When it comes to protecting sensitive payment data, call centers are often the forgotten operation, and card data leaks out unintentionally. Protected data spoken in one cubicle can be overheard by 20 nearby reps, along with any customers on the phone with those reps.
For this reason, Cam Ross, a longtime payments veteran who is currently the director of payment strategy at U.K. payments vendor Eckoh, sees the call center model as outdated.
Some call-recording systems attempt to automatically convert spoken numbers into data, but that can be problematic, given the many non-card-related numbers spoken in a typical call center conversation, whether it's a street address, the amount of a purchase or the date of a purchase.
Some executives want to retain the audio versions of PANs for later refunds, but Ross said in a recent LinkedIn article that it "takes a minimum of 5-10 minutes to locate the exact recording on which the customer made the purchase," a process he dubbed "madness."
Thieves are getting too good at using Internet-facilitated crowdsourcing, Ross said in an interview. They steal call recordings from various contact centers, split the recordings into short sessions and then "get other people to do the low-cost human-related work" of finding usable data, he said.
Ross sees companies trying a never-ending list of tactics to limit exposure, from noise-cancelling headphone mics (to theoretically block what other reps are saying) to simply putting a limit on how much sensitive data agents can access. But noise-cancelling headphones add expense to the system, and limiting data access usually undermines customer service efforts.
Even worse, these techniques do relatively little to actually reduce fraud risks.
"If the call recording systems contain card data" that can be accessed by merely listening to them, "they all can effectively have access to all of the card data at all times," Ross said. "Having this data traverse the telephony and data networks of companies is a risk for these contact centers."
Ross and Eckoh instead advocate a form of audio tokenization. Rather than speaking the sensitive data, the caller types it into the phone's keypad and the data then "flows through a hosted platform, which tokenizes it into a different number. And it's that number that flows into the contact environment," he said, adding that it's really only the middle six digits that are changed in the token.
The rep can still ask for other pieces of information for authentication, including address, name and last four digits of the card account number (which is permitted by the Payment Card Industry Data Security Standard). Theoretically, Ross argued, this system could sit atop any payment system a retailer might accept, including alternative and emerging payment methods such as PayPal, Apple Pay and Bitcoin.
One of the long-held concerns about this kind of approach is that it creates a centralized database of sensitive payments data, a highly attractive target for a cyberthief. One approach that Ross advocates is to have all tokens active for a very short amount of time.
"These are like session IDs in that they are only active and exist for a few minutes," he said. "We never store this stuff to disk so we're not building up a huge honeypot for these thieves."
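The scheme Ross describes (replace only the middle six digits, keep tokens alive for a few minutes, never write them to disk) can be sketched as follows. This is an added illustration, not Eckoh's code: the class and function names, the 16-digit PAN length, the 180-second lifetime and the test card number are all assumptions.

```python
import secrets
import time


class EphemeralTokenVault:
    """In-memory token -> (PAN, expiry) map; nothing is persisted to disk."""

    def __init__(self, ttl_seconds=180, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed "few minutes" lifetime
        self._clock = clock          # injectable so expiry can be tested
        self._store = {}

    def _purge(self):
        # Drop every token whose lifetime has elapsed.
        now = self._clock()
        for tok in [t for t, (_, exp) in self._store.items() if exp <= now]:
            del self._store[tok]

    def tokenize(self, pan):
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit PAN")
        self._purge()
        while True:
            # Random middle six; first six and last four stay intact.
            middle = f"{secrets.randbelow(10**6):06d}"
            token = pan[:6] + middle + pan[12:]
            if middle != pan[6:12] and token not in self._store:
                break
        self._store[token] = (pan, self._clock() + self._ttl)
        return token

    def detokenize(self, token):
        # Only the hosted platform calls this; expired tokens resolve to None.
        self._purge()
        entry = self._store.get(token)
        return entry[0] if entry else None


def agent_view(token):
    """What the contact-center side may display: last four digits only."""
    return "*" * 12 + token[-4:]


if __name__ == "__main__":
    vault = EphemeralTokenVault()
    tok = vault.tokenize("4111111111111111")  # constructed test number
    print(tok, agent_view(tok))
```

Because the mapping lives only in process memory and is purged on every call, a stolen token or call recording is useless once the lifetime has passed.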