Call them centers of consumer frustration?
You know the drill. The standard way of getting help – the automated kind (through interactive voice response) – just isn’t cutting it. The chatbot isn’t enough.
There’s a need for a human on the other line – the hand-holder, who will assist with the technical problem or the transaction gone awry, or perhaps the recurring payment that didn’t recur.
But the problem with human interaction is … human interaction.
The interaction where one reads off an account number, a phone number or a Social Security number more than once – and where the process begins anew, seemingly several times per call. It’s like the movie “Groundhog Day,” except it isn’t funny.
Consumer frustration runs high with call centers, and perhaps so does the risk of exposing sensitive data.
In the latest Data Drivers, Patrick Brown, CEO at IntraNext, told PYMNTS’ Karen Webster that the tradeoff between the two need not always be a constant duel.
Data Point Number One: 70 Percent
A (perhaps surprising) 70 percent of call centers require customers to (literally) read information out loud to the call center agent – a litany of information that includes sensitive strings of numbers spanning birthdates, Social Security numbers and the like.
Ah, but who absorbs the risk? The caller supplying the information or the agent who is taking it down?
It’s a bit of a shared risk, said Brown.
“When you have to call in and you want to make a payment on an account or do something sensitive, you might not be in the comfort of your own home – you may be at work or are riding public transportation or whatnot,” said Brown. “Speaking that private information in a public place – that in itself is a touchpoint” of risk.
And though the percentage of actual wrongdoing – taking down data for bad aims – on the part of the agents themselves is low, Brown said “there are nefarious characters out there that have the ability to write things down and possibly misuse them.”
There’s a third factor at work (and at risk) here too, said Brown: The call center’s own systems may or may not be up to speed on the security side.
“So you’ve got all of that data potentially sitting on a PC or in a data center behind the scenes,” he noted.
And in a card-not-present environment, he said, agents must have some way to retrieve customer information, which boils down to using account numbers, likely the first choice ahead of credit card numbers or Social Security numbers.
Ah, but by the time the call comes – face to face, or voice to voice, so to speak – things have escalated to a new level of urgency, where consumers are rather fatigued from repeating those numbers.
The expectation is that the same data should transfer right alongside the consumer from department to department, noted Brown – but the friction-filled process remains stubbornly in place.
“There’s no magic change to that, unfortunately, just yet,” he told Webster.
Chalk it up to a lack of integration, said Brown.
“It’s the piece that causes the most frustration, because nobody wants to go [that route], but it’s really a technology implementation piece rather than anything else,” he said.
Data Point Two: 1 in 500
Kind of a hybrid data point. This is the number of incidences of fraudulent calls that come into contact centers and are flagged as fraudulent.
“It proves that the call center is a high attack point,” said Brown, who added that detection is an art as much as a science.
“There’s a variety of different entry points into a contact center,” he told Webster. “You’ve got voice over IP lines, you’ve got your traditional T1 and voice, you’ve got cellular coming in … trying to figure out where that call originated from is really the art in that early detection. You can build stacks of blacklists of IP addresses and known caller IDs … those [methods] are only as good as the bad guys figuring out they are in a list, and they can spoof that as well.”
And where there’s art combined with science, said the CEO, “you end up with a grading” tied to perceived risk. And after the grading, there tends to be a secondary vetting process based on the quality of what initial forensics has done, said Brown. By way of example, with a grading system of 1 through 5, at a level 3 or above, the system may prompt the agent to do a deeper dive, and thus new levels of identification questions become part of the process.
Noted Webster, only slightly tongue in cheek, the answers to those questions are available on the Dark Web, so the vetting method is hardly foolproof.
Biometrics helps as a line of defense, but even that approach mandates that a relationship (and some level of trust) is established with the caller at the very outset of the interaction, said Brown.
Data Point Three: 40 Percent
Webster noted the Verizon data point that states that 40 percent of retailers, restaurants and hotels taking card payments are not PCI DSS compliant. The Verizon study further suggests that half of those who are in compliance fall off the compliance bandwagon within a year.
There may not be a direct correlation or read across to call centers, said Brown. For the aforementioned verticals, every point-of-sale piece needs to be potentially upgraded or replaced. And yet, change happens in organizations, and change begets … inadvertent dropping of the compliance ball.
“Changes in systems and [introducing] new systems into the environment, along with changes in personnel … all of a sudden, you may allow things to fall out of compliance just because there’s a lot going on,” noted Brown. “It’s an ongoing effort to keep that data sensitive and protected.”
Call centers themselves may opt to hand off the sensitive stuff elsewhere, said Brown, a process akin to “We’re going to send you to this entity in a service bureau that essentially has all of the PCI compliance, and their specialty is just simply taking payment.”
But for those call centers that focus on both security and service, Brown said two-factor authentication is a good process – one where the consumer calls into the call center, which in turns shoots something to the consumer’s smart device. In tandem with, say, security protocols on the device itself (via retina or fingerprint scans), early fraud detection is strengthened. Tokenization also has a place, where it can be tailored to a particular consumer at a particular location.
“Good upfront detection helps the internal data protection,” he told Webster.