What Level of Security Questions Need to be Asked?

We were asked…

I work as a quality manager for a telecoms company and I’m looking into DPA when monitoring agent/advisor calls.

Is there certain information an agent has to confirm to ensure they are speaking to the customer? Does this differ on Inbound calls and outbound calls?

Is there certain information an agent cannot give out over the telephone i.e. customer telephone number, customers address?

Questions that are Personal to the Account

I work as a Trainer for a contact centre in Financial Services. We avoid questions such as DOB, Add and Name as proof of identity as that information is now so readily available in the public domain. Once you get a name and do a google search you can obtain their address and DOB very quickly. We tend to stick to questions that are more personal about the account held with us. Does anyone else share this view?
We also wouldn’t share any account information via email as email accounts can be created so easily and be fake its very hard to prove your interacting with the genuine client. I think some companies can but only through a secure password protected network addressed to a verified email address.

Thanks to Lucy

FCC Guidelines Need to be Followed

FCC Guidelines need to be followed. A caller needs to verify their name and last four of the primary acct holders social. If there is a password, then the password is the primary security method. If the caller is not the billing name, or listed as an authorized user, it doesn’t matter what info they verify. They get no access.

As far as acct info that is provided to a fully qualified caller, is also very limited. We will not release any acct info, but we can verify it. We will release information such as balance, payments, usage, rate plans, features, and so on. But absolutely no personal data will be provided. This includes specific phone numbers that were called or received, date and time of calls, and so on.

The very worse that can happen is someone might be able to slip in and change a plan or service. That can easily be fixed. But by releasing specific data, it could actually aid someone with bad intentions of locating a person to do possible harm.

Thanks to Jeff

Set Their own Security Password

Some organisations allow their customers to set their own security password. This can be very effective as it can be something personal to the customer and something that is not as easy to guess such as post code, date of birth or Landline telephone number.

Thanks to Neil

Confirm 3 Pieces of Information

Our agents will always ask the caller to confirm 3 pieces of information on both inbound/outbound calls – usually the name address and date of birth.

Thanks to Mark

Critical to have Security Questions

It is critical to have security questions confirmed to ensure the account related details are being shared with the subscriber only.However,the security check may not be needed for general queries like,what are the new offers etc, as they dont involve account details.

The mandate can be at least two good checks like:

• Billing address
• Landline telephone number
• Last recharge done
• Last bill paid

Thanks to Pinaz

No Set Questions Within the Data Protection Act

There are no set questions within the data protection act, it advises that a company must take reasonable steps to ensure they have checked and confirmed the identity of the person calling. Most companies I have called myself and worked for generally ask for a postcode and date of birth after taking the callers name and agreement/reference/account number.

As long as you have asked some relevant ‘security’ questions your responsibility has been covered and anyone calling and ‘pretending’ to by your customer is then the one breaking the law.

Thanks to Carl

Was DPA breached Question

I called a phone company on Saturday an agent I called completed DPA with me. I then went on to ask for manager. The manager then asked the agent was security complete and the agent informed him that it was, which was correct. I then asked the manager to call me back on different number that was not on my account. When the manager called me he didn’t ask security… Was DPA breached?

thanks to Padraig

Breach of Data Protection Questions

If a customer calls in relation to their account, they give their account number then the operator can see their personal information and they start the conversation…

“Ok am I speaking to Steve Jones?”
customer answers “Yes”, then operator asks,

“For data protection reasons can you confirm your postcode, first line of your adress and your postcode?”

Because you have used the name before asking data questions (maybe just the first name)
is this a breach of data protection as it’s not a security type of question?

Thanks to Luke

2 DPA Fails Questions

I have recently been given 2 DPA fails on my call quality due to not confirming the customers middle name. They confirmed their first and last name along side full address and date of birth. I was under the impression that asking all the necessary questions and you are confident you are speaking with the account holder that a middle name would not be such an issue. Can somebody help?

thanks to Tania

Verify the Customer’s Identity

With reference to the second question relating to what information cannot be given to a customer, in short an agent cannot give any personal information or personal data about the customer, to the customer, without first verifying the customer’s identity through the DPA check.

thanks to Janette Coulthard

We have now written a new article on this subject
https://www.callcentrehelper.com/what-are-the-best-security-questions-for-call-centres-13520.htm