The following is an opinion article from Daniel J. Doherty, founding member of Viziulo Global Advisors, LLC, which provides know-how to commercial and consumer insurance enterprises and public sector organizations operating in global markets.
From credit card numbers and social security numbers (SSNs), to birthdates and passwords, your call center handles your customers’ most sensitive information. Given the recent 371% increase in data breaches in the insurance industry, protecting this personally identifiable information (PII) must take greater precedence.
At the same time, the nation’s move to chip-enabled EMV payment cards has led to a 40% increase in card-not-present (CNP) fraud, as criminals turn their attention to online and telephone channels where they can more easily conduct fraud. The rise in both data breaches and CNP fraud means that insurers must zero in on call center security. However, there’s one practice that is amplifying rather than preventing fraud in the call center: “stop/start” (also known as pause call/resume).
The problems with stop/start
Many insurance companies record customer calls for a number of reasons – regulatory, legal, training or quality control. So, when customers share their personal information over the phone when making a payment, checking on a claim or enrolling in a new plan, that sensitive information is often recorded as well. To block this information from recordings (which, if breached, could expose customer data and even damage a company’s reputation), insurers frequently use the practice of “stop/start.” Whether performed through an automated or manual system, stop/start is exactly what the name implies. Recordings are stopped when PII like credit card numbers are read aloud, and then started again after the customer has shared that data.
Stop/start has long been a preferred approach to compliance and security in the insurance sector, especially because regulations like the Payment Card Industry Data Security Standard (PCI DSS) prohibit capturing payment card data on recordings. Although stop/start is a legally accepted industry practice, it is increasingly inadequate and creates more issues than it solves. First, with manual stop/start systems, agents have the freedom to stop and start calls whenever they want. This means that illicit activity could occur while the call is stopped. The agent could be prying for personal details or copying down payment card numbers. Research on data breaches shows that company insiders account for approximately 50% of security incidents. Agents could even be engaging in high-pressure sales tactics when the recording is stopped, as we’ve famously seen with Wells Fargo.
Second, humans aren’t error proof, so agents may unintentionally forget to stop the recording and accidentally log sensitive customer data. This violates compliance regulations, including PCI DSS, if card numbers are recorded, and leaves PII susceptible to a breach. On the other hand, an agent could forget to resume the call recording, leaving out important information that may be required to handle transaction disputes or demonstrate quality assurance. Also, by stopping the call recorder, organizations lose the ability to provide evidence of a business transaction and compliance with regulatory procedures.
Even automated stop/start solutions still present problems. Yes, some “bleep” out card numbers from the recording, but the agent is still able to hear the information as the customer reads it out loud. Card numbers aren’t held on the recording, yet the agent could very well be jotting them down for potential fraudulent use. While other systems, like interactive voice response (IVR) technology, shield information from both the agent and the recording, sensitive data still passes through and is stored in IT and business systems that are vulnerable to external and internal cyberattacks. In addition, these systems can cause frustration and lead to poor customer journeys. Often, customers don’t know how to correct miskeyed information using an IVR system, so they simply hang up the phone. This negatively affects customer satisfaction, contact resolution metrics and quite possibly your bottom line.
One of the most alarming aspects of stop/start is that companies who must record 100% of their calls to demonstrate compliance no longer have a complete record of the call. Thus, firms are actually audited against an inherently broken process. Many organizations are so focused on recording calls that they completely ignore the other security issues presented by this practice.
Who is using start/stop?
To gauge first-hand how insurance companies are blocking PII from call recordings, Semafone, a UK-based provider of call center security solutions, recently spoke with agents at 10 of the largest US firms. While some form of stop/start seemed to be commonplace, the company was intrigued by the wide variety of methods in use. For those who record calls, some agents assured that they rely on a program that automatically blocks out card details from the recording as the caller speaks. Others said PII is removed from the recordings after the fact. One firm said that calls are randomly recorded, and all recordings are kept for 30 days before being deleted. Despite the various security methods, it appeared that many agents were simply unaware or uninformed about safeguarding information from recordings and the compliance implications that come with these practices. The ambiguity surrounding insurance call recordings only reiterates the need for an alternative solution to stop/start.
There’s a better way... an alternative solution to stop/start
It’s time for call centers – especially those in the insurance industry – to abandon the practice of stop/start and investigate new technologies that keep customer data safe and brand reputations intact, while complying with the PCI DSS.Research into available solutions demonstrates there are several firms that enable an insurer – or any merchant – to mask the credit card number from both the recording and the agent, while keeping it secure. However, the solutions are varied.
In some cases, the agent stores the data on a USB stick or dongle on their desktop so that the call recording and agent cannot “hear” the card data being inputted. Yet, the card data still physically resides on site. Therefore, the insurer must adhere to more than 300 steps of PCI compliance for the physical environment and attest that the agents’ computers are secure to the PCI standard. Plus, all the hard fought “defense in depth” that IT and information security teams have put in place are for naught if someone can just come along and plug a USB device equipped with malware directly into the corporate network. Think of USB sticks as the dirty needles of the computer security world – insurers and other merchants alike should not introduce them, nor allow desktop computers with USB ports. There is no telling what these devices will bring in, putting customer data at risk.
The most effective way of eliminating stop/start and other broken processes is to ensure credit card information and other PII never enters the call center infrastructure in the first place. A growing number of insurers in Europe and in the US are successfully moving away from stop/start by using technologies that block payment information from recordings and agents by allowing customers to directly and discretely input numbers via their phone’s keypad, while agents remain on the line. With this approach, as customers input their card numbers, the touch tones are masked with a flat tone using a method called DTMF masking, ensuring that neither the agent nor anyone listening to the recording can decipher the numbers in any way. Meanwhile, the agent is able to stay in full voice communication with the customer, improving the overall customer experience, streamlining the journey and even reducing average handling time (AHT).
The biggest benefit is that sensitive information is not stored in any internal IT or business systems. In the case of payment transactions, the payment card data is segregated and securely sent straight to the payment processor. This approach not only secures PII, but also drastically simplifies PCI DSS compliance. The call center is no longer burdened by time-consuming compliance efforts and associated costs are significantly lowered.
As CNP fraud and the threat of cyberattacks continue to grow, insurers need to implement new security measures and examine new technologies for their call centers that safeguard customer data and protect their brands from costly reputational damage. Abandoning the risky practice of stop/start is a simple, but effective, step toward call center security.
The preceding article was an opinion piece from Daniel J. Doherty, founding member of Viziulo Global Advisors, LLC. The views expressed within the article do not necessarily reflect those of Insurance Business.
Related stories:
Why auto insurance agents are still needed in the digital age
BLOG: Running an insurance agency like a software company