Archive for the ‘Press Releases’ Category

Inhouse or outsource – how charities can meet PCI deadlines

Monday, July 12th, 2010

Today, it’s never been easier to make a charitable donation using your credit card which is why in some cases charities have seen donations increase four-fold in just ten years.
Whilst more money means greater aid, services and support for those that need it most, in many cases the cost of handling calls and processing payments can be extremely high, meaning a significant percentage of each donation is taken to cover these costs.

What’s more, credit card details are now hot property in the criminal underworld and if your charity’s network is attacked by hackers and credit card data is stolen then the results could be devastating.
As you would imagine, the Payment Card Industry (PCI) has been eager to reduce credit card fraud and in 2007 launched its Data Security Standard (DSS), which in short is a set of 16 security measures companies should adhere to in order to ensure that they are adequately protected from hackers.

Whilst PCI DSS was initially voluntary, from the 1st July 2010 it becomes mandatory for every tier 1 business and organisation, with failure to comply resulting in significant fines and in extreme cases the loss of merchant codes.

The main issue addressed by PCI compliance is data storage, making it an offence to store both the credit card numbers and three-digit security codes on your premises, which together could be used to make fraudulent transactions. 

Becoming compliant will depend entirely on whether your charity handles its calls and credit card processing in-house or chooses to outsource. Both have pros and cons and affect the amount of each donation which actually goes to the charity.

Doing it in-house

The biggest factor with building and maintaining your own internal call handling and payment solution is the upfront capital costs, even though IP telephony has really driven down the costs of a managed telephony system.

However expensive the costs of an in-house solution, charities need to take the bigger picture into account and look at the amount charged for call handling and credit card clearing for both in-house and outsourced models.

For example, outsourcing your donation lines to a call centre which answers these calls manually will cost you around £5 per call.  In addition, outsourcing the card processing means you’ll be hit with clearing rates of around 6-7 percent per transaction.

So for a £20 donation the charity might only see about £13.60. Doing it in-house will avoid the £5 call handling fee and see clearing rates drop to just a few pence per donation. Over the course of a year, the savings made can go a long way to off-setting the initial costs of your system.

These costs can be off-set further by automating some or all of the lines used to receive donations, by replacing manual call centre agents with an automated IVR (interactive voice response) system, capable of receiving hundreds of calls and donations simultaneously.

Of course, given the choice anyone would prefer the human touch over an IVR platform, but using PCI compliant IVR ensures that every call is handled first time and processed in a compliant environment.

The truth about outsourcing

Outsourcing offers perhaps a safer option for charities as costs are more controllable and capacity can be scaled up as and when required.

It also eliminates the costs of management, recruitment, HR issues and the need for additional office space, enabling charities to focus on their core business: raising funds and providing a service.

One other thing to consider with outsourcing is that the technology landscape is constantly evolving and by outsourcing you always have access to the latest technology.

However, charities are in a unique position where every penny lost through operational expenses actually affects the lives of individuals, so making the right decisions is important.

The dilemma of whether to in-source or outsource, or have calls automated or answered manually has been recognised by the Charity Technology Trust (CTT), the specialist, independent and impartial organisation which provides technology solutions to the charity sector.
To help charities in this situation the CTT has partnered with BT to launch BT Safe Pay, a dedicated interactive voice response (IVR) system which works with CTT’s CP Terminal card payment processing system and which is fully compliant with these guidelines.

Safe Pay enables charities and other organisations to avoid the expense of using call centres and guarantees that every call is answered. It allows donors to register for gift aid and ensures that once money is pledged, the payment is authorised and deposited with the charity within 48 hours.

Becoming PCI Compliant

Unfortunately achieving compliance isn’t as simple as renewing the car tax or TV license and takes time and resource to complete.  Every charity which hasn’t yet got its house in order needs to start the ball rolling now, not only to protect customers from fraud but also to avoid any applicable fines which may come with the passing of the 1st July deadline.

The costs involved with becoming compliant depend entirely on the reach of your scope, namely the number of contention points in your network where a data breach might occur, so if you handle your donations internally then your scope will be much larger than if you simply outsource.

First off you need to get yourself a good Qualified Security Assessor (QSA), who can hold your hand through every stage in the compliance process. QSAs are trained in the latest compliance legislation and will work through every aspect and contention point within your network and premises.

