Card Fraud Reduction in Contact Centres: Take Your Pick

Rob Crutchington at Encoded recommends asking three simple questions when deciding which fraud control method to use.

Many methods of taking card payments have emerged over the years as companies strive to be PCI DSS compliant. When the standard was first created, the aim was to clarify and align various fraud prevention measures and regulations into a single agreed global framework. It therefore comes as a real surprise that the latest UK Contact Centre Decision-Makers’ Guide (DMG), published by analyst ContactBabel, lists eleven different ways in which contact centres attempt to reduce card fraud.

The research outlined that respondents use on average 2.5 different fraud reduction methods from the following list (in descending order of popularity):

  • Pause and resume recording
  • Manual processes and training
  • Obscure the data entered on an agent’s screen
  • Clean desks/rooms – where pens, paper and mobiles are prohibited
  • Screen recording application (that does not capture card details on-screen)
  • Detect and block the phone’s DTMF tones
  • Cloud-based solution (card information does not enter the contact centre)
  • Specific internal team dedicated to taking card payments
  • Take payment via automated IVR at the end of the call
  • Take payment via automated IVR mid-call
  • Tokenisation

Time to take your pick – 3 questions to ask first

The ContactBabel survey showed that software and/or payment technology is the single biggest cost associated with fraud protection and PCI DSS compliance for almost three-quarters (70%) of survey respondents. Only one-third reported that they hadn’t had to increase their costs or change the way in which they operated for compliance. It is therefore important to ask yourself these three questions before deciding which route to take:

1. What are we trying to achieve?

While contact centres understand the importance of protecting customer data from fraud and cybercrime, not all of them realise that, in the event of a security breach, the buck stops with the merchant and it will be the organisation that is fined. However, there are ways to reduce the scope of the cardholder data environment. When choosing from the various fraud reduction methods, it’s important to establish what you are trying to achieve. Typically, the answer is to prevent lost data and to make PCI DSS compliance easier and less costly.

2. Is this good for the customers? How will customer service be impacted?

While there are many different glossy systems to choose from, it is important to think about how your customers will react. Will partially sighted, elderly or disabled people be able to use the service? Sometimes simple is best: for example, “pause and resume” recording, which is still used by over 60% of survey respondents, caters for everyone, is typically cheaper to implement than other options and offers the highest level of customer service.

3. How much is it going to cost?

There is no such thing as a PCI DSS compliant technology solution. However, technology can help achieve compliance. It is important to check that any third-party payment service provider is able to prove it is PCI DSS compliant. While a third-party cloud-based payment solution can remove cardholder data from the contact centre, the security processes and operational effectiveness of the provider must be checked. Remember, compliance is ultimately the responsibility of the merchant. One of the most cost-effective methods of dealing with payments is an automated IVR process to take card details from the customer while removing agent risk entirely. Often the simplest ways are also the least expensive, but just as effective.

Whatever method of card fraud reduction is chosen, by complying with PCI DSS, merchants and their service providers meet their obligations to the payment ecosystem. They also help to build a culture of security and confidence that benefits customers and contact centres alike. The key is to ask the right questions and choose carefully.