Chief Security Officer
This month I had the chance to sit down with Aaron Lumnah, Senior Manager of Demand Generation at Semafone, and ask him a few questions about protecting payments made over the phone.
Noah: What challenges does Semafone typically help organizations solve?
Aaron: Semafone helps contact centers secure sensitive personal information taken over the telephone. Our patented data capture technology uses DTMF masking and allows customers to enter their numeric information over the phone while keeping it out of the contact center infrastructure entirely. As a result, organizations are able to significantly reduce the cost, scope, and complexity of compliance with industry standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS) in the case of taking payments.
Noah: What unique challenges do you see in the healthcare payments industry?
Aaron: Given the extremely sensitive nature of the data they process—social security numbers, bank details, payment card numbers, medical records & claims and other types of personally identifiable information (PII)—the healthcare industry is particularly fraught with risk and is a major target for hackers. A recent study published in JAMA found that healthcare data breaches increased by nearly 73 percent between 2010 and 2017, while the HIPAA Journal reports that these incidents are occurring at a rate of more than one per day in the U.S. alone.
At the same time, while not specific only to healthcare, the shift to EMV chip cards decreased the rate of point-of-sale fraud, but conversely increased the rates of card-not-present (CNP) fraud. This presents issues for contact centers, who, by their nature, exclusively process CNP transactions.
Additionally, we’ve found that many healthcare organizations still use legacy systems or architectures in their IT environments, which leave vulnerabilities for hackers to exploit. Using encrypted devices and employing data masking technologies can go a long way in protecting the contact center.
Noah: Why do you think the call center presents a point of vulnerability for payments?
Aaron: Call and contact centers are major hubs for customer information, and depending on the size of the organization, can be sitting on massive troves of Personally Identifiable Information (PII) at any given time. Most contact centers keep recordings of all their calls for various purposes, and for this reason, PII can be inadvertently captured and stored in databases, oftentimes with lax security controls. When collecting payments over the phone, Semafone has found that the vast majority of organizations require customers and patients to read their payment card numbers aloud over the phone, which then make their way onto call recordings. Data hackers know this and look at contact centers as an easy target to make a quick buck. In healthcare organizations in particular, patients also call in and often share Protected Health Information (PHI), which is subject to oversight under HIPAA, adding another layer of complexity and hazard to an environment already mired in risk.
In addition, inside actors prove to be another major threat requiring attention. A staggering 58 percent of healthcare data breaches are caused by individuals inside the organization – essentially, anyone with access to patient data can pose a risk.
Noah: What is DTMF masking, and what are the benefits?
Aaron: DTMF stands for dual-tone multi-frequency masking. This technology allows healthcare organizations operating contact centers to take payments and other numeric information over the phone. The process is simple. When a patient is ready to make a payment, the contact center agent enables Secure Mode on their desktop application. The patient is then able to enter their payment card number on their telephone keypad. While this is happening, the system masks the (DTMF) dial tones so they all sound like zeroes or ones, and at the same time replaces the digits on the agent’s desktop with asterisks. The agent stays on the line with the patient for the entire duration of the call, allowing them to help troubleshoot should any issues arise. When the patient is done entering their payment card information, the system then passes it directly to the payment service provider (PSP), bypassing the contact center infrastructure entirely. Because the card data is masked and encrypted, it is never held or stored on call recordings or any other business systems.
DTMF masking offers many benefits. On a customer service level, DTMF masking solutions allow for a more seamless patient payment experience, alleviating the need to transfer a patient to a dedicated payment line or an IVR. We’ve also found that it can reduce Average Handling Time (AHT) and increase First Call Resolution (FCR) rates, shortening the length of time it takes customers to resolve their issues and lowering operating costs inside the contact center. From a compliance standpoint, DTMF masking allows for complete PCI DSS-compliant payments over the telephone. Additionally, there is no need to pause the call recording for the duration of the transaction, allowing companies to maintain full recordings for the purposes of quality assurance, dispute resolution, or even compliance. From a security standpoint, because the payment card information is never entering the contact center infrastructure, the risk of losing this information in a data breach is greatly reduced. After all, as we like to say, they can’t hack what you don’t hold!
InstaMed has leveraged integration with Semafone to deliver InstaMed VoIP Protection to healthcare organizations. This technology delivers a fully secure answer to payments made over the phone. Watch our webinar to learn more about how healthcare organizations can protect payments made over the phone with InstaMed VoIP Protection.