Credit card fraud and PCI compliance are impacting businesses around the world. It is no longer the banks or the credit card companies that bear the risk or responsibility for security.
In Canada, 2011 financial losses to Canadians from card-not-present (CNP) fraudulent transactions totaled $259 million, with an average loss per transaction of $644. Moreover, the one-year growth rate of these losses over 2010 losses was a stunning 47%.
According to a U.S. Payments Forum report, CNP fraud is currently the most prevalent type of fraud reported in countries that have migrated to EMV chip, and it continues to increase. With the exponential growth of e-commerce, many are struggling to keep up with security standards in place to prevent CNP fraud.
Here are a few of the many myths and misconceptions about credit card fraud that we've heard over the years.
Myth #1: I can't take credit card payments over the phone securely.
Card-not-present (CNP) fraud is a huge problem, and taking payments over the phone is one of the most common ways that private credit card information can get out. CNP includes over-the-phone payments, internet and e-commerce transactions, and mail-order transactions where the cardholder does not physically present the card to the merchant.
CNP transactions pose a serious risk for businesses and individuals, but there are technologies that can help ensure your business can still offer secure over-the-phone payments.
Myth #2: All call centers are equal.
We work with call centers regularly to help ensure they are compliant, and there are many good call centers that follow security guidelines and use solutions like Ivrnet to maintain PCI compliance. Be sure to use reputable, compliant call centers that can demonstrate secure over-the-phone payment processes and technologies.
In one case involving an overseas call center, employees were selling information from thousands of credit card and bank accounts for small amounts of money. A sting operation conducted by The Sun shows just how easy it was to buy sensitive PCI data:
The Sun's team bought the details of 1,000 British customers from the dealer for 250 pounds.
The report said: "We were given bank account details, personal data and credit card numbers with the three-digit CVV security code needed for use on the phone or web. There were even online account passwords".
Myth #3: Credit card fraud is a high-tech business.
Telephone-based credit card transactions present two opportunities for fraudsters. They are a source from which to harvest sensitive data and a target where these stolen cards can be used. Both of these risks are increasing as criminals target telephone-based systems as the weak link in the payment chain.
And it's often through low-tech means that data is stolen.
When an agent hears a customer speak sensitive credit card data in order to enter it into a CRM or ERP system (which then also stores this data), you are at risk of someone else overhearing that data, whether it's another employee or a customer. Employees are also able to take the data they gather over the phone and use it however they want.
While you may trust your employees, best practice is to use encrypted technologies to eliminate the opportunity for data to be stolen.
Myth #4: We can just delete or shred the data.
Did you know that if your customer service agents are recording calls and asking customers to give payment card information over the phone during the call, then your risk extends to these recordings?
As mentioned before, CNP data is not encrypted and so there is opportunity for bad actors to take the data at some stage—even if you eventually delete recordings, paper or other electronic records.
Myth #5: We only have to focus on the right technology to eliminate risk.
While having the right encrypted technologies is critical, your human resources and processes must be closely examined as well. There is a lot of risk of human error when taking payments over the phone, or in person:
- Untrained employees
- Unethical behavior
- Accidental privacy breaches - losing data, computer left unattended
- Unethical behavior of people in proximity to your employees/customers
Employees at Ivrnet offered up a few of their own stories of over the phone credit card fraud that had happened to them. In one case, it was a hotel and card information was spoken over the phone. The credit card information was stolen and used, but traced back to the hotel as the source of the breach.
Another example was from an employee who could no longer use a particular food delivery service. The service was known for breaches, hacked accounts, and fraudsters ordering deliveries on other people’s accounts and getting free meals. Now her credit card company won’t allow transactions for this service.
Want to learn more about Over the Phone Credit Card Fraud and PCI Compliance? Read our guide at the link below. In this guide, we explore security issues specific to over-the-phone credit card payments, to help your company:
- combat the risk of credit card data breaches
- decrease costs and responsibility of securing this data
- gain greater customer service agent efficiencies
- earn greater consumer confidence
- protect your reputation
- continue to offer the convenience and immediacy of taking credit card payments over the phone
Ready to get started?
If you need online and telephone payment as part of your business, Ivrnet is your solution. If you simply need the transaction to happen off your systems so you are PCI compliant, Ivrnet has your solution. Simple, elegant and easy.