If you visit the official PCI website you will find advice on finding a QSA plus a list of approved assessors https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml, or you can contact C3, which offers a free consultation service to charities on how best to begin their road to compliance.

Any charity which is concerned about the costs and what level of compliance they require should take the self-assessment questionnaire found on the official PCI website: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

Understanding the process

To become compliant your QSA will want to work through the following aspects of your operation:

Is your network well protected?
Without an adequate or updated firewall in place, your network is going to be wide open to attack from cyber criminals. Once inside, hackers will look to gain access to password-protected areas of your system in search of stored credit card data. Are all areas password protected? Are you still using the default vendor-supplied passwords or using obvious passwords which could be easily cracked?

What about your voice network?
One of the areas often overlooked is the telecoms network, which can carry an awful lot of customer payment card information. Many organisations have managed to remove the call recording of payment card details, but have they considered the telephony-based automated services? These also have to be PCI compliant.

What about other systems or applications?
There are various ways to gain access to your computer system and extract data, such as infection from a Trojan horse virus embedded in an email. This is why the QSA will look to ensure you have a rigorous process in place for checking that antivirus software is updated and all your call centre’s systems and applications are as secure as they can be.

Is the actual cardholder data secure?
During the course of a credit card payment the customers’ details may have to cross multiple open networks before the transaction is complete.  The QSA will want to see robust encryption measures are in use to protect data across the entirety of the transaction. If you are re-billing using existing credit card details then this has to be dealt with in a secure indirect method to be compliant.

The enemy within – protection against internal fraud
Last year a BBC News investigation uncovered a criminal gang selling UK credit card details stolen from Indian call centres, highlighting the risks of fraud posed by staff and individuals within your call centre.

Whilst you might think you know and trust your staff, the QSA will be less accommodating, requiring that a broad range of measures are in place to restrict employee fraud.
The QSA will look to restrict access to the data to only a few employees, assigning every employee a unique ID for computer access, the installation of security cameras and general processes of monitoring who has access to your premises.

Be the fraudster – test your own security measures
The QSA will know that what is secure today may not be secure tomorrow, so will be looking to ensure that your call centre has processes in place to ensure that your systems and access to cardholder data are regularly tested for flaws.

Make sure you have an Information Security Policy in place
Staff move on and positions get refilled so it’s important that your call centre produces a clear document outlining the Information Security Policy. This will be a mandatory requirement for compliance.

Summary

Whilst the decision to in-source or outsource is down to the individual charity, PCI compliance applies universally, and from 1st July any charity which hasn’t yet acted may find themselves in trouble. The scope of compliance will vary between organisations and the chosen technology will have to be scalable to meet current and future applications.

As every charity will need to make at least some operational changes, perhaps now’s a good time to look at the bigger picture and bring in changes which not only ensure that your charity can focus on its core business, but may actually increase the amount of money you have to help those that need it most.

John Wood is Sales & Marketing Director at C3, which provides PCI compliant IVR systems to call centres and has worked with companies to achieve all levels of compliance.

www.c3.co.uk


The aftermath of the General Election

Friday, May 14th, 2010

Last week we witnessed the highest electoral turnout for more than a decade. As a result of various initiatives (TV debates, social media campaigns and adverts in publications like Heat Magazine), undertaken by the Electoral Commission in an effort to persuade Britons to exercise their right to vote, a significant proportion of the population did indeed do their bit for democracy. But despite their efforts, when the big day finally arrived, at 10.00 p.m. thousands of people were turned away from polling stations up and down the country and denied their right to vote, because councils were unable to cope with the increased turnout.
 

A variety of different excuses were used: constituencies running out of ballot papers, out-of-date polling lists, people turning up at the wrong polling stations or turning up without their polling cards. Granted, voters themselves need to take some of the blame – there isn’t really an excuse for turning up without your polling card or going to the wrong place, is there? But after so much campaigning, one would have hoped that the different councils would have been slightly better prepared and had enough reserve staff and desks etc. at their disposal to have coped with the situation.

Under European law, everyone has the legal right to vote and if you are denied this right, you are entitled to sue and claim compensation – in this case the amount could be as high as £760 per person. If all those people who did not manage to vote decide to exercise this right and take further action, it could cost the country a lot of money – as if it isn’t facing enough financial problems already.

