Taking or making payment over the phone carries an inherent risk of fraud, which can arise in a variety of ways. The number one problem, however, is people. To be more specific, people on the telephone, who forget that what they say (their name, address and card details) may be overheard, and regrettably don’t comprehend the risk in voicing this type of information out loud. This is particularly true in spaces where people feel comfortable or hold telephone conversations in front of a group, such as open plan offices.
Purchasing over the telephone is great and is still in huge demand, despite the growth in online payments. We get to talk to a human being rather than a machine, we can ask about those bits of small print (automatic renewals, cancellation periods, etc) that are so hard to find online, and we can feel confident that we know what we are paying for. We also have a named person to refer to if it all goes wrong.
But if the customer hasn’t taken the precaution of isolating themselves during the transaction, who could be listening? Could the contact centre agent taking the payment be passing on the credit card numbers? And if the sensitive card information is passing through your computer systems, how can you be sure that it is completely secure from hackers, who have developed clever and sophisticated ways of obtaining sensitive data over company networks without being detected? Addressing so many security questions can be difficult and sometimes confusing. With huge advances being made to ensure telephone payments are more secure than ever, it is worth doing some research into the technologies on offer, as each will differ when it comes to the level of security as well as customer service and convenience.
So, what technologies can be used to tackle telephone payment fraud?
1. Pause and resume
You may need to record calls to comply with customer service guidelines or financial services regulations, particularly those issued by the Financial Conduct Authority (FCA). The problem is that if customers say their card details out loud, those numbers will be recorded in your telephone system. This violates PCI regulations, which strictly prohibit the storage of any sensitive card numbers on call recordings.
Pausing the recording while the payment information is being entered is one way around this problem, with the pause function either automated or controlled by the agent. The danger here is that human error can result in the recording being paused at the wrong moment, causing accidental or incorrect recording of the numbers. It also means that the recording no longer constitutes a complete record of the call, which can contravene the regulations.
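One way to check for the mistimed pauses described above is to compare the pause and resume timestamps against the window in which the card details were given. The following is an added example, not code from this article or from any vendor's product; the event names, the timestamps and the assumption that recording runs from the start of the call are all constructed for illustration.

```python
# Added example: audit pause-and-resume coverage from call event timestamps.
# Event names and the sample calls below are constructed for illustration.

def recorded_card_windows(events, call_end):
    """Return (start, end) spans in seconds where card entry was being recorded.

    events: list of (seconds_from_call_start, kind) with kind one of
    "pause", "resume", "card_start", "card_end" (hypothetical event names).
    """
    recording, in_card = True, False   # assumption: recording runs from call start
    exposed_from, spans = None, []
    for t, kind in sorted(events, key=lambda e: e[0]):
        was_exposed = recording and in_card
        if kind == "pause":
            recording = False
        elif kind == "resume":
            recording = True
        elif kind == "card_start":
            in_card = True
        elif kind == "card_end":
            in_card = False
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        now_exposed = recording and in_card
        if now_exposed and not was_exposed:
            exposed_from = t               # card entry and live recording now overlap
        elif was_exposed and not now_exposed and t > exposed_from:
            spans.append((exposed_from, t))
    if recording and in_card:              # call ended mid-entry with recording live
        spans.append((exposed_from, call_end))
    return spans

# Constructed sample calls (seconds from call start).
CALLS = {
    "clean":        [(60, "pause"), (62, "card_start"), (95, "card_end"), (97, "resume")],
    "late_pause":   [(60, "card_start"), (66, "pause"), (90, "card_end"), (92, "resume")],
    "early_resume": [(58, "pause"), (60, "card_start"), (80, "resume"), (95, "card_end")],
    "never_paused": [(60, "card_start"), (90, "card_end")],
}

if __name__ == "__main__":
    for name, events in CALLS.items():
        print(name, recorded_card_windows(events, call_end=180))
```

Any call that returns a non-empty list has a recording that needs review, because part of the card entry took place while the recorder was live.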
2. Interactive Voice Response (IVR)
IVR is an automated telephony system that interacts with callers, gathers information and routes calls as needed. When the customer calls up to make a payment, the process will be handled by a series of recorded instructions instead of a live person (“Press 1 for yes…”). Having an automated system instead of a real human being has security benefits, as it eliminates the danger of an agent overhearing and stealing or sharing the credit card details.
However, customer service suffers – most people would much rather speak to a person than a machine, and if anything goes wrong during the call there will be no one there to rectify the situation. Additionally, automated calls are more likely to be hung up on by the customer, which often comes down to the frustration of speaking to a machine, mis-keying details or not having the right options.
3. Dual-Tone Multi-Frequency (DTMF) tone masking
Unlike making a payment using an IVR, DTMF tone masking requires the customer to type their debit or credit card numbers into the telephone keypad whilst in continual voice communication with the contact centre agent. When different numbers are pressed on the keypad, each is masked by a flat tone, making it impossible to identify the number just from its sound. Not only are numbers unheard, they are also unseen – when typed into the telephone keypad, the numbers appear as asterisks (*) on the call centre agent’s computer screen, so they are completely disguised. The payment details do not appear on the call recording system, and with certain secure solutions they do not enter the call centre infrastructure at all but go directly to the bank. Allowing the agent to remain on the call while the customer is entering their card numbers helps improve the customer experience and reduces the risk of them ending the call due to keying errors.
If you are a company that takes customers’ credit or debit card payments – over the phone or by another method – you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This applies to any business that stores, transmits or processes sensitive credit and debit card information, to help reduce the risk of fraud and therefore protect the consumer. Whatever telephone payment technology you choose, make sure that you check that it is PCI certified.
Telephone payment fraud will continue to present a challenge for businesses worldwide, and is a threat that must be taken seriously. A security breach can cause irreparable damage to a brand, destroying customer trust and loyalty. The bottom line is that the failure to protect data will see customers take their business elsewhere.
Tim Critchley is the CEO of Semafone, which provides secure voice payment software to contact centres. The Secured by Semafone trustmark is used by Semafone’s clients and partners as a sign to customers that their card data is secure when making a payment over the phone.