How the payment practices of US insurers are compromising security and compliance

By Ben Rafferty, Global Solutions Director, Semafone

If you have recently been asked to provide your payment information verbally over the phone, it’s time to take note. No one would dream of reading out their PIN at an ATM, but, somehow, it’s still commonplace for customers to be asked by Customer Service Representatives (CSRs) to provide payment card details out loud over the phone, particularly in the US. And, as it turns out, the insurance industry is one of the biggest culprits.

In fact, a recent anonymous survey of 10 of the top insurance providers in the US found that all of them still require customers to read their card numbers out loud when paying for insurance services over the phone. You may have even heard this happen in public once or twice, or done it yourself, since it has become the norm. But the reality is that verbalizing card numbers is an incredibly risky practice, and should not be happening.

The following are a few specific ways this common payment practice among insurers creates problems for consumers, companies and additional stakeholders:

1. Potential for Customer Service Representative (CSR) fraud

Beyond the risk of opportunistic bystanders taking note of credit card numbers as they are read out loud over the phone, CSR misuse is a serious concern and is not to be taken lightly. Equipped with the ability to hear and see customers’ payment information, rogue CSRs have an opportunity to engage in illicit behavior, which may include copying down information, or engaging in social engineering or high-pressure sales tactics. In fact, research shows that company insiders account for approximately 50 percent of security incidents, making CSR fraud a very real threat.

2. Exacerbated compliance complications

Requiring card numbers to be read out loud is not only a security concern for customers; it also puts companies at risk of neglecting Payment Card Industry Data Security Standard (PCI DSS) compliance. The same anonymous survey of U.S. insurance providers found that eight of the 10 U.S. insurers also record customer calls. The PCI DSS, which governs all card payments, specifically requires additional protection and controls for the storage of full card numbers, and strictly prohibits the recording of card security codes. So if a payment is taken over the phone while the call is being recorded and the card details are read out loud, the company may be in clear violation of PCI DSS if the CVV is captured on the recording.

3. Broken attempts at mitigation

Some companies attempt to mitigate the security and compliance risks associated with call recordings by using a partial and constrained approach to shielding payment card information: the “stop/start” method. “Stop/start” is a practice in which call centers block payment information (and other sensitive data) from call recordings. It involves exactly what its name implies. When customers read their payment card details out loud, the call recording is stopped, paused or muted, either manually by a CSR or automatically using computer telephony integration (CTI). The recording is then restarted, resumed or unmuted once the caller is done sharing the sensitive information. The same survey found that several U.S. insurance companies do indeed use this method. This is alarming, as the complications associated with this practice are numerous.

Although stop/start systems are intended to prevent the recording of sensitive information, payment data still passes through, and is stored in, many elements of the call center infrastructure, leaving numerous weakly defended points from which card data could be obtained in the event of a breach. Additionally, stop/start can negatively impact the customer experience. Common occurrences such as multiple card numbers, mis-keyed or rekeyed digits and failed payments may lead to many instances of starting and stopping the recording, thus elongating customer transactions.

Finally, one of the most startling aspects of stop/start is that companies in regulated industries are required to record 100 percent of their calls to demonstrate compliance, and when they use stop/start they have an incomplete record of the call. Therefore, many of these companies are audited against an inherently broken process. This is especially true for companies in the insurance industry, where call recording is often required to show compliance with an increasing number of regulations and even local or state laws.

There must be a better way for insurance companies to handle payment transactions and other PII. The insurance sector has been charging higher premiums for corporate policyholders who fail to take cybersecurity seriously; now it’s time for insurers to get their own house in order. So, what could they do instead?

Companies can ameliorate any complications associated with payment card information simply by “de-scoping” their call centers, or, in other words, keeping credit card information and other PII out of the business infrastructure altogether. This is accomplished through solutions that allow customers to securely and discreetly enter payment card information on their telephone keypad. The numbers are shielded from the CSR (and recordings) using dual tone multi-frequency (DTMF) masking, and sent straight to the payment processor, never touching the call center’s systems, including networks, applications and databases. Meanwhile, the recording does not need to be stopped and the CSR can remain on the line, in full conversation with the customer, to ensure a smooth customer journey.
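The de-scoping approach above hinges on the masking step. As an added example (not Semafone's product code and not part of the original article), here is a minimal Python model of it: a Goertzel DTMF detector on 8 kHz telephony frames, a masked copy of the customer audio for the agent and the recorder (a flat 400 Hz placeholder tone replaces each key tone), and the decoded digits carried on a separate path. The card number, frame timings and placeholder tone are constructed values chosen for illustration.

```python
# Added illustration of DTMF masking; the sample card number is a constructed test value.
import math

RATE, FRAME = 8000, 160                      # 8 kHz telephony audio, 20 ms frames
LOW, HIGH = [697, 770, 852, 941], [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]
THRESHOLD = 200.0                            # Goertzel power; key tones here score about 1600

def goertzel_power(frame, freq):
    """Signal power near `freq` in one frame (Goertzel algorithm, exact frequency form)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Return the keypad digit sounding in this frame, or None (silence, speech, placeholder)."""
    lo = [goertzel_power(frame, f) for f in LOW]
    hi = [goertzel_power(frame, f) for f in HIGH]
    r, c = max(range(4), key=lo.__getitem__), max(range(4), key=hi.__getitem__)
    return KEYPAD[r][c] if lo[r] > THRESHOLD and hi[c] > THRESHOLD else None

def tone(freqs, amp, n=FRAME):
    """Synthesize one frame containing the given sine components."""
    return [sum(amp * math.sin(2 * math.pi * f * i / RATE) for f in freqs) for i in range(n)]

def dtmf_frames(digits, on=2, off=2):
    """Constructed customer audio: each key press is `on` tone frames then `off` silent frames."""
    out = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYPAD) if d in row)
        out += [tone([LOW[r], HIGH[KEYPAD[r].index(d)]], 0.5)] * on + [[0.0] * FRAME] * off
    return out

def mask_stream(frames):
    """Split the customer leg: returns (masked audio for agent/recorder, digits for processor)."""
    masked, digits, last = [], [], None
    for frame in frames:
        d = detect_digit(frame)
        if d is not None and d != last:      # rising edge of a tone = one key press
            digits.append(d)
        masked.append(tone([400], 0.2) if d is not None else frame)  # flat tone replaces the key
        last = d
    return masked, "".join(digits)
```

Running `mask_stream(mask_stream(frames)[0])` over the masked copy is the audit check: a DTMF decoder pointed at the recording should recover no digits at all.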

There is no question that asking customers to read credit and debit card numbers aloud over the phone must become a thing of the past. It’s now up to insurance companies to embrace new methods that will ensure that this change happens.
