Expert insights – Neira Jones on GDPR, DTMF masking and the future of payment security

Expert insights, PCI DSS

Expert insights – Neira Jones on GDPR, DTMF masking and the future of payment security

This is the first in an occasional series of blogs in which we interview payment industry experts and thought leaders to get their perspectives on current issues facing the industry. Our first interviewee is Neira Jones, independent advisor and international speaker.  

Could you start off please just by telling me a little bit about your background and how you’ve come to be involved in the payment security industry?

I have always been a technologist. I was in IT for a very long time, aeons ago I was actually a programmer, then an analyst. I’ve always been in financial services either for retail banks or for technology companies on the supply side of retail banking.

Round about 2008, card payment entered my consciousness and I found it interesting enough that it lodged in my mind as something to investigate further. Around that time, I approached Barclaycard as a specialist in change and organizational management with a keen interest in payment.

I knew very little about PCI DSS at that point. I always had this idea, having never been involved in security, that it was quite a boring area but I really wanted to work for Barclaycard and really wanted to get involved in payments, so I thought “This is a programme I can do something with. It’s about change. I can do change, and I can always move on from security.” So, I became director of Payment Security and Fraud and in fact PCI DSS became one of my favourite things!

Very rapidly I realized that payment security was only a small part of overall information security, so I started getting interested in that alongside my interest in payments. I ended up spending five years at Barclaycard where I thoroughly enjoyed myself. Eventually it was time to move on and I’m now an independent consultant looking at all aspects of payment digital innovation including risk, cybercrime, fraud prevention, payment security and all these other things.

I’m thoroughly enjoying myself because information security and financial services are actually intrinsically linked. I’m also very interested in the regulations around all of those, which makes for a very interesting working day.

What would you say are the main challenges that face organizations who are trying to ensure card security these days?

The main challenge for organizations trying to achieve card payment security is to avoid falling into the trap of only looking at card security. What I mean by that is that you can no longer just look at card security alone. There are many reasons for this but the most pressing one currently is the regulatory landscape. We’ve got the general data protection regulation coming up, we’ve got the payment services directive already in force since January of this year, we’ve got the fraud and anti money laundering regulations, which are also similar.

All of those put immense regulatory pressures on organizations. Those who only look at card payment security will learn that having siloed regulatory programmes or initiatives that don’t talk to each other is very inefficient and means that you end up making numerous investments in lots of similar things.

I think the challenge really is to look at the regulatory environment and certainly the security and fraud prevention environment in a holistic fashion, not only from a regulatory standpoint, but also from a customer experience standpoint.

You have seen all sorts of new jobs coming to the fore because of the plethora of data. Obviously, you’ve seen the recent data privacy scandals at various social media companies. So organizations are now quite scared and sometimes don’t quite know what to do to put the appropriate risk management procedures in place to manage that very complex regulatory landscape whilst remaining competitive with all the new entrants who are not burdened by legacy infrastructures and can make use of new technologies quite well.

GDPR presumably has made card security much more of an issue for organizations.

Absolutely. GDPR, in my opinion, is absolutely in line with card payment security, certainly with the definitions of personal data and sensitive personal data that have now been clarified by the regulation in the UK enacted under the data protection laws. Yes, it has put tremendous pressures on organizations.

What remains slightly puzzling to me is that in the UK certainly, many organizations, in their current practices, are not even compliant with the current data protection and privacy regulations. The global impact that the GDPR is having, compounded by the fact that we have seen many very high profile data breaches in the last year or so, means that organizations are waking up to something they should have been already very attuned to.

How much awareness is there of PCI DSS in the market? Is that something that merchants take seriously?

If you talk about the market globally, I would say those who should be aware of PCI DSS are very well aware of it. Anyone who is outside the card payment ecosystem probably has a vague awareness of it but it doesn’t really apply to them, but for those who are in the card space yes, they very much know about PCI DSS. Whether they comply or not is another matter though, particular in the SME space.

What I think is happening is, because the GDPR is so wide-ranging and applies to so many organizations including small and medium enterprises, those organizations are now starting to look at the data they’re collecting and to think about what they’re doing. The GDPR has a beneficial side effect because the way that it defines personal information and sensitive customer information is actually pushing more awareness of the PCI DSS.

Even if small organization don’t comply or don’t see the point, by the very fact that cardholder information is indeed personal information linked directly to a person, then by definition and by osmosis, they will start protecting that information as well, or certainly be aware that they should be protecting it.

Do you think that merchants or call center managers are still seeing PCI as a cost or is there a move toward seeing it more as a benefit now?

That’s a hard one because specifically for call center managers, more so than in any other channel, friction is extremely important as a KPI. We want to have as low an average handling time as we can, whilst being helpful and maintaining a seamless customer experience. If you overlay over all of that the security layers that you need to put in place then it may, if not implemented properly, basically increase your AVH, which will certainly be an operational concern in call centers.