This latest cycle of misdemeanours further highlighted the need for modernising our entire voting system, which has been described as being “Victorian” by the media. The Times commented last weekend that our voting procedures are worse than those of many African countries.

When I went along to my local polling station, it struck me how archaic the whole process was. I am amazed that our registration processes still involve pens and papers – I thought we lived in a digital age. Is it not quicker to use computers for cross reference purposes? The electoral register does exist in electronic format after all. What about adding bar codes to polling cards? They seem to work in supermarkets very well.

Modernising administration processes is one thing, but adding more modern voting methods (telephone, text and e-voting) also needs to be considered, especially if politicians want to engage the younger generation. Figures have shown that during the 2005 election, less than 38% of 18 – 24 year-olds voted. There are even case studies that suggest that over half of these young people are not even registered to vote. This is a generation which readily engages with TV voting, so why not adopt similar methods available at polling time? If we did, electoral outcomes could well be comparable to those of the 1970s and 80s – when turnout regularly exceeded 70%.

Take, for example, all those people that queued outside the various polling stations; if phone, SMS or e-voting had been an option, they would have been able to vote. Who knows, the results may even have been slightly different in some marginal areas. People doubt the security of e-voting and phone voting, but let’s face it how secure is our existing system? When you go along to vote, you are not required to show any sort of ID, you could be anyone – and what about postal votes? Incidents of fraud are already being investigated.

Anyway, now we’ve got our Coalition Government we will hopefully see changes to the voting system in this country. Let us also hope that the new powers that be see fit to modernise voting processes at the same time.


Chip and pin technology may not be that safe

Wednesday, February 17th, 2010

Online credit card fraud is always making the headlines. We read something about it in the media almost daily. The online charity appeal for Haiti is a prime example, with cases of banks not authorizing online donations made by some first time donators. http://news.bbc.co.uk/1/hi/business/8463286.stm

According to industry statistics, online fraud costs the average person around £600 per annum – which is pretty shocking! As a result of some high-profile fraud cases, an initiative, known as PCI DSS, has been introduced by the credit card industry to ensure that all online merchants are trading securely and protecting consumer data.

In the States, it is illegal not to comply with PCI DSS standards and even though it is not yet law in the UK, the penalties are pretty severe if you are found to be running a business that is in breach of these standards.
 
What does this have to do with chip and pin I hear you ask? Well I’ll tell you. It was revealed by a bunch of computer scientists on Newsnight last Wednesday (10th Feb), that the trusted chip and pin technology may not be as secure as we might think. Indeed, they’ve suggested it’s so full of flaws that the entire chip and pin system should be re-written!

A couple of years ago, these same computer scientists revealed how criminals were able to tap into the communications between a pin terminal and a customer’s card and read off sufficient information to create a clone card. (Something that has happened to me).

These techies have spent hours hidden away in their laboratory trying to find flaws in chip and pin technology and they’ve found a loophole in the whole system so glaringly obvious it has shocked even them. They’ve found a way to carry out transactions without needing to know a card’s pin.

So how does it work?

Apparently it’s really simple – all a potential thief would need to do is put a stolen credit card into a ‘bog standard’ card reader (something easily obtainable) that’s hidden away (perhaps in a rucksack?). This card would then communicate with a chip that’s running software written by the thieves and controlled from a laptop. The card information could then be hooked up to a fake card, which slots into an actual terminal in a shop.

The process takes advantage of a flaw in the existing chip and pin system and it makes the terminal think that the correct pin has been entered and that the transaction has been authorized with a signature.

The scientists’ theory was put to the test by a Newsnight reporter and his team. They were given permission to try to make fraudulent payments in one of Cambridge University’s cafeterias and they used four different cards to prove the theory. They bought goods with all four cards, using “0000” as the pin number each time. In each instance the chip and pin machine’s print out stated that the purchases had been “verified by pin”.

Granted – these attacks were part of a computer science experiment but the technology that was used to commit the fraud is not rocket science. All you need is for one clever criminal to build a portable device that would enable people to carry out these types of attacks and sell it on the Internet – and this kind of thing happens already.

The laws governing credit card transactions changed in November last year and now the onus is on the banks to prove that a customer has been negligent in the event of a dispute, which is why everyone is taking PCI DSS so seriously – the repercussions are pretty severe if you don’t.

