PCI DSS Call Centres – "it’s all in the game"
A recent article in SC Magazine identified that over the past 3 years, there has been a 45% spike in Call Centre fraud using social engineering techniques – the art of manipulating people so that they give up confidential information. This is known as the Human Factor.
24 May 2016
Furthermore, Verizon’s 2016 Data Breach Investigations Report (DBIR) identified that a staggering 77% of the breaches were caused by the insider threat – be that someone carrying out a deliberate, negligent or accidental act. With that in mind, any business taking card payments over the telephone will almost certainly rely on some network-based technology and on people interacting with customers. So while we can harden the systems to reduce the exploitable vulnerabilities, the question remains: how do we harden the Human Factor?
With Rugby League’s Magic Weekend still fresh in my mind, it got me thinking: are there any lessons that can be learned from the disciplined (some might say robust) approach of the Rugby League?
Rugby League involves 13 players (all with differing skills and abilities) employing different tactics whilst working as one cohesive team to dodge, evade and successfully thwart the opposition. But the opposition is ever-vigilant - always looking, focusing and hunting down the opportunity to exploit a mistake; to breach the defences and score. The more tries scored by the opposition, the greater the impact on the club and its spectators. Morale fades, confidence ebbs, league position falters... the fan base wobbles. A lower fan base leads to less money coming through the gates. Relegation looms, and die-hard fans take to social media to blame the management.
So how does a club try to reduce the chance of relegation? It’s about simple things: find a good coach; secure the best players; invest in training, skills development and knowledge transfer. And it’s about practice, practice, practice.
Playing the PCI DSS Call Centre game
So in the game of PCI DSS, the Rugby League elements are replaced as follows:
Now, let’s imagine that each set of tackles represents a payment journey, but in the same way that the ball will not always make it over the line, not every call (carrying payment details) will make it across the line either. And that’s the danger that PCI DSS teams need to guard against. More simply, they need to ensure that no balls are dropped to avoid the opportunity for the opposition players to benefit from a poorly-executed pass, kick or wayward ball.
Step forward the Dream Team
Fortunately, help is at hand. Within the PCI DSS environment, businesses have a number of alternatives to spending time and resources developing (and hardening) their own league team. We could make it difficult for opposition players to identify the rugby ball! We could reduce the number of players needed to handle the rugby ball! We could gain a home team advantage by recruiting the Dream Team!
In the Call Centre environment, PCI DSS compliance can be expensive, resource intensive and difficult to maintain. However, there is an alternative approach - namely, engage the Dream Team to do it for you! In the case of card payments made over the telephone, the Dream Team takes the form of a fully-managed platform (a solution) with Dual-Tone Multi-Frequency (DTMF) capability; critical because it thwarts the opposition (the hackers and the bad guys). With such a solution, the home team is still represented, but instead of being akin to an amateur pub team (training and playing around existing commitments) it takes the form of a professional, highly-skilled squad of 13 full-time players. The bottom line is that the DTMF platform masks the payment card numbers so that they never reach the agent or the call recording. And the old adage that you can’t hack what you can’t see makes it a winning solution (sorry, I mean a winning team!).
Going for gold
It goes something like this: the home team’s Call Centre agent receives the initial call (he walks onto the pitch) but at the point that the payment card data is required (kick off) the call is transferred to the DTMF platform (the Dream Team) where the payment card data (the rugby ball) is safely used to make the purchase (score a try)! Got that? The team continues to score and win, their league ranking soars, their fan base swells, season ticket sales hit record levels, business prospers… and life is good!
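An added illustration of the call flow just described (not the article's or any vendor's code; every class and function name is hypothetical and the card number is a constructed test value): the unmasked leg leaves the card digits in the agent's call recording, while the DTMF-masked leg hands the agent only a flat placeholder, so the recording holds nothing worth stealing.

```python
# Toy model of a telephone payment leg, with and without DTMF masking.
# Hypothetical names throughout; not a real contact-centre or payment API.
import re

DTMF_KEYS = set("0123456789*#")
CARD_DIGIT_RUN = re.compile(r"\d{13,19}")  # a PAN-length run of digits


class DtmfPaymentPlatform:
    """Captures key presses out of band; only a flat placeholder reaches the agent."""

    def __init__(self) -> None:
        self._digits: list[str] = []

    def capture(self, key: str) -> str:
        """Consume one customer key press and return what the agent leg should carry."""
        if key not in DTMF_KEYS:
            raise ValueError(f"not a DTMF key: {key!r}")
        self._digits.append(key)
        return "*"  # constant placeholder: carries no information about the digit pressed

    def authorise(self) -> str:
        """Toy authorisation: accept a PAN-length all-digit string, then discard it."""
        pan = "".join(self._digits)
        self._digits.clear()  # the card number is not retained after use
        return "approved" if pan.isdigit() and 13 <= len(pan) <= 19 else "declined"


def take_payment(keypresses: str, masked: bool) -> tuple[str, str]:
    """Return (contents of the agent-side call recording, authorisation result)."""
    platform = DtmfPaymentPlatform()
    recording: list[str] = []
    for key in keypresses:
        placeholder = platform.capture(key)
        # Unmasked: the raw tone is audible on the agent leg and lands in the recording.
        recording.append(placeholder if masked else key)
    return "".join(recording), platform.authorise()


def recording_in_scope(recording: str) -> bool:
    """Check to run over agent-side recordings: is a PAN-length digit run present?"""
    return CARD_DIGIT_RUN.search(recording) is not None


if __name__ == "__main__":
    for masked in (False, True):
        rec, result = take_payment("4111111111111111", masked)  # constructed test number
        print(f"masked={masked}: recording={rec!r} in_scope={recording_in_scope(rec)} result={result}")
```

Running the same call twice shows the point of the Dream Team: both payments are approved, but only the unmasked recording would drag the call centre back into PCI DSS scope.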