The Call Center: The Perfect Breeding Ground For Retail Fraud

Written by David Taylor
March 18th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Call centers have very high turnover, often more than 30-40 percent per year. Not only do these employees represent your brand, but they also have access to a great deal of confidential data, well beyond card data, which creates significant potential for fraud and theft.

These employees are closely monitored for “call quality” and other reasons. Some studies have suggested that this creates a negative attitude, prompting numerous unionization efforts and increasing the potential for data theft and fraud. These are the classic “disgruntled employees” you’ve heard so much about. If you got yelled at all day because of product failures or promises made by sales, you’d be disgruntled, too.

In addition to monitoring call center employees (audio, video and even key logging), call centers are sometimes classified as “sensitive areas” (per PCI DSS 9.1.1), which has led some companies to build walls and erect partitions to physically isolate the call center, or the specific agents who have privileged access to card data or other confidential data. On the bright side, this can cut down on “shoulder surfing” and other social engineering efforts by disgruntled employees to take advantage of their more “gruntled” (satisfied) colleagues. The downside is that it tends to exacerbate tensions in the group and increase the risk of data theft and fraud.

One of the keys to reducing this risk is to eliminate data access by call center employees beyond the initial typing of the record. Masking 12 of the 16 digits after initial data entry and verification is common in newer call center software. But call quality monitoring software and services will often have access to the full 16-digit number. Some QSAs have viewed this as bringing the entire call quality process, and all of its service providers, into scope. The PCI SSC, however, has stated (in its FAQ) that if the call recordings cannot be queried, they are (in most cases) out of scope for the PCI assessment. In general, older contact center applications and payment processing modules must be upgraded to PA-DSS validated versions (if applicable) or come from service providers that have been certified as PCI compliant.
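The entry-then-mask flow described above, as an added example that is not code from the column or from any call center product. It verifies the card number once at entry (Luhn check digit), returns only the masked form to the agent's screen, and, for the call quality recordings problem, scrubs Luhn-valid digit runs out of a transcript line while leaving order or phone numbers alone. Assumptions not stated in the column: masking keeps only the last four digits (the "12 of 16" the column describes, generalized here to any 13-19 digit PAN), the separator handling, and the constructed transcript line.

```python
import re

# A 13-19 digit run, optionally separated by spaces or hyphens, as an agent
# might type it or as a speech-to-text transcript of a recording might render it.
_PAN_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(raw: str) -> str:
    """Strip spaces and hyphens; reject anything that is not a 13-19 digit PAN."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_ok(digits: str) -> bool:
    """Standard mod-10 (Luhn) check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*' (assumed policy)."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def capture_card(raw: str) -> str:
    """Entry-time flow: normalize, verify the check digit, hand back only the mask.

    The full PAN is what goes to the payment processor at this point; it is not
    part of the return value, so the agent's screen and any later lookup of the
    record see only the masked form.
    """
    digits = normalize_pan(raw)
    if not luhn_ok(digits):
        raise ValueError("check digit failure; ask the customer to re-read the number")
    return mask_pan(digits)


def redact_transcript(text: str) -> str:
    """Mask Luhn-valid digit runs in a recording transcript; leave other runs alone."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _PAN_RUN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed inputs, not real card data: Visa test numbers and a made-up order number.
    print(capture_card("4111 1111 1111 1111"))
    print(capture_card("4222222222222"))
    line = "agent: please read it back: 4111-1111-1111-1111, order 1234567890123"
    print(redact_transcript(line))
```

The transcript scrubber is deliberately conservative: it only touches digit runs of card length that also pass the check digit, so a 13-digit order number that happens to sit in the text survives while the card number is reduced to the same last-four form the agent sees.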

There is growing demand from merchants for outsourcing of confidential data collection, processing and storage. Given that many call centers are themselves outsourced, this creates the potential for confusing subcontracting relationships that are extremely difficult to monitor on an ongoing basis. Any firm that outsources all or part of its contact centers should not only review the contracts for PCI compliance (and subcontracting limitations), but also write into the contracts, and put into practice, a quarterly review by the PCI team, IT security or internal audit. This is critical for the data collected from each service provider, especially where that data concerns how each provider isolates each customer’s cardholder environment, as stipulated in Appendix A to the PCI DSS. When it comes to outsourcing confidential data, remember that if continuous PCI compliance is tough for you as a merchant, just imagine how difficult it is for a service provider that must create and protect “cardholder environments” for thousands of merchants. Ensuring that service providers do this is part of each merchant’s due diligence obligation.

The PCI Knowledge Base is about to launch an investigation of the connection between PCI controls and fraud levels, working with the Merchant Risk Council. We will be talking to many E-Commerce and other merchants about these controls and would welcome the opportunity to speak (100 percent anonymously) with any readers who are interested in this topic. Please send E-mail to


2 Comments

  1. Rob Martell Says:

    WHY are all cubes built to at best, 1980 specs, with my back, and the screen I am working on, facing OUT to anyone who walks by? Aside from the poor design of the cube ergonomically with just about everything at the wrong height, it seems no one is thinking about the real world. But that could just be me.



  2. david taylor Says:

    Well, people have changed a lot since the 1980s. They’re taller now, of course. Plus, back in the 1980s, people’s screens were green and boring; now people can watch us as we play movies on YouTube all day!