It is fair to say that chip and pin technology has eliminated face to face fraud – but if something is not done about this fundamental flaw in the overall infrastructure that sits behind chip and pin technology, then no one’s card details are safe. It seems to me that a cashless society is still very much a long way off.

Visit our website to find out more about who we are and what we do


Things to think about when implementing Unified Communications

Wednesday, February 10th, 2010

Today’s business environment is very demanding, with businesses under ever-increasing pressure to reduce costs and become more competitive. Its workforce is also becoming increasingly dispersed because people no longer need to travel to the office every day to do their jobs. Provided they have access to the Internet and a mobile phone, they can work from virtually anywhere.

As a result of these changes, a company’s communications solutions must comprise a great deal more than just phone lines and Internet cables. A dispersed workforce is resulting in more and more communications channels being used for business, such as Instant Messaging, SMS, social networking sites like Facebook, Twitter, LinkedIn or custom-developed social media applications.

But while dispersed workforces may result in cost savings for businesses in relation to office-overheads, they can have long term efficiency and profitability implications if the multiple devices (PDAs, BlackBerries, iPhones etc) and communications methods (phone, email, fax, SMS, instant messaging etc), used by employees are not fully synchronized.

C3 has been trading for twenty years and during that time we have installed many thousands of lines of communications technology to many different organisations. We have helped companies in many different markets and we understand the different types of communications issues different businesses may face. Our proven experience means we would like to offer some advice on what to take into account if you are thinking of upgrading your existing unified communications system or implementing a new one.

  • Satisfaction – does your existing unified communications system meet all your requirements?  If the answer is no, then try to identify where the problems and inefficiencies lie and make sure your new solution is flexible enough to meet your specific requirements. Your needs may be very different to those of your competitors, so make sure your new solutions will meet those needs.
  • Value for money – Unified communications systems supplied by larger organizations can have limitations regarding Switch integration and IP suppliers. They can also have a “one size fits all” approach, selling you applications that you don’t necessarily need at an initial stage, making the overall installation more costly.
  • Future proof – IP telephony is definitely the way forward long-term, but are you in a position to implement a complete IP telephony solution at this stage? Many organisations are still using traditional PBX switches (in higher education this figure is 65% for example). They could benefit from a hybrid solution that connects to traditional telephony and IP networks simultaneously, allowing them to make a smooth transition to IP telephony.
  • Multi channel – Does your existing system support all communications methods? It is important that your unified communications system supports the different communications methods used by your customers – phone (be it land line, mobile or soft phone), SMS, Instant Messaging, video. It must also offer your staff versatile unified messaging facilities. They need to be able to access their messages by different means – telephone, Internet, iPhone app etc – and pick up their messages in whatever format they choose.
  • Flexibility – Most solutions offer basic voicemail facilities as standard, but would your organization benefit from other self service applications such as automated help desks or information hotlines running from the same core infrastructure? Easy-to-use back end software is also a very important factor because it means you can react very quickly to external situations – setting up information hotlines advising on school closures due to bad weather for example.
  • Automated payment facilities – many companies offer telephone-based payment facilities to their customers, but under a new standard, known as PCI DSS (set up by the credit card industry), all credit card transactions must be processed in real time and financial data must be managed in a highly secure manner. Payment facilities that do not adhere to these new standards will have very costly implications, resulting in large fines and the loss of merchant codes.

Other things to think about are scalability and stability. It is very hard to predict the future, so a scalable solution that will satisfy your current requirements, but allow you to expand painlessly in the future, is the most cost-effective option. Regarding stability – what would happen if your supplier became involved in an acquisition or a restructuring process and would you be offered the support needed if things went wrong?


C3 granted environmental award ISO 14001

Wednesday, February 3rd, 2010

Following an assessment by an independent body, QMS, Quality Management Systems, C3 is pleased to announce it has been awarded ISO 14001 certification. Only one percent of businesses in the UK have been successful in obtaining ISO 14001 certification to date. This prestigious award is supported by Government and is recognized in over 150 countries world-wide.

