Top U.S. Insurers Still Require Customers to Read Card Numbers Out Loud, Compromising Security and PCI DSS Compliance

PRESS RELEASE: Semafone, a provider of secure payment software for contact centers, announced findings from a new “secret shopper” survey of leading insurance companies. Ten of the top insurance companies in the U.S. were anonymously surveyed and all responded that they still require customers to read their card numbers out loud when paying for insurance services over the phone, which means that they risk compromising security and Payment Card Industry Data Security Standard (PCI DSS) compliance.

“Nobody would dream of reading out their PIN at an ATM, but in the insurance industry it’s still commonplace to be asked to provide card details out loud over the phone,” said Tim Critchley, CEO, Semafone. “I’m sure most of us have overheard someone doing this in a public space; it’s not secure and it should not be happening.”

Call Recording Presents Additional Risks

The research also showed that eight of the top U.S. insurers record calls. This creates another challenge: PCI DSS, which applies to any organization that stores, processes or transmits cardholder data, prohibits storing card security codes after authorization and requires any stored full card number to be protected, so an unredacted recording of a phone payment is itself a compliance problem. If a payment takes place over the phone and the call is being recorded, the insurer needs a way to keep these details out of the recording. Some insurers surveyed said they transfer customers to a voice recognition system that automatically blanks card numbers from the recording, or use a start-and-stop (pause and resume) method so the recording is not running while the card details are spoken. Both methods have known drawbacks.

Critchley continued, “In the financial sector, it’s important to record calls in case you need to provide a legal record during any disputes. But if contact center agents are pausing the calls to remove card details, the recording can’t be deemed ‘complete’ and, therefore, no longer fits this purpose.

The ‘pause’ system also often depends on the service agent pressing the button at exactly the right moment. This means that it is far too easy to make a mistake and accidentally capture the card details on the recording. In some cases, we have even known agents to deliberately pause the recording at the wrong moment to blank out part of the conversation with the customer. It’s just not possible to guarantee that it will work.”
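The following is an added example, not code from Semafone or from any insurer surveyed, that makes the two points above concrete: it simulates the manual pause-and-resume control on a constructed call transcript and shows that a mistimed pause leaves the full card number in the recording, then applies content-based redaction (Luhn-validated card-number detection, the technique behind most automatic blanking) to what was recorded. The call text, timings and policy number are all constructed for illustration; 4111 1111 1111 1111 is the standard Visa test number.

```python
"""Pause/resume versus content-based card-number redaction (added example)."""
import re
from typing import List, Tuple

Utterance = Tuple[float, str, str]  # (seconds into call, speaker, text)

# Constructed sample call, not a real recording. The policy number is a
# 16-digit string that fails the Luhn check, so a detector should leave it alone.
CALL: List[Utterance] = [
    (0.0, "agent", "I can take the premium payment now, go ahead with the card."),
    (4.5, "customer", "The card number is 4111 1111 1111 1111."),
    (9.0, "customer", "Expiry 03/27 and the security code is 123."),
    (12.0, "agent", "Reading that back: 4111 1111 1111 1111, is that right?"),
    (16.0, "customer", "Yes. My policy number is 8827 4410 9931 2200."),
]

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): every real PAN passes, most other digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match) -> str:
    """Mask all but the last four digits, keeping separators; leave non-PANs untouched."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw
    cutoff = len(digits) - 4
    seen = 0
    out = []
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append("X" if seen <= cutoff else ch)
        else:
            out.append(ch)
    return "".join(out)


def redact_pans(text: str) -> Tuple[str, int]:
    """Return the text with Luhn-valid PANs masked, plus how many PANs were masked."""
    count = 0

    def repl(m) -> str:
        nonlocal count
        masked = _mask(m)
        if masked != m.group(0):
            count += 1
        return masked

    return PAN_RE.sub(repl, text), count


def pause_resume_recording(call: List[Utterance], pause_at: float, resume_at: float) -> List[Utterance]:
    """Simulate the manual control: everything outside the paused window is recorded."""
    return [u for u in call if not (pause_at <= u[0] < resume_at)]


def pans_in_recording(recording: List[Utterance]) -> int:
    """Count full card numbers that survive in a recording (what an auditor looks for)."""
    return sum(redact_pans(text)[1] for _, _, text in recording)


def redact_recording(recording: List[Utterance]) -> List[Utterance]:
    """Content-based blanking applied after the fact, independent of agent timing."""
    return [(t, who, redact_pans(text)[0]) for t, who, text in recording]


if __name__ == "__main__":
    # Hypothetical timing: the agent presses pause half a second after the customer starts.
    late = pause_resume_recording(CALL, pause_at=5.0, resume_at=11.0)
    print("PANs left by the late pause:", pans_in_recording(late))
    for _, who, text in redact_recording(late):
        print(f"  {who}: {text}")
    on_time = pause_resume_recording(CALL, pause_at=4.0, resume_at=13.0)
    print("PANs left by a well-timed pause:", pans_in_recording(on_time))
```

With the late pause the card number is captured twice, once from the customer and once from the agent's read-back, and the customer's expiry and security-code utterance is the only thing that was blanked. Content-based redaction recovers the card numbers, but note its limit: a three-digit security code cannot be told apart from any other short number, so the only reliable control for security codes is to keep them off the recorded channel altogether rather than to clean them up afterwards.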

U.S. Insurers Lag in Security of Call Center Data

To make matters worse, four of the 10 top U.S. insurers admitted to reading card numbers back to customers, a practice that repeats the full card number on the call and makes PCI DSS compliance even more taxing. Additionally, most agents were unsure whether the numbers were being recorded at all.

“All contact centers in the U.S. need to do more. The insurance sector has been charging higher premiums for corporate policyholders who fail to take cybersecurity seriously; now it’s time for insurers to get their own house in order,” stated Critchley. “We’re very pleased to be working with an increasing number of insurance companies who are addressing the problem, but there is still work to be done. Asking customers to read credit and debit card numbers aloud over the phone must become a thing of the past.”