PCI-DSS: A Million Dollar Risk for a 10-Cent Hacking Cost
Forty lines of code, a cloud API, and one open source program are all it takes to extract credit card data from call recordings. High school students can figure out how to do it over a weekend.
This is just one example of how the world of computing and software apps is undergoing unprecedented change. And hackers keep pushing the envelope of what most IT security departments can afford for prevention. The old ways of securing call recordings are no longer enough, and companies of all sizes are at substantial risk.
How is this impacting contact centers and call recording?
- The cost of the aforementioned hacking approach is roughly 10 cents USD per call—that is, $1000 for 10K calls.
- Companies pay an average of $3.5 million for a hacking incident, and for larger companies the total cost can reach into the hundreds of millions—transaction processor fines, class action lawsuits, and lost revenue are just some of the costs.
- Examples show that call recordings and transcriptions are already being targeted.
Healthcare carries one of the most substantial risks, which is why we’ve just launched a new integration with Epic systems. But any industry accepting credit cards over the phone is a target, so we also support Cisco Finesse, Salesforce.com, Pegasystems (OpenSpan) and more.
What are the key costs and penalties?
While they can be organized in different ways, here are five major areas:
- Payment Processor Penalties for Non-Compliance
- Legal and Operational Costs—class action lawsuits, cyber-insurance, public relations, financing costs, costs of disruption, mandatory credit monitoring and identity protection, additional contact center staffing, IT security, and more.
- Lost “Current Quarter” Revenue from Customer, Partner, and Supplier Attrition
- Loss of Reputation and Future Revenue
- The Costs of Executive Resignation and Job Replacement
NOTE: Download our white paper [link] on this topic, which provides comprehensive detail on this blog post. The product web page [link] also explains key information.
What should we do about it?
The first step is admitting there is a problem—any compliance officer, contact center business leader, and CFO should be very uncomfortable with the risk. The standards are clear, and the only way to begin is by making PCI DSS compliance a priority.
Then, there are three major approaches to preventing cardholder data covered by PCI DSS from being stored in audio and video recordings. In our view, number three is the most often overlooked while being the most cost- and risk-effective option.
1. Ensure agents don’t speak about or show PCI data
Contact centers can implement authentication, verification, and transaction processes that don’t require agents to speak or display PCI data during calls. Sometimes this can be achieved through simple process reengineering – “Do we really need to ask for social security number AND birthday?” – but it more often requires additional technology solutions such as IVR applications, third-party processing, and/or self-serve applications.
2. Manual pause and resume of call recordings
In this scenario, agents select a pause button from a telephone UI to stop audio/video recording and press the button again to resume recording. While this doesn’t typically create significant additional IT costs, this approach relies on the agent remembering to pause and un-pause while simultaneously interacting with the customer and processing a transaction. Mistakes are common and put your PCI DSS compliance at risk.
3. Automatic pause and resume of call recordings
With automatic pause and resume, the agent’s interaction with a desktop app triggers the call recording application to pause and un-pause according to business rules. For example, putting the agent cursor in a credit card field pauses recording—and removing their cursor from the field resumes the recording. There are two approaches:
- Installing an additional desktop app that learns where the cursor goes for every possible set of pixels and apps on a screen, then recognizes the right circumstance to trigger an API call to the call recording server’s pause and resume functions.
- Having an existing desktop app (like a payment capture app) trigger an API call when the cursor moves into or out of a specific field. This would pause and resume “behind the scenes.”
The first of these two options is typically very expensive to implement because someone must train the “computer vision” app to recognize which set of screen pixels and apps to react to, and it must be “re-trained” whenever the desktop apps change. The second requires the UI to call an API when the cursor moves into or out of the field, but implementation is simple.
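To make the second approach concrete, here is an added example (not ZOOM’s code; this page does not document ZOOM’s API) of the small state machine a payment capture app needs around its pause/resume calls. The recorder client, its pause and resume methods, the field names and the call id are all constructed for the example. The point it adds beyond the description above is the failure handling: if the pause request does not succeed, the controller tells the app to block input to the card field, so cardholder data is never entered while the recorder may still be running, and every decision is written to an audit log so compliance reviewers can reconcile recordings against pause events.

```javascript
// Added example: field-focus driven pause/resume of a call recorder.
// The recorder client, field names and call id below are constructed
// stand-ins; ZOOM's real API surface is not described on this page.

const SENSITIVE_FIELDS = new Set(['cardNumber', 'cardExpiry', 'cardCvv']);

// Stand-in for the recording server's API client. A real client would make a
// network call; this one records the requests it received and can be told to
// fail so the fail-closed path can be exercised.
class MockRecorderClient {
  constructor({ failPause = false } = {}) {
    this.state = 'recording';
    this.failPause = failPause;
    this.requests = [];
  }
  pause(callId) {
    this.requests.push(`pause:${callId}`);
    if (this.failPause) throw new Error('recorder unreachable');
    this.state = 'paused';
  }
  resume(callId) {
    this.requests.push(`resume:${callId}`);
    this.state = 'recording';
  }
}

// Wires desktop-app focus events to the recorder. Rules:
//  - entering any sensitive field pauses recording (once, not once per field);
//  - recording resumes only when no sensitive field still has focus;
//  - if the pause request fails, the caller is told to block input (fail closed);
//  - every pause/resume decision is appended to an audit log.
class PauseResumeController {
  constructor(recorder, callId) {
    this.recorder = recorder;
    this.callId = callId;
    this.paused = false;
    this.focused = new Set(); // sensitive fields currently holding focus
    this.auditLog = [];
  }

  onFocus(field) {
    if (!SENSITIVE_FIELDS.has(field)) return this.decision(true);
    this.focused.add(field);
    if (this.paused) return this.decision(true); // already paused, nothing to do
    try {
      this.recorder.pause(this.callId);
      this.paused = true;
      this.audit('pause', field, 'ok');
      return this.decision(true);
    } catch (err) {
      this.audit('pause', field, `failed: ${err.message}`);
      return this.decision(false); // fail closed: do not let card data be entered
    }
  }

  onBlur(field) {
    if (!SENSITIVE_FIELDS.has(field)) return this.decision(true);
    this.focused.delete(field);
    if (this.focused.size > 0 || !this.paused) return this.decision(true);
    try {
      this.recorder.resume(this.callId);
      this.paused = false;
      this.audit('resume', field, 'ok');
    } catch (err) {
      // A failed resume loses some recording but exposes no card data: stay paused.
      this.audit('resume', field, `failed: ${err.message}`);
    }
    return this.decision(true);
  }

  decision(allowInput) {
    return { allowInput, recorderPaused: this.paused };
  }

  audit(action, field, result) {
    this.auditLog.push({ ts: new Date().toISOString(), callId: this.callId, action, field, result });
  }
}

// Replays a constructed sequence of agent focus events and returns what happened.
function runScenario(failPause = false) {
  const recorder = new MockRecorderClient({ failPause });
  const ctl = new PauseResumeController(recorder, 'call-0001'); // constructed call id
  const steps = [
    ctl.onFocus('customerName'), // non-sensitive: no API call
    ctl.onFocus('cardNumber'),   // pause
    ctl.onBlur('cardNumber'),    // resume
    ctl.onFocus('cardCvv'),      // pause again
    ctl.onBlur('cardCvv'),       // resume
  ];
  return { steps, requests: recorder.requests, finalState: recorder.state, audit: ctl.auditLog };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Note that a browser delivers the blur of one field before the focus of the next, so tabbing between two adjacent card fields produces a resume immediately followed by a pause; the audit log makes that churn visible, and a short deferral of the resume would remove it without weakening the fail-closed rule.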
ZOOM provides multiple solutions for pause and resume:
To help our prospects, customers, and partners in this area, ZOOM provides three approaches:
- Open APIs
- Manual pause and resume for Salesforce.com and Cisco Finesse
- Automatic pause and resume for Pegasystems RPA (OpenSpan) and Epic systems (in healthcare)
Learn more: ZOOM WFO