Said John Wood, Joint Owner of C3: “We are delighted with the result. We have always been very proud of the products and services we offer our clients and the way we conduct our business with regard to environmental matters. We make every effort to ensure we supply eco-friendly solutions that will help our customers reduce their carbon footprint. Our efforts have finally been recognized by independent experts who are used to judging ISO standards on a daily basis in a wide variety of trades and industries.

“For the third year running we’ve been given a Gold award by BenchmarQ for providing excellent quality of service and customer care to our customers, so to be granted ISO 14001 certification as well is a real honour.”

 
Peter Gamble, who undertook the assessment for QMS Quality Management Systems, paid particular tribute to “the investment in people and training that enables C3 to provide an efficient and environmentally friendly service to its customers.”


Bogus charity appeals

Monday, January 25th, 2010

When natural disasters strike – as the earthquake in Haiti has clearly shown – they usually bring out the best in us; people’s kindness and generosity is at its peak because everyone wants to do their bit to help. Just read the full story about Charlie Simpson, the seven-year-old boy who managed to raise £85K for the Haiti appeal in a single day, by doing a sponsored bike ride around his local park and you’ll see what I mean. His mum put his appeal on the JustGiving website and things just took off from there.

So far donations for the Haiti appeal have exceeded $305 million and, thankfully, the money is still coming in. The death toll is now around 150 000 and more than twice as many people are homeless.

Natural disasters may well bring out the best in people but they also bring out the worst of human traits. There are always those few who are prepared to take advantage of a situation in order to profit from the misery of others and, unfortunately, this latest disaster has been no exception.

Online fraudsters have been quick to exploit the Haiti appeal and the number of bogus charity websites has increased five-fold in the last ten days as these “profiteers” sink to new lows in order to try to con money out of us.

Bogus sites are publishing appeals along the lines of “Please give what you can to help thousands of people in desperate need of humanitarian assistance”. They even suggest how much you should donate and ask you to make donations via bank transfers – something that bona fide charities don’t tend to do. People are even pretending to be victims of the disaster.

Not only does this type of online fraud deprive those who need the help the most, it also leaves the donators themselves vulnerable to identity theft and the huge loss of time and money.

The number of cyber fraudsters trying to take advantage of the situation has been so high this time that the BBC has reported that some online donations to charities helping victims of the Haiti earthquake are being blocked by banks.

 If someone steals your card details, they will often make a charity donation with your card to make sure it works properly before using it to buy stolen goods. The information needed to process online donations is minimal and authorization is generally granted. There is no need for a complex refund process because nothing has been bought.

So what can we do in this cruel world of ours if we want to make a donation?

Firstly, if you think a charity website is not genuine, you should visit www.charitycommission.gov.uk to check its authenticity. You should also report the situation.
Secondly, you must never make a donation by responding to an email – a classic fraudster trick.
Thirdly, you should be wary of the street collectors – if you don’t think they are genuine, then don’t donate.

C3’s automated IVR and card processing platforms have been used to support online and phone based charity appeals for many years. Our equipment has helped raise millions of pounds for a number of worthy causes including the Tsunami disaster of South East Asia.
 
If you are involved in online payments, we can help you ensure all your transactions are being processed securely, and in real time, thus minimizing the risks of fraud. Check out our website to find out more about who we are and what we do.


iPhone apps and the corporate world

Tuesday, January 19th, 2010

I’ve always associated iPhone apps with the consumer market. However, after recently attending the AUA University Telecoms Conference, it has come to my attention that iPhone apps and social networking are at the forefront of everyone’s minds in Higher Education.

Students are choosing universities based on their ICT facilities; universities are actively engaging with existing and prospective students via Facebook, gap year students are keeping in contact with friends and lecturers via social media and undergraduates are setting up friendship networks before even arriving at their chosen universities, using them as a means to find prospective flatmates or different social clubs, for example.

Future IT strategies of our good old “red brick” universities are including the incorporation of iPhone and other Smart phone apps in their overall communications infrastructure. A significant proportion of delegates at the conference were iPhone owners – an interesting trend – because, to me, it shows that telecoms and IT departments in our universities are slowly starting to merge and operate as one unit.

From talking to delegates I also found out that a number of universities are putting teams together to develop iPhone apps for students and staff and “talked about” apps included location-based ones for university campuses, so people can find their way around, and conferencing ones for distance learning.

