud and thereby support Payment Card Industry Data Security Standard (PCI DSS) compliance.
Some of the most common card fraud reduction solutions, approaches and business processes are summarised below.
Note, however, that many of the methods below do not, by themselves, make a contact centre’s operation PCI DSS compliant.
‘Pause and resume’ or ‘stop-start’ recording (used by 59% of UK contact centres)
With ‘pause and resume’ or ‘stop-start’ recording, contact centre agents can prevent sensitive authentication data and other information from entering the call recording environment.
‘Pause and resume’ can be agent-initiated or fully automated; however, PCI DSS is generally interpreted as preferring automation over manual intervention, so as to avoid the human error of an agent forgetting to pause.
Improving manual processes and agent training (43%)
Training is provided to call centre agents to help reduce the risk of social engineering fraud, and to educate them on how they can best handle sensitive information.
Dedicated payment teams (12%)
A dedicated payment team is kept completely separate from the customer service agents, and its members are the only agents authorised to handle payments. The drawback is that transferring callers to this team can increase wait times due to queueing.
Third-party cloud-based payment solutions (40%)
With a third-party payment solution, no card data ever passes through the contact centre itself, whether its infrastructure, its agents or its data storage. This also mitigates the associated legislative risks, as it allows card payments to be taken without heavy investment in the internal technology and processes otherwise needed to be PCI DSS compliant.
IVR payments – post-call (5%) and mid-call (18%)
Payments can be taken using automated Interactive Voice Response (IVR), again removing the human risk element. The more popular option is mid-call IVR (also known as agent-assisted IVR), since the agent stays on the line and the customer can ask further questions once the payment is complete.
DTMF suppression (43%)
If a caller enters card details on their keypad, the Dual Tone Multi-Frequency (DTMF) tones are carried in the call audio, so in theory the tones, and therefore the card details, could be identified and copied. DTMF suppression alters the tones so that the card details are masked, effectively neutralising this risk.
Tokenisation (19%)
With tokenisation, cardholder data is collected via DTMF. In the audio, the tones are replaced with a neutral or silent tone, while the digits are sent elsewhere to be replaced with non-sensitive data. The tokenised data is sent to the payment process, where it is decoded back to the original card data and forwarded to the payment service provider (PSP).
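As an added illustration (not code from the survey or from any vendor it describes), the following Python sketch shows how DTMF suppression and tokenisation fit together: keypad digits are swallowed before they reach the agent or recording channel, a neutral tone is forwarded in their place, and only a token reaches the agent. The event format, TokenVault and mask_payment_capture are assumptions.

```python
import secrets

# Constructed illustration of DTMF suppression plus tokenisation: the filter
# sits between the telephony stream and the agent/recording channel, swallows
# keypad digits, forwards a neutral tone instead and hands the card number
# only to a vault that returns a token. TokenVault is an assumed API, not a vendor's.

NEUTRAL_TONE = "*"  # what the agent/recording channel receives per digit

def luhn_valid(pan: str) -> bool:
    """Mod-10 check so a mistyped number is rejected before tokenisation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the PAN is stored here and never shown to the agent."""
    def __init__(self):
        self._store = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]

def mask_payment_capture(events, vault):
    """Filter (kind, value) events, kind "speech" or "dtmf"; return
    (events forwarded to agent/recorder, token). '#' ends digit entry."""
    forwarded, digits, token = [], [], None
    for kind, value in events:
        if kind != "dtmf" or token is not None:
            forwarded.append((kind, value))      # speech, or DTMF after capture
        elif value == "#":
            pan = "".join(digits)
            if not luhn_valid(pan):
                raise ValueError("captured digits fail Luhn check")
            token = vault.tokenise(pan)
        else:
            digits.append(value)                 # kept out of the forwarded stream
            forwarded.append(("dtmf", NEUTRAL_TONE))
    return forwarded, token
```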
Secure payment link (10%)
This is described as a self-service method, since all the organisation needs to do is send a secure link via SMS, email or WhatsApp. It is then down to the customer to check that the link is legitimate and to enter their own card details.
This is simply a top-level overview of the findings surrounding UK PCI DSS methods. For more information and detail, please download the “Inner Circle Guide to Fraud Reduction and PCI Compliance” report from the ContactBabel website.