Tokenization: The Security Key For Call Centers

Call centers are fast becoming a fraudster favorite. Why? Because they’re just so darn inviting. Committing fraud over the phone in a call center environment represents a path of least resistance as other popular fraud targets ramp up defenses.

As with any industry, the real challenge is striking that perfect balance between security and convenience. Call centers, merchants and others are now turning to tokenization to reduce or remove friction while enhancing interaction security and PCI compliance.

IntraNext and TokenEx have just teamed up in an effort to address this issue and push tokenization as a best practice across the board.

In a recent interview with Karen Webster, IntraNext CEO Patrick Brown and TokenEx Co-Founder Alex Pezold shared how tokenization can protect callers phoning in to call centers, why it’s important and what organizations must sacrifice to introduce it (spoiler alert: nothing!).

How Tokenization Protects Callers

Pezold explained that the new system creates the ability for call center agents to select the credit card number for the customer straight from the back-office automatic call distributor, immediately tokenize it and reintroduce it to the environment in a form that is more secure because it has no value outside that environment.

“In a persistent state,” Pezold said, “the token is only valuable through that business and its relationship to the processor. So, that token is useless anywhere else.”

By “persistent state,” he means that whenever the same card is entered, it generates the same secure token. The system stores only enough data elements to identify the user — say, the first or last four digits of the token — so that, if the caller wants to change or add to his order, the card can be charged a second time without pulling the credit card number back into the environment, which reintroduces the PCI scope. The actual sensitive value is forwarded to the service provider who needs it rather than floating around the call center’s system.

In other words, said Pezold, “Tokens are specific to the vault in which they’re stored; they’re specific to the merchant. Trying to use it elsewhere creates a cross-domain tokenization scenario. The worst-case scenario would be that the fraudster could go back and buy more from that merchant, but not from anywhere else.”

Single Vs. Multi-Use

All of the above pertains to multi-use tokens — that is, ones that are partially stored in the system to facilitate frictionless future orders. It is possible to create single-use tokens, which are generated anew each time those credentials are entered, regardless of whether the credentials themselves are new.

Single-use tokens are extremely beneficial in eliminating fraud at call centers, Pezold said, but there are advantages to multi-use ones. Organizations with a certain risk appetite like being able to take advantage of the business analytics offered by multi-use tokens, he said.

Single-use tokens also generate a lot more data, he added. Merchants who don’t have recurring billing are often more open to the idea, while those with recurring billing aren’t too keen on having to store unique data that single-use tokens would generate with each billing cycle.

Conversely, Pezold said an industry like insurance is unlikely to ever forsake the multi-use token. Insurance companies have too much sensitive data: card numbers, ACH information, privacy data. It’s no easy task securing all that, and adding single-use tokens to the mix would simply crowd the data vault.

Beyond Credit Card Numbers

Credit card numbers aren’t the only sensitive information call center agents may need to obtain from callers. Some providers, like TokenEx, are able to tokenize other data sets that call centers and their customers may want to protect: driver’s license numbers, Social Security numbers, country identifiers and ACH information, just to name a few.

“People can’t adopt tokenization of personal identifying information fast enough,” Brown said. “Everybody hates giving out their Social Security number.”

Privacy requirements are becoming more stringent in call centers of omnichannel merchants and service providers.

New General Data Protection Regulation (GDPR) standards are rolling out in May, but Pezold said the industry is already seeing the effects of the new requirements, and that will only grow more pronounced as call centers find their traditional tokenization partners struggling to support newer strategies.

The Tradeoffs

Brown and Pezold said there are none — or, at least, there don’t have to be.

Because the card number can be pulled straight from the automatic call distributor CTI system, Brown said it negates any extra work customers may think they’d have to do to integrate a new tokenization solution. They don’t have to modify work stations or networks, because all that’s floating through the system is a valueless token.

Pezold said no latency is added to calls by this process, and call duration need not be extended. Therefore, the overhead cost is not impacted, and the burden on the people doing the process is slight.

That doesn’t mean call centers can start shedding employees, Brown said. This isn’t an automation element that cuts rote tasks out of the workflow. However, there are cost savings to be had.

“We’re streamlining the security component, and often can reduce call transaction time,” Brown said. “The cost savings also come from reducing cyber insurance premiums and PCI costs.”

If new flows are implemented correctly, Brown and Pezold said, the consumer should never know the difference. They can simply “Press 1 to use card ending in 1234” or “Press 2” to use a different card.