Small Daily Security Breaches Worse than Large High-Profile Ones

Dennis Adsit

Another compromised data center is making headlines. Epsilon, a Dallas-based online marketing company, was the victim of a massive breach in early April. This time, it appears only email addresses were obtained. With luck, the worst those affected will experience is an increase in email marketing spam.

Could more be done to protect companies’ backend data centers?  Yes, always.  But it is worth asking if we should be spending more money to further lock down the back door to the data centers, especially when the "front door" phone transactions are banging in the breeze.

The Epsilon breach meant that email lists were compromised at companies like HSN Inc, Scottrade, Marks and Spencer and many others.  The companies affected have tens of thousands of call center agents around the world at their own centers and at outsourced locations that are taking credit card numbers and other sensitive information over the phone from their customers every day.  In addition, there are thousands more coaches, team leads and call monitoring personnel that have access to recordings of calls where customers' personal information can be easily accessed.   None of these people have access to the secure data center, but they all have access to a blinding amount of personal identity and financial information.

In the thousands and thousands of call centers around the world, there are few controls consistently in place that prevent employees from recording sensitive information with a recording device or on a computerized or paper note pad. Even if safeguards existed, nothing can stop agents from simply memorizing the important details.

Not only can this information be stolen, it is being stolen.  Thousands of times each day, sensitive customer information is recorded, copied, memorized and stolen.  It can be used by the person who stole it or the information can be sold to individuals who in turn sell the information to others, with devastating consequences  (see Overseas Credit Card Scam Exposed and watch below).

Despite the insidiousness and pervasiveness of the problem, companies do little to prevent it because the problems rarely come to light on a large scale and because the breaches are extremely difficult to trace back to the offending agents and the companies where they are employed.

Even more maddening is that simple solutions are currently available that allow agents to "collect" the private information without ever seeing or hearing it.  For example, the customers can be transferred to an Interactive Voice Response (IVR) system, enter their information and then get transferred back to the sales agent to complete the order.

This IVR option has been around forever, but rarely is used.  Part of the reason is lost sales.  You are right on the edge of booking a customer’s order and you have to transfer them to the IVR to enter the credit card information.  During that transfer time with the agent not on the phone, it is easy for customers to rethink their purchases and cancel.

It’s also not always the smoothest transition.  The customer can be left waiting for the agent to pick up or the agent can be left waiting for a customer who has already decided not to go through with the purchase and has hung up.

Newer applications provide a better customer experience and are easier to implement. CRM plug-ins are available that let customers key their card number on the phone keypad directly into the CRM system while the sales rep remains on the line. In the agent's audio path the DTMF tones are replaced by a flat "monotone", so the agent cannot hear, record or decipher the numbers.
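To make the masking step concrete, here is an added simulation in pure Python; it is not the vendor's code or anything from the original article. It assumes 8 kHz telephony audio in 20 ms frames, decodes keypresses with a Goertzel detector, forks the caller's audio so that the capture service sees the digits while the agent's copy gets a flat 400 Hz tone in place of every DTMF frame, and hands the CRM only the last four digits. The caller audio is synthesised in the script, and the card number is the standard Visa test PAN, not a real account.

```python
"""Constructed simulation of DTMF masking for phone-based card entry.

The caller keys the card number; a capture service decodes the digits
from the audio and the agent-side stream gets a flat tone instead.
Pure Python, 8 kHz mono float samples, no real telephony involved.
"""
import math

SAMPLE_RATE = 8000          # Hz, narrowband telephony
FRAME = 160                 # 20 ms frames, the usual RTP packetisation
MASK_FREQ = 400.0           # flat tone the agent hears instead of DTMF (assumption)
POWER_THRESHOLD = 200.0     # Goertzel power needed to count a tone as present
DOMINANCE = 3.0             # strongest row/column tone must beat the runner-up by this

LOW_FREQS = (697.0, 770.0, 852.0, 941.0)
HIGH_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows x columns of the keypad


def dtmf_freqs(key):
    """Low/high frequency pair for one keypad key."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return LOW_FREQS[r], HIGH_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def tone(freqs, n_samples, amplitude=0.5):
    """n_samples of the summed sinusoids in freqs."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n_samples)]


def synth_keypresses(keys, press_ms=100, gap_ms=60):
    """Constructed caller audio: each key as a DTMF burst followed by silence."""
    press, gap = press_ms * SAMPLE_RATE // 1000, gap_ms * SAMPLE_RATE // 1000
    out = []
    for k in keys:
        out += tone(dtmf_freqs(k), press) + [0.0] * gap
    return out


def goertzel_power(frame, freq):
    """Squared magnitude of the frame's spectrum at freq (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Return the DTMF key present in one frame, or None."""
    def pick(freqs):
        powers = sorted(((goertzel_power(frame, f), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = powers[0], powers[1]
        if p1 < POWER_THRESHOLD or p1 < DOMINANCE * p2:
            return None
        return f1
    low, high = pick(LOW_FREQS), pick(HIGH_FREQS)
    if low is None or high is None:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def split_streams(caller_audio):
    """Fork the caller's audio: the capture service gets the decoded keys,
    the agent gets the same audio with every DTMF frame replaced by a flat
    MASK_FREQ tone. Returns (agent_audio, keys)."""
    agent, keys, prev = [], [], None
    for start in range(0, len(caller_audio), FRAME):
        frame = caller_audio[start:start + FRAME]
        key = detect_key(frame)
        if key is None:
            agent += frame
        else:
            agent += tone((MASK_FREQ,), len(frame))
            if key != prev:             # rising edge: one entry per keypress
                keys.append(key)
        prev = key
    return agent, "".join(keys)


def luhn_ok(pan):
    """Luhn check, standing in for the payment processor's validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def capture_card(caller_audio):
    """What reaches the CRM: masked audio for the agent and the last four
    digits only; the full PAN is validated and would go to the processor."""
    agent_audio, keys = split_streams(caller_audio)
    pan = keys.split("#")[0]            # '#' terminates entry
    return {
        "agent_audio": agent_audio,
        "pan_valid": luhn_ok(pan),
        "last4": pan[-4:],
        # second pass: what a recorder on the agent's side could decode
        "agent_can_hear": split_streams(agent_audio)[1],
    }


if __name__ == "__main__":
    call = synth_keypresses("4111111111111111#")   # standard Visa test PAN
    r = capture_card(call)
    print(r["pan_valid"], r["last4"], repr(r["agent_can_hear"]))
```

Running the script shows the capture service decoding all sixteen digits while a second decoder pointed at the agent's copy recovers nothing, which is the property the article relies on: the agent never has the card number to write down, record or memorise, and the merchant can later show that the agent could not have entered it.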

And, though the primary purpose for considering and implementing one of these solutions is to prevent agent fraud and credit card theft, these solutions also help to fight fraudulent chargebacks.

In a fraudulent chargeback, the customer is claiming they never ordered the goods they were sent.  When deploying solutions like these, part of a merchant’s argument is that their agents don’t have access to credit card numbers and don’t enter credit card numbers, so the customer must have provided this information.  As a result of this argument and other features, these solutions have helped merchants overturn a higher percentage of fraudulent claims.

So here is how you should think about this challenge:
Do I know/trust everyone in my company who is taking credit card information over the phone?  If your operation is small enough that you know and trust everyone handling credit card information over the phone, then you probably don’t need to do anything unless you feel that offering a service like this would differentiate you from the competition or make your customers more comfortable.

If your operation is large enough that you don’t know everyone taking credit cards, then you need to realize there is a risk that your employees could be stealing this information.  You need to decide if the risk of this theft getting traced back to you is one you are willing to take or whether you want to go the extra step to protect your customers.

You also need to think about investing in a system like this if you have a higher level of fraudulent chargebacks than you would like to have. If your chargebacks are too high, or if fighting them is eating up too much valuable staff time, you need a different process for collecting credit cards that helps you reduce those chargebacks and helps you get them overturned when you do get them.

If you want better information security and if you want to reduce your chargebacks, your next decision is whether to use the IVR or the CRM plug-ins. If you don’t have an IVR, go the CRM plug-in route. They can be implemented for $10 per seat per month. If you are already using an IVR to route calls, then you might want to explore using the IVR to take the credit card information.

The reasons to not use the IVR and to use the CRM plug-in route even though you have an IVR are: You are worried about losing sales when the agent is not on the line with the customer or you don’t have someone who can program/monitor the IVR to ensure a good customer experience.

The lack of front door security around phone-based credit card transactions wreaks financial havoc on millions of unsuspecting consumers.  With the simple, proven solutions that exist out there, this is inexcusable. 

Moreover, despite all the hand-wringing and money spent to secure the backend data center, it is just a matter of time before the neglect of this “leaking” around the front door blows up some company's front porch.

Dennis Adsit is the VP of Continuous Improvement Consulting with KomBea Corporation, which provides software for call centers, including software that protects consumers and reduces merchant chargebacks. He has over 25 years of domestic and international experience in consulting and operations, most recently as a Senior Vice President with Intuit. His diverse experience includes Human Resources, Lean/Six Sigma consulting, and Call Center Operations. Contact him by email at
