Securing Credit Card Voice Transactions

Written by

This afternoon, I met the CEO (and co-founder) of Semafone, Tim Critchley. When the invitation to interview him landed in my inbox, I was all set to turn it down. As Critchley himself admits, call centre security is “far from sexy”, and it’s not a topic that had ever occurred to me would be interesting.

I don’t know what stopped me from declining this meeting, but luckily my instinct got the better of me. Semafone, quite uniquely, is founded by a trio of “non infosec guys.” Critchley describes himself as a “call centre guy who understands security and compliance problems” and an entrepreneur, but not an information security professional.

To put it quite simply, (and for my brevity I apologise, but for more details visit www.semafone.com) Semafone is a secure call centre voice transactions company that protects over-the-phone credit card payments. How? An operator will ask the customer to type in their credit card digits on the keypad rather read them vocally (and hears a flat tone as the customer types in their digits). The [tokenised] details are trapped and made available to the payment system only.

The security of telephone CNP (Cardholder Not Present) payments, without technology such as Semafone, says Critchley, is actually a serious problem. There are several reasons for this information security concern. Firstly, call centre staff are typically poorly paid and thus unmotivated. The act of stealing – and selling – customer credit card details therefore becomes a bigger temptation and a bigger issue.

Secondly, thousands of computers are running on one network, with credit card details “floating around and accessible to operators.” Other challenges include data in transit, card data being sniffed on the telephony network, and hacked telephone lines where calls are silently monitored.

Semafone’s marketing suggests that its greatest selling point is that it addresses and enables PCI compliance. Critchley admits that most of their clients become clients “re-active to PCI-DSS”, but insists its “pro-active to a breach.” I consider debating and challenging this loyal statement, but bite my tongue. Us infosec people are so cynical, aren’t we?

Critchley’s main piece of advice in relation to PCI compliance - which he praises for “doing a phenomenal job creating a bar” – is to “remove as much card data as possible from your environment. You can’t secure it all, so reduce the amount of data stored and process it outside of your environment.”

It all makes complete sense. I’m surprised at myself for not given telephone payment security the time of day before now, and the ‘solution’ (I hate that word, apologies) seems glaringly obvious.

Just one thing strikes me as concerning about the Semafone business model: Are telephone payments becoming redundant given the huge evolution in e-commerce and the willingness of people to shop online? “Maybe in twenty, thirty year times that may be true. It’s a generation thing – the younger generation are more likely to shop online”, Critchley tells me. But for now, he is confident that the one billion credit card payments taken over the phone every year in the UK will keep Semafone – and himself – busy.

“Call centre seats and phone payments are an important part of customer service. So many online sales are lost at point-of-sales due to confusion or unanswered questions, so being able to take payment over the phone whilst clarifying any answers is crucial”, he says.

Last year, Semafone received a £1.5m investment which has enabled the expansion of the company in terms of headcount, turnover and in winning overseas business (namely in Australia and Canada). So what’s next, I ask.

“I’d like Semafone to be the default method of taking payments over the phone. I find it inconceivable that people will be taking card payments via phone [without security technology] in five years’ time”, he tells me.

And in his wildest dreams? “I’d like to crack phone call authentication. Not reinvent the wheel, but make authentication available while someone is on the phone.”

Perhaps the dream is not all that wide given that Critchley is the man that “invented the iPhone that wasn’t actually the iPhone before the iPhone was invented.” Despite his entrepreneurial flair, however, Critchley “likes to finish projects and execute things”, so Semafone it seems, may have its co-founder and CEO for a little while yet...

 

What’s hot on Infosecurity Magazine?