Perhaps the most confusing challenge of safeguarding call center card-not-present transactions is the sheer number of potential breach points. While you're installing deadbolts on the front door, someone is jimmying a window on the second floor, and yet another attacker is picking through your trash for personal information. With each big, dramatic headline, call center executives breathe a sigh of relief that it happened somewhere else, while still wondering whether the next one will be here.
The 2015 AT&T breach at call centers in Mexico, Colombia and the Philippines underscores just how difficult it is to anticipate where tomorrow’s attack will come from. In that case, call center employees were bribed by mysterious cyber crooks — one known only by the name El Pelon — to divulge the cardholder information of approximately 280,000 customers. It’s difficult to imagine how AT&T could have prevented a breach that preyed on the one vulnerability point that can never be 100% protected: human weakness. Even so, it cost the telecommunications giant $25 million to settle the case with regulators.
Given the difficulty of defending every one of those paths, call centers are adopting a different approach to the problem. Prevention will always be the first line of defense, but alongside it they are deploying solutions that render card data useless if it is stolen during capture, processing or transmission. Point-to-Point Encryption (P2PE), and the closely related End-to-End Encryption (E2EE), encrypt the card number at the moment it is captured, under keys the merchant's own systems never hold; only the payment processor or P2PE provider can decrypt it. What passes through, and is stored in, the call center is ciphertext, which an attacker cannot turn back into the card number without the decryption key. (Tokenization is a separate, complementary technique: after decrypting and authorizing, the provider hands back a randomly generated token the merchant can use for refunds or recurring billing. That token carries no card data at all, so stealing it yields nothing.)
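The flow described above, as an added illustration that is not code from the original page or from any P2PE vendor: a capture point encrypts the card number the instant it is taken, the call center's own systems only ever store ciphertext plus the last four digits, and only the processor's environment can recover the PAN. For simplicity it uses a single AES-256-GCM key held in memory; a PCI-validated P2PE solution keeps its keys in tamper-resistant hardware and typically derives a fresh key per transaction (DUKPT). The type and function names (CapturePoint, Processor, Encrypt, Decrypt, MerchantRecord), the transaction IDs and the 4111 test PAN are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Encrypted is the only form of the card number the call center's own
// systems ever see and store. Type and field names are assumptions.
type Encrypted struct {
	Nonce      []byte // fresh random nonce per transaction
	Ciphertext []byte // AES-GCM output with the authentication tag appended
	Last4      string // cleartext last four digits, permitted for display
}

// newGCM wraps a 16-, 24- or 32-byte AES key in an AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CapturePoint stands in for the encrypting device or softphone at the
// agent's desk. It holds the key injected by the P2PE provider; in a
// validated solution that key lives in tamper-resistant hardware.
type CapturePoint struct{ aead cipher.AEAD }

func NewCapturePoint(key []byte) (*CapturePoint, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &CapturePoint{aead: aead}, nil
}

// Encrypt seals the PAN the moment it is captured. The transaction ID is
// bound as associated data, so a ciphertext lifted from one transaction
// cannot be replayed under another without failing authentication.
func (c *CapturePoint) Encrypt(pan, txnID string) (Encrypted, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Encrypted{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Encrypted{}, err
	}
	ct := c.aead.Seal(nil, nonce, []byte(pan), []byte(txnID))
	return Encrypted{Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// Processor stands in for the P2PE provider's decryption environment, the
// only place the key is ever used to recover a PAN.
type Processor struct{ aead cipher.AEAD }

func NewProcessor(key []byte) (*Processor, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: aead}, nil
}

// Decrypt recovers the PAN. A wrong key, a modified ciphertext or a
// mismatched transaction ID all fail the GCM tag check and return an
// error instead of plausible-looking garbage.
func (p *Processor) Decrypt(e Encrypted, txnID string) (string, error) {
	pt, err := p.aead.Open(nil, e.Nonce, e.Ciphertext, []byte(txnID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MerchantRecord is what a database dump from the call center would yield:
// ciphertext plus last four, nothing an attacker can turn back into a PAN.
func MerchantRecord(e Encrypted) string {
	return fmt.Sprintf("nonce=%s ct=%s last4=%s",
		hex.EncodeToString(e.Nonce), hex.EncodeToString(e.Ciphertext), e.Last4)
}

func main() {
	// Constructed key and test PAN; real deployments never hold keys in
	// application code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	cp, _ := NewCapturePoint(key)
	enc, _ := cp.Encrypt("4111111111111111", "txn-1001")
	fmt.Println("stored by merchant:", MerchantRecord(enc))

	proc, _ := NewProcessor(key)
	pan, err := proc.Decrypt(enc, "txn-1001")
	fmt.Println("processor recovers:", pan, err)

	thief, _ := NewProcessor(make([]byte, 32)) // stolen record, no key
	_, err = thief.Decrypt(enc, "txn-1001")
	fmt.Println("thief without key:", err)
}
```

The point to take from running it is the shape of the merchant record: a random nonce, an opaque ciphertext and the last four digits. That is the entire payload a thief, a bribed agent with database access, or a compromised recording system can get from the call center side, and the tag check means a stolen record cannot even be quietly altered or re-attached to a different transaction.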
Is P2PE a silver bullet? No: it does nothing against an agent who reads a card number aloud, or against fraud committed with a valid card. Is it a critical component of an overall call center card-not-present security strategy? Absolutely. It can also reduce your PCI DSS scope, because systems that only ever handle card data they cannot decrypt can be taken out of scope (with a PCI-validated P2PE solution, the much shorter SAQ P2PE applies). Something to think about as we go into 2018, when card-not-present fraud is expected to hit $6.4 billion.