Major UK insurer chooses Semafone to protect customer data

Semafone, the provider of secure payment software for contact centres, has signed an agreement with a major UK insurer to protect customers who pay over the phone.

The new customer is one of an increasing number of insurance companies on both sides of the Atlantic that have signed contracts with Semafone, reflecting a need for greater compliance and tighter security within the sector. A recent survey from Semafone revealed that many top insurers in the US and UK are still taking data security risks by asking customers to read card details out loud. What’s more, nine out of ten in the UK still reported using the inadequate system of pausing call recordings* to avoid the capture of card details.

Semafone’s Cardprotect solution will allow customers to pay for insurance products by entering their own payment card numbers into their phone’s keypad, rather than reading them aloud. For the insurer, this means that customer card data is protected and that the telephone payment system complies fully with the Payment Card Industry Data Security Standard (PCI DSS), which regulates all card payments.

As none of the sensitive card details are spoken out loud, Semafone Cardprotect will allow the company to record calls in their entirety. This is vital for PCI DSS compliance, which prohibits the recording of sensitive card data, such as the three-digit security code on the back of the card. It is particularly important for organisations operating in the financial services sector, where FCA regulations frequently require the capture of complete calls.

With Cardprotect, the numbers are transmitted directly to the payment processor, without being stored on company IT systems. The keypad tones are disguised to ensure numbers cannot be identified by their sound, and the agent is free to continue the conversation while the caller is entering their details.

Semafone’s CEO, Tim Critchley, commented, “The insurance industry is taking customer payment data increasingly seriously, which is driving the adoption of Cardprotect to prevent contact centre fraud. In such a heavily regulated sector, it’s crucial that customer payment data is protected fully so it’s great to see one more major player who won’t be asking people to read their card numbers out.”

Why it’s high risk to ask customers to read card details out loud when paying over the phone:

  • The numbers may be overheard when the customer reads them out to the agent
  • Agents themselves may be targeted by fraudsters. Call centre agents have been bribed or blackmailed to steal customer card information
  • A malicious agent could have the opportunity to write down or remember the numbers to sell on or for personal use
  • The numbers have to pass through the contact centre IT system, where they will be at risk from hackers

Why call recording amplifies the problem:

  • The Payment Card Industry Data Security Standard (PCI DSS) prohibits the recording of sensitive card data, such as the three-digit security code on the back of the card
  • Interactive voice systems can be effective in protecting data, but leave customers with no support if they hit a problem
  • Such automated systems also slow down the process by obliging customers to select a series of menu options punctuated by lengthy instructions

*Pausing the recording does not work because:

  • The recording can be accidentally – or deliberately – paused at the wrong moment
  • The recording will not be complete and therefore will not be admissible as evidence in court

Semafone provides software to contact centres so they can take personal data securely over the telephone. Semafone’s patented data capture method collects sensitive information such as payment card or bank details and social security numbers directly from the customer’s telephone keypad for processing. This prevents personal data from entering the contact centre, which protects against the risk of fraud and the associated reputational damage, ensuring compliance with industry regulations such as PCI DSS.

The company was founded in 2009 and now supports customers in 22 countries on five continents. Semafone’s customer base includes insurance companies such as AXA and Amica, as well as brands across a range of other sectors including AO, The British Heart Foundation, Rogers Communications, Santander, Sky, TalkTalk and parts of the Virgin Group.

BT offers a hosted version of Semafone’s technology – Cloud Contact PCI. Major investors in Semafone include Octopus Investments and BGF (Business Growth Fund).

Semafone has achieved the four leading security and payment accreditations: ISO 27001:2013, PA-DSS certification for its payment solution Cardprotect, PCI DSS Level 1 Service Provider, and registration as a Visa Level 1 Merchant Agent.