FINANCIAL ORGANISATIONS NEED TO PROTECT CUSTOMERS FROM THEMSELVES

With so much sophisticated security technology about, you might think that credit card details couldn’t be safer. Customers know how to use chip and pin, Verified by Visa and 3D Secure. PCI DSS regulations ensure that businesses are controlled and checked to the last PAN number and encryption and multi-factor authentication help to keep the fraudsters out. Yet there is a significant hole in the system and if we don’t fix it, the price will be paid not by the customer, but by business.

Tim Critchley

The problem is people. To be more specific, people on the telephone, who forget that they may be overheard as they read out their name, address and card details without so much as a glance over their shoulder. This is particularly true in spaces where people feel comfortable, such as open plan offices, where we are used to holding telephone conversations in front of colleagues.

Purchasing financial products over the telephone is understandably still extremely popular, despite the growth in online payments. We get to talk to a human being rather than a machine, we can ask about those bits of small print (automatic renewals, cancellation periods, etc) that are so hard to find online, and we can feel confident that we know what we are paying for. We also have a named person to refer to if it all goes wrong.

The problems only arise when it comes to paying. If we are switched to an automated system, we are back in the man-machine scenario. One error and we’re stuck with no alternative but to hang up and start again; so most of us prefer to talk to someone as we pay. We have generally established a relationship with the agent during the sales process and want to keep that support as we carry out the delicate task of communicating card numbers. Unfortunately this means that we frequently forget all that we’ve been told about privacy and card details and say them loudly and clearly, wishing to be helpful, but oblivious to the world around us.

There is also a psychological explanation for this behaviour. Most of us will be familiar with the phenomenon of the pedestrian talking on a mobile phone, weaving across the pavement as they walk. And anyone who regularly takes public transport at rush-hour is likely to know a great deal more about his or her fellow passengers’ private lives than is necessary. This is because we become single-minded once we are on the end of the phone. We shut out everything else and imagine that we are in a private conversation, away from the rest of the world.

Semafone

According to scientists, this is due to our limitations with regard to “cognitive load”; humans are not terribly good at multi-tasking despite what we, or others, may think! Aside from the fact that talking out loud in public is scientifically proven to be extremely annoying to other people, it is a real security issue. Only last week I overheard a man shouting his card details into his mobile phone as we both stood in the queue at a coffee shop. Evidently it was an urgent booking and a bad line, so he had to repeat some of the information several times, apparently unaware that he was sharing it with at least 12 other people. I can still remember his 3-digit security code.

Saying card details out loud also carries a risk at the other end of the line, where it is received by the merchant or the call centre agent. According to Strathclyde University, 22% of staff in contact centres believe that they work with people they consider ‘suspicious’ and that 11% had allowed customers to access their account without asking any security details. So, there too, you’re highly sensitive personal information can be unsecured and potentially subject to fraudsters. The measures necessary to secure data at this point can be draconian, from surveillance cameras to the “clean rooms,” in which agents are deprived of all objects that might be used to record numbers, from pen and paper to a mobile phone. In truth, none of these methods is truly secure. To be absolutely certain that details are safe, the customer must not be asked to speak their card details out loud.

Until recently, the only technologies that avoided the need for the customer to speak aloud their details were entirely automated, obliging customers to interact with a machine while they entered their details. Any problems that occurred during the process meant abandoning the call and starting again. Now, however, technology is available that means the customer can key in his or her own card details while continuing the conversation with the call centre agent. There is no need to read out the numbers, but the agent is on hand to resolve problems should they occur.

Any organisation accepting card payments today is not only responsible for the cost and effort of securing credit card information, but also runs the risk of terrible, irreversible damage to its reputation if anything goes wrong. Not to mention the significant fines that will be imposed if a security breach takes place. You should make it a priority to invest in technology that allows you to maintain the reassuring voice contact with the customer, but which does not require them to say any personal details out loud.

In the meantime, make sure that your customers are aware of the following points. These are pure common sense, but could potentially save us all both time and money.

• If you are asked to read your card numbers aloud, think about who might be listening. If you aren’t sure, go somewhere that you can’t be overheard.
• If you must speak in public, assume that someone will be listening. If you need to read out numbers, cover your mouth. You are likely to speak clearly when communicating numbers so will be easy to lip read.
• The person on the other end of the phone is a stranger.  Make sure you know their name before you tell them all your credit card information.
• If you are paying someone who telephoned you, be cautious – check the number and call them back.
• Before you read out your card numbers, ask the customer service agent how these will be protected.
• Ask if the organisation is fully compliant with Payment Card Industry (PCI) regulations? Ask the question or check on the website!
• Diligently check your statements and look out for malicious transactions, and report any immediately to your card issuer.

Tim Critchley is the CEO of Semafone, which provides secure voice payment software to contact centres. The Secured by Semafone Trustmark is used by Semafone’s clients and partners as a sign to customers that their card data is secure.