The iPhone is now available on three networks in the UK, so it is clear to see why development teams are eager to jump on this latest bandwagon. There are no payment issues associated with iPhone apps because, thanks to iTunes, a payment infrastructure that consumers trust already exists.

New iPhone apps are appearing all the time – Vodafone has launched two new ones to accompany its promotion of the iPhone – one is a satellite navigation app (a bit like a personal “Tom Tom”) and the other is a “People Sync” app so their customers can easily move their contact details over to their new phones.

There are apps for absolutely everything: travel, restaurants, time tables, sport, newspapers (the Guardian has successfully launched a paid for app), taxis, sex, spirit levelers, social media, Twitter, toilet locators (great if you’ve got young kids) – you name it, there’s bound to be an app for it.

As far as I can make out, the general feeling is, “if you provide web based services, you need to develop an iPhone app for those same services”, for marketing and promotional purposes if nothing else.

Here at C3, we’re busy developing an app for LookOut call, our mobile phone based personal safety solution. We’re also looking at developing an app for our unified communications software. We’ll keep you posted on developments.

Take a look at www.c3.co.uk to find out more about who we are and what we do. With the launch of Google’s Nexus One in the States this year, the appetite for apps can only get bigger.


GFM Ltd use C3’s IVR for self-service applications

Thursday, December 17th, 2009

GFM Services Ltd, one of the UK’s leading multi-service business agencies, has been using Apcentia, C3’s mass call handling platform, to provide bespoke IVR and call recording facilities for many different marketing projects for more than 10 years. C3’s IVR software is used primarily to support specialized campaigns such as telephone-based fund raisers, outbound telephone interviews and specialist automated surveys.

Apcentia is an enhanced mass call handling platform used by network operators, service providers, private companies and the Public Sector to provide automated services such as automated information services or data capture for brochure distribution. It includes many other supporting applications such as robust call recording and data storage facilities.

GFM Ltd manages a diverse range of campaigns on behalf of its customers, including interactive sports or holiday competitions for many of the UK’s National newspapers or bespoke projects for large corporates and blue chip companies.

Their marketing and project fulfillment campaigns embrace all communication channels and the open architecture of C3’s bespoke IVR software means it can be seamlessly integrated into web based applications, as Rob McLaughlin of GFM explains: “The Apcentia platform is very flexible and because we have access to the source code, we are able to integrate its IVR capabilities into other software solutions we use to manage online and SMS campaigns, thus providing consumers with multiple entry points to competitions and quizzes.”

More specialist projects GFM Ltd has been involved in include the provision of IVR and call recording facilities for Greater Manchester Police and automated pharmacy testing services for a leading healthcare media company.

For the latter, trained pharmacists tested their knowledge by using a number of pre-recorded examination modules, accessed by pressing different buttons on their phones. C3’s IVR call handling software collated all the information on its robust back-end database and participants were advised if they had passed and of their overall course performance to date.

GFM has also project managed many fund raising campaigns to help those affected by conflict or natural disaster. In 2005, they were invited by the BBC’s Disasters Emergency Committee to compile and manage a telephone-based fund raising campaign following the Tsunami disaster of South East Asia. They were able to put appropriate infrastructure in place to manage the campaign within 24 hours and, using C3’s IVR software, they were able to handle in excess of 125K calls and process more than £3M in donations in the first three days of the campaign. GFM have run many other fund raising campaigns since then, including disaster appeals for Darfur, Asiaquake, Niger, Bangladesh, Burma and the Congo.

Protecting consumer data

Thursday, November 19th, 2009

Yet again the subject of customer data protection has made the headlines. This time it’s T-Mobile who are in the limelight. The ICO have discovered that some of its employees have been supplying thousands of customer records to brokers who have subsequently been selling them on to other mobile operators at a very high price. http://news.bbc.co.uk/1/hi/uk/8364421.stm

Rival mobile operators have then been cold calling T-Mobile customers, whose phone contracts were due to expire, in order to try to sell them an alternative contract. Sales personnel can earn substantial commission if they manage to lock customers into contracts that last more than 12 months.

The data sold included customer names, addresses, phone numbers and contract termination dates of several thousand T-Mobile contract customers. The only saving grace is that the data sold did not include any financial information such as bank or credit card details.

