On July 29, 2019, Capital One confirmed that it had recently been the victim of one of the largest thefts of banking information ever. 106 million people and small businesses in the U.S. and Canada had information from credit card applications made between 2005 and 2019 compromised, including names, addresses, postal codes and zip codes, phone numbers, email addresses, dates of birth and income. Credit data was also compromised, including credit scores, limits, balances, payment history and contact information, as well as some transactions made in the last three years. Perhaps most seriously, of the 6 million Canadians affected, 1 million had their Social Insurance Numbers (SINs) compromised, making them more vulnerable to identity theft.
In this latest incident, the breach was the handiwork of a hacker who has since been identified and arrested. However, whether the source of the breach is external or internal (as was the case in the recent breach at Desjardins where the perpetrator was an employee), the importance to businesses and their customers of implementing strong information security policies and procedures and monitoring them vigilantly cannot be overstated.
It’s not just financial services companies like Capital One and Desjardins that need to be vigilant in safeguarding sensitive customer information from hackers, be they internal or external. ANY company that handles client/customer personal information – credit cards, for example – is a potential target.
Where companies are struggling
Many organizations do a great job of securing their databases against external cyber threats. However, they tend to be more lax about implementing procedures that protect them from internal threats (or even mistakes) by employees that can compromise their security and the security of their customers’ data.
For example, one of the more difficult challenges for businesses is securing credit card information when payments are taken by live staff over the telephone. A very common practice is for a customer to call the business to pay an invoice, and a live agent captures (i.e. writes down or types) the credit card information and enters it into a virtual terminal for processing. PCI security standards mandate that businesses take the necessary steps to secure every payment channel, and specifically the ones where their staff are involved. If you employ live staff to handle your payments, the work area needs to be locked down – i.e. no mobile phones, paper or writing material allowed, and a closed platform at employees’ computer workstations (no USB devices or ways to screen capture, for example). Even then (and even with vigilant supervision), vulnerabilities exist that can still lead to security breaches and theft of data.
Consulting a qualified cybersecurity expert can help you prepare to navigate the ever-changing cybersecurity and payment security landscape.
Addressing the Issue of Live Staff in the Payment Flow
If your business relies on the phone to conduct business and part of the transaction involves collecting your customers’ credit card information, then a more secure and PCI-compliant approach would involve the use of Automated IVR Payments / Pay-By-Phone technology. By automating the payment process, you not only take the listening to and collecting of credit card information out of the hands of live staff, you also make payment easier and more convenient for your customers by enabling it on a 24/7 basis. An IVR Pay-By-Phone solution is flexible in that it allows for either a fully automated approach, or a system in which your live staff assist customers up to the point where credit card information will be exchanged, at which point the call is transferred to the automated Pay-By-Phone (PBP) system.
Regardless of the approach taken, IVR Pay-By-Phone technology provides customers with a more convenient way of making payments over the phone that is also much more secure, thereby improving customer satisfaction and confidence that their credit card information has been protected. Businesses will realize benefits in the form of reduced operating costs (since even the approach described above, which still uses live staff up to a certain point, typically needs fewer people to operate), improved efficiency, and enhanced peace of mind from knowing that they have secured this payment channel in compliance with PCI standards.