27/08/2014

By Tim Critchley, CEO, Semafone


If you are taking or making payments over the phone, you are at risk of fraud in a number of ways. If the customer says their card details out loud when in the office, on public transport or while in the street, who could be listening? Could the contact centre agent taking the payment be passing on the credit card numbers? And if the sensitive card information is passing through your computer systems, how can you be sure that it is completely secure from hackers, who have developed clever and sophisticated ways of obtaining sensitive data over company networks without being detected?

Addressing so many security questions can be difficult and sometimes confusing. With huge advances being made to ensure telephone payments are more secure than ever, it is worth doing some research into the different technologies on offer, as each will differ in terms of the level of security as well as customer service and convenience. Below are the main technologies available for tackling telephone payment fraud, with an outline of how you can use them to protect customers’ sensitive information.

1. Pause and resume

You may need to record calls in order to comply with customer service guidelines or financial services regulations, particularly those issued by the Financial Conduct Authority (FCA). The problem with this is that if customers are saying their card details out loud, you will be recording these numbers onto your telephone system. This contravenes industry regulations, which strictly prohibit you from storing any sensitive card numbers on call recordings.

Some organisations have tried to get round this problem by pausing the recording while the payment information is being entered. The pause function can either be automated or controlled by the agent. The danger here is that human error can result in the recording being paused at the wrong moment, causing accidental recording of the numbers. It also means that the recording no longer constitutes a complete record of the call.
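
As an added illustration (not part of the original article and not Semafone's code), one way to audit for the failure described above is to scan speech-to-text transcripts of stored recordings for digit runs that pass the Luhn check used by payment cards. The transcripts, call ids and function names are assumptions made for this example.

```python
import re

# Spoken digits a speech-to-text engine may emit (assumed vocabulary).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
         "four": "4", "five": "5", "six": "6", "seven": "7",
         "eight": "8", "nine": "9"}

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def first_pan(run):
    """Longest 13-19 digit window in a digit run that passes Luhn, or None."""
    for length in range(min(19, len(run)), 12, -1):
        for start in range(len(run) - length + 1):
            if luhn_ok(run[start:start + length]):
                return run[start:start + length]
    return None

def find_pans(transcript):
    """Return card-number candidates, masked to the last four digits."""
    tokens = re.findall(r"[a-z]+|\d+", transcript.lower())
    hits, run = [], ""
    for tok in tokens + [""]:   # empty sentinel flushes the final run
        if tok.isdigit():
            run += tok
        elif tok in WORDS:
            run += WORDS[tok]
        else:                   # any other word ends the digit run
            pan = first_pan(run)
            if pan:
                hits.append("*" * (len(pan) - 4) + pan[-4:])
            run = ""
    return hits

# Constructed transcripts; 4111 1111 1111 1111 is a well-known test number.
CALLS = {
    "call-001": "card number is four one one one " + "one " * 12 + "thank you",
    "call-002": "it's 4111 1111 1111 1111 expiring next year",
    "call-003": "please key in your card now, your order reference is 20481",
}

def flag_calls(calls):
    return {cid: h for cid, t in calls.items() if (h := find_pans(t))}  # hits only
```

Roughly one in ten random digit windows passes Luhn, so a hit is a prompt to review and purge the recording rather than proof that a card number was captured.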

2. Interactive Voice Response (IVR)

IVR is an automated telephony system that interacts with callers, gathers information and routes calls as needed. When the customer calls up to make a payment, the process will be handled by a series of recorded instructions instead of a live person (“Press 1 for yes…”). Having an automated system instead of a real human being has security benefits, as it eliminates the danger of an agent overhearing and stealing or sharing the credit card details.

However, it has disadvantages in terms of customer service: most people would much rather speak to a person than a machine, and if anything goes wrong during the call there will be no one there to rectify the situation. Additionally, calls are often dropped or abandoned by the customer out of frustration at speaking to a machine, mis-keying or not having the right options.

3. Dual-Tone Multi-Frequency (DTMF) tone masking

Unlike a payment made through an IVR, DTMF tone masking lets the customer type their debit or credit card numbers on the telephone keypad while remaining in continual voice communication with the contact centre agent. When different numbers are pressed on the keypad, each is masked by a flat tone, making it impossible to identify the number just from its sound. Not only are the numbers unheard, they are also unseen: when typed into the telephone keypad, the numbers appear as asterisks (*) on the call centre agent's computer screen, so they are completely disguised. The payment details do not appear on the call recording system, and with certain secure solutions they do not enter the call centre infrastructure at all but go directly to the bank, avoiding any possible contact with the call centre. By allowing the agent to remain on the call even when the customer is entering their card numbers, the customer experience is improved and the risk of the call being abandoned because of keying errors is reduced.

And remember certifications

If you are a business that takes customers' credit or debit card payments, over the phone or by another method, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This applies to any business that stores, transmits or processes sensitive credit and debit card information, in order to help reduce the risk of fraud and therefore protect the consumer. Whatever telephone payment technology you choose, make sure that you check that it is PCI certified.

If you are a business looking for a company to help you secure your telephone payments, you need to make sure you are engaging with a secure and trusted organisation. It is recommended that you check Visa’s official list of approved agents to ensure they are legitimate. Payment security is an on-going challenge and telephone payment fraud is a danger that must be taken seriously. A recent survey commissioned from OnePoll discovered that a massive 86% of people would completely shun a brand that had suffered a security breach. This is not a figure to ignore: if you fail to treat customers’ personal data with respect and put their information at risk, they will simply take their business elsewhere.


Tim Critchley is the CEO of Semafone, which provides secure voice payment software to contact centres. The Secured by Semafone trustmark is used by Semafone’s clients and partners as a sign to customers that their card data is secure when making a payment over the phone.