Despite new data security regulations across the EU and the U.S., data breaches are on the rise. In the context of these data breaches, call centers are in a unique and fragile position. Call centers are already vulnerable to traditional data breaches. However, if your identity verification process is weak, your call center could unknowingly provide cybercriminals with access to customer accounts.
How cybercriminals use personal information
Once a cybercriminal steals personal information from a corporation, they will use it in every way possible for personal gain. For instance, they might use Social Security numbers to open credit cards and make purchases. They might also call the victim's bank and attempt to take over the account, armed with exactly the details (name, date of birth, address, last four digits of the SSN) that a typical knowledge-based verification script asks for.
If you’re running a call center, you need a highly secure process to verify the identity of callers that includes information unlikely to be obtained through a data breach. Here’s what you can do:
1. Get validated at PCI DSS Level 1 immediately
Call centers are vulnerable to data breaches just like any other business. Your first priority should be to tighten up your security controls to prevent attackers from stealing your customers' card data. Validating against the Payment Card Industry Data Security Standard (PCI DSS) is the first step. Level 1 is the most stringent validation level: for merchants it applies once you process more than 6 million Visa or MasterCard transactions a year, and a call center that takes payments on behalf of clients is usually assessed as a service provider, where the Level 1 threshold is lower still. Even if your volume does not require it, assessing at Level 1 is the strongest assurance you can give your clients.
PCI DSS has 12 requirements, grouped around network security (firewalls and secure configurations), protecting stored cardholder data and encrypting it in transit over public networks, access control, logging and monitoring all access to cardholder data, regular vulnerability scanning and penetration testing, and maintaining an information security policy. A practical first move for a call center is to shrink the scope the standard applies to: if agents never see or hear a full card number (for example, by pausing call recording or masking DTMF tones while the customer keys in the card number), far fewer systems fall under the 12 requirements.
Level 1 validation, as summarized by Global Response, means a call center must:
- Complete an annual on-site assessment by a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council, which produces a Report on Compliance (ROC)
- Complete quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), plus annual penetration testing (and retesting after significant changes) by a qualified internal or external tester
- Sign and submit an Attestation of Compliance (AOC) together with the supporting PCI DSS compliance documentation
Validation ensures you stay PCI DSS compliant and serves as proof of that compliance to your clients and acquiring bank. You can't afford to guess at whether you're compliant on your own. Non-compliance is costly: PCI DSS is not a law but a contractual standard enforced by the card brands through your acquirer, and failing to comply brings higher processing fees, fines passed down by the acquirer, and, after a breach, liability for forensic investigation, card reissuance and fraud losses.
2. Verify uncommon, unique information
Most call centers ask for basic personal information to verify a caller's identity. Unfortunately, that information is exactly what gets stolen in a data breach. For instance, in 2014, Home Depot was the victim of a data breach that compromised customer payment cards. The thieves used the stolen card data against the card-issuing banks' automated phone systems, which let a caller reset a PIN with little more than the card number and details readily found elsewhere, and successfully changed the PINs on the stolen cards.
Take identity verification one step beyond the usual. Require your customers to provide a unique piece of information to verify their identity, something they set up when they open the account rather than something printed on their mail. For example, some credit unions require members to provide a "code word," even in person, in order to access their account without a photo ID.
A code word is only useful if it stays secret. It is stored by the institution that issued it and nowhere else, so a breach at another company does not expose it, but it loses that property if the customer reuses the same word everywhere it is asked for, so encourage a different one. Treat it like a password on your side: store only a salted hash, never show it on the agent's screen, and never let an agent read it to the caller or confirm a "close" guess. Keep in mind that a code word is still something the caller knows, so it strengthens the knowledge check but is not a second factor by itself.
3. Employ multi-factor authentication
Most people are used to multi-factor authentication from social media and online banking: after you log in with a password, you must enter a code sent to you via text message or a phone call. It's smart to set your call center up with the same type of system.
Your two-factor authentication step can be as simple as sending a one-time code to the customer and having them read it back to the agent. Three details decide whether it actually helps. The code must go to the phone number or email address already on file, never to a number the caller gives during the call, or the step proves nothing. The code must be single-use, short-lived (a few minutes) and limited to a handful of attempts, and the agent should never see it. And the channel matters: text messages can be intercepted through SIM swapping or number porting, and email accounts are a frequent breach target, so where you can offer a push notification to the customer's registered mobile app, prefer it, and treat a code-word-plus-SMS check as a floor rather than a ceiling.
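The code-word check from section 2 and the one-time-code step from section 3 fit together into a single verification flow an agent desk could call. The following Python is an added example written for this page, not code from the article or from any call-center product; the account number, phone number, code word "bluebird" and the in-memory "outbox" standing in for an SMS gateway are all constructed for the demonstration. It stores the code word as a salted hash, compares in constant time, generates the code with a CSPRNG, sends it only to the number on file, and discards it after one use, three misses or five minutes.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300        # a code is good for five minutes
MAX_OTP_ATTEMPTS = 3         # then the pending code is thrown away
PBKDF2_ITERATIONS = 600_000  # the code word is a password; hash it like one


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a code word. Only salt and digest are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    account_id: str
    phone_on_file: str   # the only destination a code may be sent to; never a number the caller offers
    code_word_salt: bytes
    code_word_hash: bytes
    pending_otp: Dict[str, object] = field(default_factory=dict)


class CallerVerifier:
    """Two checks an agent runs before discussing an account: code word, then one-time code."""

    def __init__(self, accounts: List[Account], send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts = {a.account_id: a for a in accounts}
        self.send_sms = send_sms   # injected so the example runs offline
        self.now = now             # injected so expiry can be exercised

    def check_code_word(self, account_id: str, offered: str) -> bool:
        acct = self.accounts.get(account_id)
        if acct is None:
            return False
        _, digest = hash_secret(offered, acct.code_word_salt)
        return hmac.compare_digest(digest, acct.code_word_hash)   # constant-time compare

    def start_otp(self, account_id: str) -> None:
        acct = self.accounts[account_id]
        code = f"{secrets.randbelow(10 ** 6):06d}"                 # CSPRNG, not random.randint
        acct.pending_otp = {"code": code,
                            "expires": self.now() + OTP_TTL_SECONDS,
                            "attempts_left": MAX_OTP_ATTEMPTS}
        self.send_sms(acct.phone_on_file, f"Your verification code is {code}. Do not share it.")
        # Deliberately returns nothing: the agent must never see the code on screen.

    def check_otp(self, account_id: str, offered: str) -> bool:
        acct = self.accounts[account_id]
        pending = acct.pending_otp
        if not pending:
            return False
        if self.now() > pending["expires"]:
            acct.pending_otp = {}
            return False
        pending["attempts_left"] -= 1
        ok = hmac.compare_digest(pending["code"], offered.strip())
        if ok or pending["attempts_left"] <= 0:
            acct.pending_otp = {}      # single use; also discarded after too many misses
        return ok


def make_demo_verifier(now: Callable[[], float] = time.time):
    """Constructed sample data: one account whose code word is 'bluebird', plus an
    in-memory outbox standing in for the SMS gateway. Not real customer data."""
    outbox: List[Tuple[str, str]] = []
    salt, digest = hash_secret("bluebird")
    acct = Account("ACC-1001", "+15555550123", salt, digest)
    verifier = CallerVerifier([acct], send_sms=lambda phone, msg: outbox.append((phone, msg)), now=now)
    return verifier, outbox


def extract_code(message: str) -> str:
    """Pull the six-digit code out of a sent message. Only the demo needs this;
    in production the customer reads the code off their own phone."""
    return re.search(r"\b(\d{6})\b", message).group(1)


if __name__ == "__main__":
    v, outbox = make_demo_verifier()
    print("code word accepted:", v.check_code_word("ACC-1001", "bluebird"))
    v.start_otp("ACC-1001")
    phone, msg = outbox[-1]
    print("code sent to number on file:", phone)
    print("code accepted:", v.check_otp("ACC-1001", extract_code(msg)))
    print("replay rejected:", v.check_otp("ACC-1001", extract_code(msg)))
```

The verifier never returns the code to the caller of `start_otp`, which is the point: the agent learns only whether what the customer read back matched. Swapping `send_sms` for a push-notification sender to a registered app changes nothing else in the flow.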
Don’t let your guard down
In 2017, there were more than 2,200 publicly disclosed data breaches in the U.S. that exposed over 6 billion records. That was before reporting requirements were increased.
According to data published by CNN, the average hacking attack costs U.S. companies $15.4 million. Denial-of-service attacks have historically been among the costliest incidents, but a single GDPR penalty can exceed them: a violation can result in a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
Don't let your guard down. You need to protect your customer data not just from intrusions into your own systems, but from callers armed with data stolen elsewhere who are looking to take advantage of call center weaknesses. Verifying callers with a second factor is no longer optional.