This escapade is believed to be the largest data breach of its kind and, in parallel to this, the ICO have been investigating other incidents of data breaches, including a case where forged identity documents were used to gain unlawful access to a number of people’s credit card files held by a credit card reference agency.

Data breaches like these are just some of the unfortunate consequences of our digital age. As we move ever closer towards the era of “Cloud computing” (where data is stored on centralised servers and accessed remotely), these breaches will only get worse unless stringent security measures are put in place to safeguard against them.

The Data Protection Act stipulates it is illegal to sell 3rd party data without customer consent and fines of up to £5K can be imposed if you’re found guilty. In light of this latest breach and some high-profile credit card debacles that happened not so very long ago (TK Maxx, for example), it is no wonder that ministers are campaigning for breaches of this kind to be punishable with a prison sentence. Paltry fines are simply not enough to deter opportunists from stealing data, particularly when times are hard, because the rewards far outweigh the risks.

Many TV charity shows like Children in Need and Comic Relief run the risk of being victims of fraud because many of them have operated a “capture and store” process, where card details are collected by IVR systems or call centres and processed after the event.

The BBC, however, has decided this is no longer satisfactory (about time too!) and has declared that all credit card processing must be done in “real time”.

Our digital world is resulting in more and more of our personal data being stored on large centralised servers (think Child Benefit and what happened there not so very long ago!), so it’s paramount that communications providers and data storage companies put very strict procedures in place to improve database security. This means purchasing resilient hardware, having “bullet proof” firewalls and making sure that, when necessary, information is encrypted and stored on 3-D secure databases.

Consumers must also take some responsibility to help prevent breaches occurring. They must be on their guard and be wary of divulging too much information to email addresses they don’t recognise and of purchasing goods from bogus websites.

At C3 we work very closely with our customers to ensure they have resilient IVR and data management infrastructure in place for managing customer information appropriately and securely.
Visit www.c3.co.uk to find out more about who we are and what we do.

C3 builds bespoke PCI compliant card processing system for Telebilling

Monday, October 26th, 2009

TeleBilling, a provider of many different interactive entertainment services, has been operating voice and web-based card clearing on its C3 built platform for many years. As a result of both diminishing trust in traditional premium service and increased regulatory requirements by card issuers, they have recently seen increased demand for card clearing services.

The existing C3 card processing platform is only able to handle transactions through TeleBilling’s own merchant accounts, forcing a re-seller agreement with its clients. To grow the business, TeleBilling needed to be able to handle transactions direct into clients’ merchant accounts whilst maintaining PCI compliance, and C3 has made some changes to the platform to help them achieve this.

Payment Card Industry Data Security Standard (PCI DSS) has been adopted by all major card issuers to ensure that card details are held securely to the satisfaction of the issuer. As PCI DSS is phased in, banks and credit card companies are increasing the levy on non-compliant systems to force merchants to move to compliant platforms.

C3’s bespoke solution stores all information relevant to the transaction, including card number, address validation (AVS) and 3-digit security code (CV2), then forwards the request to the client’s bank’s clearing house for authorisation. Once funds have been secured, the system generates a unique reference code that is stored on the approved database. The entire process, including system build, documentation, server location, security and the vetting of personnel who have access to the platform, meets and maintains the stringent PCI compliance requirements.

TeleBilling’s existing card platform meets card industry requirements but has limitations, as Alex Robson, CEO of TeleBilling, explains: ‘Our existing system works fine and is compliant. Because it was built for our own use, it was only integrated to our merchant accounts. As we have seen considerable growth in card clearing on the web, voice and WAP, we need to add client merchant facilities to the platform whilst maintaining the ever changing PCI compliance. The C3 additions will change our business model as collected funds will go direct into the clients’ merchant account – we will then charge a fee to use our compliant platform. All the additional security checks we run to minimise chargebacks and protect accounts will also be extended to the clients.’

‘Being able to pay for goods or services by credit card offers customers a very positive experience compared to some of the existing mobile billing mechanisms,’ continues Robson. ‘Credit and debit card billing is well understood and the card companies spend millions ensuring consumer confidence. In the event of a dispute, consumers can easily query charges and receive refunds. The refund processes for other billing mechanisms are not so straightforward.’

TeleBilling’s bespoke card billing platform is hosted at C3’s secure co-location premises in Cambridge.
