Who would have thought that in such a short time most organisations could be working from home as they are today?
While many companies have looked at remote working over the past few years and made changes to implement it, recent events have forced businesses to adopt homeworking at breakneck speed, and in doing so gaping vulnerabilities have been exposed.
A key concern is around those organisations that are taking card payments over the phone, or for that matter via webchat or social media.
There seem to be more questions at this point than answers. What exactly are the vulnerabilities? How can they affect the business? What are my organisation’s contractual and regulatory responsibilities?
In this article, we look to answer these questions and shed some light on taking a card payment over the phone (these answers apply to web chat and social media payments too).
Should I be taking card payments over the phone?
Any organisation taking a card payment over the phone from their customers needs to ensure their employees, their customers, their directors and their businesses are protected.
First, we consider the protection of your most important asset, your employees. Unfortunately, there is a significant rise in employees having access to card data, and therefore an increase in staff being incentivised, and worse, coerced, into providing this sensitive financial data to criminals. This isn’t far-fetched: a whopping 9% of contact centre staff reported personally knowing someone who has unlawfully accessed or shared customers’ payment card data. Fraud racked up a value of £1.2bn in 2018 in the UK alone.
Customers also need to be protected and don’t look kindly on organisations that do not secure their financial information. A study from Vision Soft showed a single data breach can cost a business up to 20% of its customer base.
There is a regulatory responsibility for companies taking card payments over the phone to secure their customers’ data, and these days it has teeth. The Data Protection Act, re-issued in May 2018 and encompassing the GDPR, makes it clear that Company Directors are personally liable for up to £500,000 if they neglect to do so.
Then there is the Data Security Standard. Issued by the Payment Card Industry’s Security Standards Council (PCI SSC), the DSS is a requirement that all merchants in the UK, and worldwide, sign up to comply with when contracting merchant card services. If you take card payments, you must meet the Standard. Non-compliance with the Standard has some pretty painful results should a breach occur, such as eye-watering audit fees, fines and reputational damage. In fact, just over 60% of businesses with fewer than 250 employees close their doors within 6 months of a breach, and in 2018 there were on average 633 attempts every day to breach EVERY small to medium sized company in the UK.
So why does homeworking leave an organisation more exposed?
The regulations on taking card payments over the phone still need to be met, but home networks are typically run by a router supplied by one of the large telcos and installed in most households with the default settings, username and password. Firewall controls are typically weaker, and many other insecure devices share the network, such as the home TV and family or friends’ mobile devices.
When employees take a card payment over the phone from customers in their home, it is worth noting that if the customer reads out their card details to the employee, the employee’s home phone network is also ‘in scope’.
Of course, while we all trust our staff, it is worth noting that a study showed that human negligence alone accounts for 25% of breaches.
It’s okay … I don’t record calls!
This is the most common misconception that businesses have when it comes to payment security. The call recording obsession began in 2011 when the PCI SSC released guidance on Mail Order and Telephone Order (MOTO) payments, which focussed on ensuring those call recordings did not contain card information, and hence every business went to town to ensure their calls either were not recorded or were paused when card information was read out. Still, today companies believe this is their only responsibility. The latest guidance from the PCI SSC (version 3, released in Nov 2018) not only moves the focus on to securing our employees but also brings digital phone systems into scope too.
The Move to Online Payments
The new Payment Services Directive (PSD2) mandates that Strong Customer Authentication (SCA) be used for online transactions. This means that when you pay for something online these days you will go through stronger security to make sure it’s you, such as receiving a code by text message on your phone or looking into your phone’s camera for facial recognition. This additional security leaves MOTO transactions as the last bastion for criminals to gather card data and seriously exploit the cracks in the system. Already Cardholder Not Present (CNP) transactions come at a much higher cost for all organisations that take card payments, and this could go up as we see online card fraud migrate to payments made over the phone.
Some businesses are moving to online payment only, removing real-time, assisted payments from their operation to ensure they are protecting their employees, their customers, their directors and their businesses.
Of course, this comes at a cost. The online journey is now a little trickier because of Strong Customer Authentication, which in turn drives up the abandonment rate. Also, it doesn’t provide for those organisations that want to offer a more personal service or capture the sale in the moment the customer is willing to make the purchase. In other cases, the customer prefers to be assisted through the order, and isn’t the customer king?
Using Technology – A Possible Solution
So how can organisations protect themselves when taking card payments over the phone, or other real-time, assisted payments via web chat or social media direct message channels, while staff are working from home?
Fortunately, just as many online video platforms like Microsoft Teams and Zoom have come to aid each of us in our effort to work remotely today, technology has also come at the right time to allow us to protect our businesses, and ensure that our employees aren’t put at further risk, our customers’ data is secure, our directors are not neglecting their duties and our businesses are safe from card criminals.
Dynamic Paylink and DTMF technologies are two such examples of taking card payments over the phone safely.
Applications that embed the ability to set up a payment and then generate a dynamic link, sent to the customer by SMS or pasted into a web chat, social media platform or email, allow customers, in real time and while still on the phone with the merchant, to complete the transaction securely without divulging their sensitive financial information.
DTMF (Dual-Tone Multi-Frequency – the tones you hear when you press a key on your phone keypad) capture also removes an organisation’s infrastructure and staff from the scope of the PCI DSS, by capturing the card data entered by the customer on their telephone keypad and preventing those tones from transiting further along the line or being recorded.
In both cases the employee never hears the card data, and it never transits the employee’s or the company’s phone system or the employee’s home network.
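As an added illustration of the DTMF capture approach described above (example code written for this article, not a vendor’s product or anything from the PCI SSC), the following Python sketch detects keypad tones in narrowband call audio with the Goertzel algorithm and blanks the frames that carried them, so the digits reach the payment step while the agent-side audio, recorder and phone system never contain them. The 8 kHz sample rate, 205-sample frame, detection thresholds and the constructed sample keypad audio are all assumptions.

```python
import math

SAMPLE_RATE = 8000                       # assumed narrowband telephony audio
FRAME = 205                              # ~25 ms, the classic Goertzel DTMF frame
LOW_FREQS, HIGH_FREQS = (697, 770, 852, 941), (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # rows = low tones, columns = high tones

def goertzel_power(frame, freq):
    """Energy at one target frequency in a frame (Goertzel algorithm)."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Return the keypad digit a frame carries, or None for speech or silence."""
    energy = sum(x * x for x in frame) or 1e-9     # silence guard; avoids divide by zero
    # Normalised so each tone of a clean DTMF pair scores about 0.25.
    low = [goertzel_power(frame, f) / (len(frame) * energy) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) / (len(frame) * energy) for f in HIGH_FREQS]
    li, hi = low.index(max(low)), high.index(max(high))
    # Exactly one strong tone per band; voice, a lone tone or noise passes through.
    for band, best in ((low, li), (high, hi)):
        if band[best] < 0.12 or max(p for i, p in enumerate(band) if i != best) > band[best] / 8:
            return None
    return KEYPAD[li][hi]

def mask_dtmf(audio):
    """Capture keyed digits (for the payment gateway) and silence the frames that carried them."""
    digits, masked, last = [], list(audio), None
    for start in range(0, len(audio) - FRAME + 1, FRAME):
        digit = detect_digit(audio[start:start + FRAME])
        if digit is not None:
            masked[start:start + FRAME] = [0.0] * FRAME   # strip the tones from agent-side audio
            if digit != last:                             # debounce a key held across frames
                digits.append(digit)
        last = digit
    return "".join(digits), masked

def keypad_audio(digits, frames_per_key=2):
    """Constructed sample input: each key held for two frames, then a one-frame pause."""
    out = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        f_lo, f_hi = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(d)]
        out += [sum(0.5 * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in (f_lo, f_hi))
                for n in range(frames_per_key * FRAME)] + [0.0] * FRAME
    return out
```

Running `mask_dtmf(keypad_audio("4012"))` returns the digit string "4012" alongside audio that is entirely silent, which is the property a DTMF masking deployment is relying on.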
Only a year ago, in early 2019, these technologies were either flaky or just too expensive for the vast majority of companies in the UK to deploy. Good news: it’s a new decade, and prices have come down to such an extent that deploying these technologies is now more cost effective, in terms of risk, than most other insurance policies taken out by businesses as a matter of course, such as Professional Indemnity or Directors and Officers Liability insurance.
Ultimately if your staff never hear the card information, they are not at risk. If their phone system and local home network never ‘see’ the sensitive financial data, they are not in scope of the PCI DSS, and should a breach occur no sensitive data will be stolen.
Deploying technologies such as those above clearly demonstrates that a company director has not neglected to secure sensitive data, and their personal liability dissolves.
I have been pleasantly surprised at the ingenuity of businesses and organisations across the spectrum to adapt to these unprecedented times, and fortunately, technology has played a significant role in allowing us to communicate and share knowledge in a way that keeps many of us productive.
However, we need to be aware of the pitfalls of such a way of working, and ensure we are protecting our employees, our customers and our organisations so we don’t end up closing the door on one problem, only to open up another.