When it comes to financial fraud (credit- and debit-card fraud), cybercriminals are shifting their tactics. E-commerce websites were their target of choice, but those sites have become harder to break into, so fraudsters have found new opportunities at companies that rely on telephone commerce.
It is public knowledge that regulatory agencies require certain phone calls to be recorded, and those are typically the very conversations in which Personally Identifiable Information (PII) and debit/credit card data are exchanged. With modern speech-to-text technology, it is relatively simple for anyone with access to a company's archive of recorded calls to transcribe the audio and search the transcripts for PII and card numbers.
To help combat this type of information theft, the Payment Card Industry Security Standards Council in March 2011 revised the FAQ for the Payment Card Industry Data Security Standard (PCI DSS) to state that companies may not retain digital recordings containing sensitive authentication data (such as card verification codes) after authorization if the recordings can be queried. For those interested, the pertinent PCI DSS policies and procedures are available at PCI Portal.com.
To comply with PCI DSS, companies deployed Interactive Voice Response (IVR) systems that collect card details outside the recorded agent conversation. The biggest complaints about this approach are that the customer is required to jump through hoops and the interface is awkward.
CallMiner is a company in Fort Myers, Florida that has a better idea on how to remain PCI DSS compliant and keep customers happy when there is a need to record and retain telephone conversations.
CallMiner's voice-analysis platform, Eureka, is the company's solution for improving contact center and enterprise performance through conversational analytics (text and speech). A side benefit of Eureka is the ability to remove sensitive data from customer communication channels without changes to payment processing applications, agent intervention, or CRM integration.
"CallMiner Redactor uses speech-analytics technology to prevent sensitive cardholder data from being recorded; call recording is automatically muted when account numbers, security codes, and other sensitive information are spoken," mentions Scott Kendrick, vice-president of marketing and product management. "Because Redactor prevents you from recording sensitive payment information, calls are not in scope for a PCI audit."
Image courtesy of CallMiner and Scott Kendrick
Kendrick says that Redactor removes sensitive data from the audio portion of telephone calls in the following stages.
- Stage one: The audio is converted to text by a speech-to-text engine that uses a tuned vocabulary to maximize recognition accuracy. Kendrick adds that this stage produces a time-aligned text transcript that is consumed by stage two.
- Stage two: The locations of sensitive data in the transcript are identified and tagged using a list of language patterns (e.g., credit-card number strings, expiration dates, card verification (CVV) codes, and Social Security numbers). The tagged locations move on to stage three.
- Stage three: Using the tagged locations, the corresponding portions of the audio recording are replaced with silence. The redacted file is then encrypted and written to a cache on a storage device or written back into the source's original database.
Kendrick states that when redaction runs alongside the full Eureka analytics platform, placeholder tokens are substituted in the transcript rather than leaving a gap, so privacy is maintained while the redacted locations remain recognizable in the user interface.
Another compliance problem that CallMiner's Eureka platform can help businesses control is the number of mistakes made by call-center employees. The speech-analytics platform can be configured to flag comments or phrases that, if used, could be construed as out of compliance, and CallMiner's various applications can be configured to alert on any such offense.
The accuracy of CallMiner Redactor
Redaction is only as good as the recognition behind it: any card digits the speech-to-text engine fails to recognize remain audible in the stored recording. As to CallMiner's accuracy claims, Kendrick feels that the company's proprietary pattern database allows Redactor to identify and tag more potentially sensitive data. In addition, Kendrick says there are other checks and balances in place to ensure accuracy, adding, "When a potential area is identified, other patterns are deployed to ensure accuracy and overlap."
Note: Categorization accuracy improves greatly with the ability to identify more complex language patterns, including targeting a location within a contact (for example, the first 10%) and conditional patterns such as language that occurs before or after, or does not occur before or after, other language.
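The three-stage pipeline described above, together with the cross-checks and conditional patterns from this section, can be sketched in code. The following is an added illustration written for this article, not CallMiner's code: stage one is stood in for by a constructed word-level transcript with timestamps (the shape a speech-to-text engine emits), stage two tags digit runs using length rules, a Luhn check-digit cross-check for card numbers, and "keyword before the run" conditional patterns for expiration dates and verification codes, and stage three zeroes the matching samples in a constructed 8 kHz PCM buffer and substitutes placeholder tokens in the transcript. The keyword lists, the context window, the padding and the sample call are all assumptions chosen for the demonstration.

```python
"""Transcript-driven audio redaction (added example; not CallMiner's implementation)."""
from array import array
from dataclasses import dataclass

RATE = 8000          # constructed 8 kHz, 16-bit mono PCM, the usual telephony format
PAD_S = 0.1          # extra silence on each side: word timestamps are approximate
CONTEXT_WINDOW = 6   # assumed: how many preceding words may carry the conditioning keyword

UNITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
TEENS = {"ten": "10", "eleven": "11", "twelve": "12", "thirteen": "13", "fourteen": "14",
         "fifteen": "15", "sixteen": "16", "seventeen": "17", "eighteen": "18", "nineteen": "19"}
TENS = {"twenty": 20, "thirty": 30, "forty": 40, "fifty": 50,
        "sixty": 60, "seventy": 70, "eighty": 80, "ninety": 90}
CVV_CONTEXT = {"security", "cvv", "cvc", "verification"}   # assumed keyword lists
EXP_CONTEXT = {"expiration", "expires", "expiry"}


@dataclass
class Word:
    text: str
    start: float   # seconds
    end: float


@dataclass
class Tag:
    kind: str      # "PAN", "EXP" or "CVV"
    first: int     # index of first transcript word covered
    last: int      # index of last transcript word covered


def build_transcript(text, step=0.4):
    """Constructed stand-in for stage one: one word every `step` seconds."""
    return [Word(w, i * step, i * step + 0.8 * step) for i, w in enumerate(text.split())]


def digit_runs(words):
    """Group consecutive spoken number words into (digits, first_idx, last_idx)."""
    runs, i = [], 0
    while i < len(words):
        digits, first = "", i
        while i < len(words):
            w = words[i].text.lower()
            nxt = words[i + 1].text.lower() if i + 1 < len(words) else ""
            if w in UNITS:                      # "oh" is ambiguous; harmless as a lone "0"
                digits, i = digits + UNITS[w], i + 1
            elif w in TEENS:
                digits, i = digits + TEENS[w], i + 1
            elif w in TENS and nxt in UNITS and nxt not in ("zero", "oh"):
                digits, i = digits + str(TENS[w] + int(UNITS[nxt])), i + 2   # "twenty five" -> 25
            elif w in TENS:
                digits, i = digits + str(TENS[w]), i + 1
            else:
                break
        if digits:
            runs.append((digits, first, i - 1))
        else:
            i += 1
    return runs


def luhn_ok(digits):
    """Card check digit; weeds out phone and reference numbers of card-like length."""
    total = 0
    for k, ch in enumerate(reversed(digits)):
        n = int(ch)
        if k % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def has_context(words, first, keywords):
    """Conditional pattern: a keyword must occur within CONTEXT_WINDOW words before the run."""
    return any(w.text.lower() in keywords for w in words[max(0, first - CONTEXT_WINDOW):first])


def tag_sensitive(words):
    """Stage two: classify each digit run with length, check-digit and context rules."""
    tags = []
    for digits, first, last in digit_runs(words):
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.append(Tag("PAN", first, last))
        elif len(digits) == 4 and 1 <= int(digits[:2]) <= 12 and has_context(words, first, EXP_CONTEXT):
            tags.append(Tag("EXP", first, last))
        elif 3 <= len(digits) <= 4 and has_context(words, first, CVV_CONTEXT):
            tags.append(Tag("CVV", first, last))
    return tags


def redact(words, audio, rate=RATE):
    """Stage three: mute tagged spans in a 16-bit PCM buffer; placeholders replace the text."""
    tags = tag_sensitive(words)
    muted = array("h", audio)                  # work on a copy; caller keeps the source buffer
    for t in tags:
        lo = max(0, int((words[t.first].start - PAD_S) * rate))
        hi = min(len(muted), int((words[t.last].end + PAD_S) * rate))
        for n in range(lo, hi):
            muted[n] = 0
    starts = {t.first: t for t in tags}
    covered = {i for t in tags for i in range(t.first, t.last + 1)}
    out = [f"[{starts[i].kind}]" if i in starts else w.text
           for i, w in enumerate(words) if i in starts or i not in covered]
    return tags, " ".join(out), muted


def synthetic_audio(words, rate=RATE):
    """Constructed audio: a square wave that is never zero, so muted samples stand out."""
    n = int(words[-1].end * rate) + rate // 2
    return array("h", (2000 if (k // 9) % 2 == 0 else -2000 for k in range(n)))


# Constructed sample call: a card number, an expiration date, a CVV, plus a phone
# number and an extension that must NOT be redacted.
CALL = build_transcript(
    "okay can i have the card number please four " + " ".join(["one"] * 15) +
    " thanks and the expiration zero nine twenty five"
    " and the security code on the back one two three"
    " great your callback number is five five five two one two five five five five"
    " extension one two three")

if __name__ == "__main__":
    found, text, _ = redact(CALL, synthetic_audio(CALL))
    print(found)
    print(text)
```

The phone number and the extension survive untouched: the ten-digit run is too short for a card number, and the trailing "one two three" has no "security code" language in front of it, which is the kind of before/after condition the note above describes. Swapping the last digit of the card number so the Luhn check fails leaves the run untagged, which shows why a single pattern is not enough and a second check is applied to each candidate.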
Kendrick noted that CallMiner's PCI DSS compliance was validated in 2010 by KirkpatrickPrice, a PCI Qualified Security Assessor (QSA).