Identity theft is one of the fastest growing crimes in America and the world. According to an exhaustive study funded by the Federal Trade Commission, 8.3 million people — or about one out of 25 adults — were victimized by identify theft in 2005. Estimated losses were $15.6 billion. The three major sources of fraud were new accounts, misuse of account numbers and misuse of credit cards and credit card account numbers. The most prevalent source was misuse of existing credit cards. While most victims report small or no out-of-pocket costs, one out of 10 incurred expenses of at least $3,000 and spent at least 55 hours of their own time resolving problems like replacing lost documents or restoring damaged credit ratings.

In December, 2006, TJX Companies, which is made up of several popular retailers including TJ Maxx and Marshalls, admitted that hackers placed software on the company’s network to capture data from at least 45.7 million customer credit and debit cards. Some numbers were used to make fake credit cards, which law enforcement authorities said were used to buy millions of dollars in expensive electronics from Wal-Mart and other retailers in Florida and elsewhere. According to the Boston Globe, several analysts estimated TJX’s costs could run as high as $1 billion, including legal settlements and lost sales.

So what has all this have to do with call centers? Actually — a lot. Call center agents, particularly those tasked with generating revenue, often have access to personal information such as credit and debit card numbers, banking accounts and social security numbers. A British newspaper investigation revealed that customer details, including bank accounts, passport numbers, mobile numbers and even medical records, can be bought from poorly paid Indian call centre workers for small amounts of cash. The paper reported that its investigator was able to buy financial details of 1,000 people for only $5 per contact.

To combat identity fraud, the major card issuers including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, formed the Payment Card Industry Security Standards Council (PCI-DSS). The council is responsible for issuing and maintaining industrywide data security standards. Previously, each card issuer had its own standards.

The data security standard (PCI-DSS) is freely available (https://www.pcisecuritystandards.org). Enforcement is via contracts signed with the card issuer. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. The card issuers can fine

Early in 2007, Minnesota became the first state to codify certain requirements of the PCI-DSS. Under the state’s new Plastic Card Security Act, any company that suffers a data breach and is found to have been storing prohibited card data on its systems will have to reimburse banks and credit unions the costs associated with blocking and reissuing cards. Such companies could also be subject to private action brought by individuals who might have been affected by a violation of the state law. Companies handling fewer than 20,000 payment card transactions per year are not liable under the law.

Other states have pending legislation. At the federal level, Senator Patrick Leahy (D-VT) has sponsored the Social Security Number Misuse Prevention Act. Social Security Number Misuse Prevention Act amends the federal criminal code to prohibit the display, sale or purchase of Social Security numbers without the affirmatively expressed consent of the individual, except in specified circumstances.

Payment card industry standards are just one of many industry and regulatory initiatives intended to protect personal identity. Contact centers need to be aware of the requirements that apply specifically to their environments and have a program for achieving compliance. At a minimum the program should include:

• In-depth reviews with in-house IT staff and compliance officials;
• Examination of pre-employment screening practices;
• Research into technologies and applications that encrypt or conceal sensitive information;
• Exploring ways to confirm caller identity without requiring protected information;
• If you use outsourcers, make sure that they are compliant with applicable requirements and are rigorous in hiring practices and internal security;
• Do not use default passwords; and
• Have a clear written policy regarding the processing of credit/debit cards and be sure everyone understands it.

The contact center is only one function in the enterprise that may have access to protected information. Compliance initiatives need to address the enterprise as a whole.

The Pelorus Group is an independent market research and consultancy company serving the financial services and telecommunications industries. For more information, visit www.pelorus-group.com.