Having said that, there is a silver lining to all of this which is the availability of cloud-based security offerings which can ease the burden of deployment. Still cloud deployments are not as prominent as on premise deployments for such solutions but there’s a definite opportunity here as these kinds of solutions can help.

Also, what I think we will see happen is more and more use of innovative technologies such as biometrics in the call center to speed up the authentication process and release the agent from having to deal with security themselves, shielding them from all of that by deploying technologies that can help customer experience.

Are technologies like these the best way to tackle PCI DSS for contact centers?

Absolutely, I think that would be a definite help. The market is not heavily penetrated yet so there is still very much potential for growth. It’s happening very slowly in the call center arena as opposed to in other channels and industries.

Why do you think that is?

If we compare merchants in call centers to other card not present channels such as e-commerce, e-commerce merchants have been incentivised to deploy security measures for authentication such as 3D Secure (e.g. Verified by Visa or Mastercard Secure Code) to reduce fraud rates. That incentive is the liability shift.

When you’re a merchant and you take payments online then, if you do it according to the operating regulations using something like 3D Secure, then the liability passes on from the merchant to the issuer. By the very fact that the merchant has deployed the capability, should the transaction prove to be fraudulent, the merchant is covered due to the liability shift.

Unfortunately, that is not the case in the call center. Whilst an online merchant can make a justified investment in security technologies on the back of getting a liability shift and reducing their fraud rates in that way, in the call center any investment you make in security currently, you don’t get any liability shift. Basically, it’s your investment and therefore it becomes a risk call for the call center. They may very well make the decision that because of the fraud rates are so low compared to the volumes that they get, then commercially it is perhaps not viable to invest in security technology.

Will there be more of a push from consumers?

If you had asked me the question two years ago, I would have said, “No, not really,” but you’re asking me the question now in 2018 a few days away from the 25 May which is when the GDPR comes into force. For the past year, there has been tremendous awareness of data privacy issues. Consumers are now becoming more aware and data privacy is now in the public consciousness. I’ve seen it in my personal life when I’ve been with some of my friends dealing with companies on the phone, asking questions that they would never have asked two years ago, saying, “Why are you taking this information and why do you need it,” or, “I’m not comfortable with giving you this information.” This is happening more and more.

So, going back to what I said earlier about security investment being a risk decision in the call center, certainly consumer attrition and the value of transactions and so on and so forth may very well be a factor when measuring such investment in the future.

Is there an issue with merchants or contact center managers not necessarily understanding the different methods of tackling PCI, maybe thinking that something is secure and that they’ve done the job when actually they are still in scope?

Yes, absolutely, and you can see that by the fact that there’s still a predominance of pause and resume deployment in the market. Perhaps call center managers aren’t yet aware that there are other things or maybe they can’t justify the investment, but I think come 25 May, many organizations will have to look at their operations.

How well understood do you think that DTMF masking technology is in contact centers?

Looking at the market, I don’t think it’s yet very well understood. It’s been around for a few years. I’ve been talking to your company for quite a while now. We’ve been talking about DTMF masking as far back when I was at Barclaycard. Back then it was really new and I think still now, when you look at organizations that provide such services, we can count them on the fingers of one hand.

Do you see DTMF masking as having the possibility to become a standard method of payment in the same way that maybe chip and pin is or for contactless cards for retail?

I would like to think so. The GDPR says things to the effect of “you can use mitigation technology to protect the information of individuals” and it gives examples. It doesn’t mandate technology but it gives examples of suitable technologies. Those suitable technologies are obviously encryption, tokenization, anonymization, pseudonymization.

I would really very much like to see DTMF masking as well, as one such mitigation technology, because it is.

When it comes to a proper incentive for call centers to deploy such technology, that would change. Unfortunately, that is not here yet. It’ll either come as regulatory pressure or consumer pressure whichever one will be the greatest.

Are there other technologies on the horizon? You mentioned biometrics earlier, for example. Are there other technologies you can see that might be used to tackle fraud in contact centers?

Absolutely. Technology evolves very rapidly. There are quite a lot of interesting things happening in the digital identity space around authentication and verification including biometrics but also machine learning and artificial intelligence. When you’re trying to prevent fraud it’s a matter of understanding who you’re dealing with, not just when it comes to dealing with payments but also as it relates to anti money laundering requirements as well as other industry-specific regulations such as in the gaming industry where KYC [know your customer] is extremely important. There are quite innovative ways of understanding and recognizing that who you’re dealing with is really the genuine article.

So new technologies such as AI, biometrics, behavioural analytics are all very relevant for the call center. However, call centers are slow in adopting those things, certainly in the UK. In other countries, I believe it is different. Call centers here are still very traditional and not much investment is placed in innovative technology because pause and resume is still predominant. Hopefully that will change over time as call center operators become aware of other technologies such as DTMF masking, AI, biometrics and so on.