Wednesday, April 13, 2011

Large, Occasional Data Breaches are really, really bad. The Small Daily Ones are even worse.

Another compromised data center is making the headlines. Epsilon, the online marketing company was hacked. This time, it appears only email addresses were obtained. With luck, the worst those affected will experience is an increase in email marketing spam.

Could more be done to protect company data centers? Yes, always. But it is worth asking if we should be spending more money to further lock down the back door to the data centers, especially when the call center "front door" is banging in the breeze.

Email lists were compromised at companies like HSN Inc, Scottrade, Marks and Spencer and many others. In addition to storing sensitive information, these companies have tens of thousands of call center agents around the world at their own centers and at outsourced locations that are taking credit cards and other sensitive information over the phone from their customers every day. In addition, there are thousands more coaches, team leads and call monitoring personnel that have access to recordings of calls where customers' personal information can be easily accessed. None of these people have access to the secure data center, but they have access to a blinding amount of identity and financial information.

In the thousands and thousands of call centers around the world, there are few controls consistently in place that prevent employees from recording sensitive information with a recording device or on a computerized or paper note pad. Even if safeguards existed, nothing can stop agents from simply memorizing the important details.

Not only can this information be stolen, it is stolen. Thousands of times a day, everyday sensitive customer information is recorded, copied, memorized and stolen. It can be used by the person who stole it or the information can be sold to individuals who in turn sell the information to others, with devastating consequences:
Overseas Credit Card Scam Exposed.

Despite the insidiousness and pervasiveness of the problem, companies do little to prevent it because the problems rarely come to light on a large scale and because the breaches are extremely difficult to trace back to the offending agents and the companies where they are employed.

Even more maddening is that simple solutions are on the market which allow agents to "collect" the private information without ever seeing or hearing it. For example, the customers can be transferred to an Interactive Voice Response (IVR) system, enter their information, and then get transferred back.

This IVR option has been around forever, but is rarely used. Part of the reason is lost sales. You are right on the edge of booking a customer’s order and you have to transfer them to the IVR to enter the credit card information. During that transfer time and with the agent not on the phone, it is easy for customers to rethink their purchases.

It is also not always the smoothest transition. The customer can be left waiting for the agent to pick up or the agent can be left waiting for a customer who has already decided not to go through with the purchase and has hung up.

Newer applications provide for a better customer experience and are easier to implement. SecureCall, our CRM plug-in, allows customers to enter their card information over the phone directly into the Customer Relationship Management system while the agents remain on the phone. The DTMF tones are converted to monotones so the agent cannot record or decipher the numbers.

As a side note, though the primary purpose for considering and implementing one of these solutions is to prevent agent fraud and credit card theft, these solutions also help to fight fraudulent chargebacks. In a fraudulent chargeback, the customer is claiming they never ordered the goods they were sent. When deploying solutions like these, part of a merchant’s argument is that their agents don’t have access to credit card numbers and don’t enter credit card numbers, so the customer must have provided this information. As a result of this argument and other features, these solutions have helped merchants overturn a higher percentage of fraudulent claims.

If the reduction of agent fraud and consumer fraud are areas you want to shore up, you should look for solutions that:

1) Provide a great customer experience

2) Don’t affect close rates and average order size

3) Are easy to implement, including the training of the agents

4) Are completely PCI Compliant

5) Are cost effective


The lack of front door security around the call center wreaks financial havoc on millions of unsuspecting consumers. With the simple solutions that exist out there, this is inexcusable. It is also just a matter of time before this glaring leak blows up some company's front porch.