9 Ways to Avoid a Credit Card Data Breach


With data breaches making headline news, Simon Beeching explains how to maintain customer trust and protect your brand.

Data breaches are headline news at the moment, reminding us all that it’s not just about boring old regulations and security policies, but may go right to the core of what customers think of your brand.

As the old saying goes, ‘it takes years to build a reputation and only seconds to lose it’. This has been evidenced by the chief executives of some large organisations in the news recently squirming as they explain that they’re not sure exactly what sensitive data has been stolen or whether it was encrypted.

Here are 9 tips to help maintain security of credit card data in contact centres:

1. Never store the long card number

Never store the long card number (PAN) unencrypted, and never store the 3-digit security number (CV2) at all. The latter is not only against the PCI DSS regulations (Payment Card Industry Data Security Standard), but would get you into deep trouble if there is a breach – to the point where you may face fines or lose your merchant account and no longer be able to take card payments.

2. Don’t give staff unsupervised access

Don’t let staff have access to customers’ credit card numbers unsupervised.

3. Tokenise the long card number for future use

If your payment gateway supports it, ask them to tokenise the long card number for future use.

This way, any member of staff can only see the last four digits to quote to the customer to reauthorise next time – and you don’t store the rest at all.
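As an added illustration of tips 1 and 3 (example code, not from the article or any particular payment gateway), the following Python shows the division of responsibility tokenisation creates: the gateway-side vault is a constructed stand-in for the gateway's real token store, and the contact-centre side keeps only an opaque token and the last four digits. There is no field anywhere in the contact-centre record for the full PAN, and no parameter for the CV2, so neither can be stored by accident.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed stand-in for the payment gateway's token vault. In a real
# deployment this mapping lives at the gateway, never in the contact centre.
_GATEWAY_VAULT: dict[str, str] = {}


def normalise_pan(pan: str) -> str:
    """Strip spaces/hyphens and check the result looks like a PAN (13-19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits


def mask_pan(pan: str) -> str:
    """Display form for agents: everything but the last four digits masked."""
    digits = normalise_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class CardReference:
    """The only card-related data the contact centre keeps: an opaque token and last four."""
    token: str
    last4: str


def gateway_tokenise(pan: str) -> CardReference:
    """Gateway side: swap the PAN for a random, unguessable token (hypothetical API)."""
    digits = normalise_pan(pan)
    token = secrets.token_urlsafe(24)      # 192 bits of randomness, not derived from the PAN
    _GATEWAY_VAULT[token] = digits
    return CardReference(token=token, last4=digits[-4:])


def gateway_detokenise(token: str) -> str:
    """Gateway side only; the contact centre has no equivalent of this call."""
    return _GATEWAY_VAULT[token]


def take_initial_payment(pan: str) -> CardReference:
    """Contact-centre side: hand the PAN to the gateway and keep only the reference."""
    ref = gateway_tokenise(pan)
    # 'pan' goes out of scope here; nothing but 'ref' is persisted in the CRM.
    return ref


def agent_prompt(ref: CardReference) -> str:
    """What the agent reads to the customer on a repeat order: last four digits only."""
    return f"Shall I charge the card ending in {ref.last4}?"
```

A reauthorisation then sends only `ref.token` and an amount to the gateway; the agent desktop, the CRM database and their backups never hold anything a thief could use to make a purchase.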

4. Do not use unencrypted VoIP connections

Do not use unencrypted VoIP connections for calls where card numbers are being read out by the customer, as anyone who can see the network traffic can listen in and recover the numbers.

5. Audit where you may have stored credit card data in the past

Make sure you audit where you may have stored credit card data in the past. Get rid of this data where possible, encrypt it/tokenise it where not.

Call recordings in particular are a hazard as you may have thousands of calls for quality control or audit purposes, containing recordings of customers reading out their card numbers. These numbers can be blanked out and the rest of the recordings retained.
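The audit in tip 5 usually starts with the text systems (CRM notes, ticket exports, application logs) rather than the audio. As an added example that is not part of the article, the Python below scans constructed sample lines for card-number-shaped digit runs and keeps only those that pass the Luhn checksum, which weeds out most order references and phone numbers. Findings and redacted output carry only the masked form, so the audit tooling itself never becomes another place the full PAN is written down.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjoining other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the major card schemes; filters out most
    random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Yield (start, end, masked) for every Luhn-valid candidate in the text."""
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.start(), m.end(), mask(digits)


def redact(text: str) -> str:
    """Replace each detected PAN with its masked form, leaving the rest intact."""
    out, last = [], 0
    for start, end, masked in find_pans(text):
        out.append(text[last:start])
        out.append(masked)
        last = end
    out.append(text[last:])
    return "".join(out)


def scan_lines(lines):
    """Report (line_no, masked_pan) only; the full PAN is never printed or stored."""
    findings = []
    for n, line in enumerate(lines, 1):
        for _, _, masked in find_pans(line):
            findings.append((n, masked))
    return findings


# Constructed sample data: two real-looking PANs (scheme test numbers) and
# three decoys that a naive "16 digits" search would wrongly flag or miss.
SAMPLE_LINES = [
    "2015-11-04 10:02 order 1234567812345678 placed by customer 88213",
    "agent note: customer paid with card 4111 1111 1111 1111 exp 12/17",
    "callback number 0800 123 4567",
    "refund to 5500-0000-0000-0004 approved",
    "typo in CRM: 4111111111111112 (not a valid card)",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {masked}")
```

Running it reports lines 2 and 4 only. The same `redact` function is the text-side equivalent of blanking the digits out of a call recording: once the PAN is masked, the note or log line can be retained for its business purpose without keeping the cardholder data.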

6. Avoid ‘pause and resume’ call recording systems

Avoid ‘pause and resume’ call recording systems as this method does not solve the fact that your agents, their PCs and your network are still exposed to the card data when it’s read out (and remain ‘in scope’ of the PCI DSS regulations as a result).

Consumers are also increasingly wary about reading their card numbers out anyway, as they’ve seen the recent media stories about data theft too.

7. Avoid ‘clean rooming’ supervision of your agents

Similarly, avoid ‘clean rooming’ supervision of your agents to protect the data. It does not resolve the customer having to read out their card numbers over the phone, or your PCI DSS scope and annual assessment.

It can lead to a pretty dehumanising workplace too, if agents cannot have pens, paper, mobile phones and email access ‘because they might compromise the data’ – hardly a trusting environment for your staff.

8. Take responsibility for security of the sensitive card data

Make sure you take responsibility for security of the sensitive card data wherever it is taken or resides on your behalf.

This should include home and remote workers and any outsourcers too, whether you use them just for disaster recovery or for business-as-normal.

9. Consider a DTMF system for card payments by phone

Consider using a new DTMF system for card payments by phone, where the agent asks the customer to key in their PAN and CV2 in the middle of the live conversation (and/or an IVR automated system can be used).

Some of these solutions can also integrate with your payment services provider and existing hardware, and stop the card numbers entering your contact centre environment at all.

For more information about avoiding a credit card data breach, watch this free webinar replay.

Author: Megan Jones

Published On: 4th Nov 2015 - Last modified: 22nd Mar 2017
