How does the Indian business process outsourcing (BPO) sector guard against the threat of “insider theft”? One prominent global BPO, WNS, came up with a unique VoIP security solution to tackle this problem, while simultaneously overcoming the inherent risk of potential weaknesses in client legacy systems being transferred to the BPO as a part of the outsourcing engagement.
WNS provides outsourcing services, including research, customer analytics, customer care, finance accounting and communications, to clients in travel and leisure, BFSI, insurance, retail and consumer packaged goods industries. Like other BPOs, WNS often faces the challenge of servicing clients stuck with outdated (and hence potentially insecure) infrastructure, who are often reluctant to upgrade because of cost or other resource constraints. WNS has deployed points of presence (POP) globally, and clients connect with the WNS infrastructure at the nearest POP. For instance, a client’s inbound/outbound call center infrastructure for payment collection might still be based on traditional methods of information collection over voice calls rather than modern technology such as an IVR platform integrated with a payment gateway incorporating robust VoIP security.
If humans answer phone calls and accept confidential information, it invariably constitutes a risk from WNS’ perspective. For example, agents facilitating air-ticket bookings solicit credit card details on a recorded phone line, which is a risk for the customer. “Providers like us are caught between the devil and the deep sea,” says Pervez Workingboxwalla, the senior vice president for risk management & audit at WNS. He explains that clients have on their own stipulated that humans will answer the calls, and cannot be easily asked to change their old systems.
In such cases, service providers cannot lose sight of the fact that credit card numbers and CVV numbers solicited in this manner could pose a grave security risk for end customers. Says Workingboxwalla: “WNS is on a better wicket to provide BPO services from a security viewpoint after putting in place the controls that come as a part of the solution deployed. They are more fool proof.”
VoIP security to the rescue
WNS adopted a simple yet effective VoIP security strategy which addressed the risk without making any changes in the recording received from the client. A couple of vendors were evaluated, after which WNS selected the solution whose offering was tailored for the BPO vertical and appeared to be the best available in the market.
“The cost incurred is per device, amounting to about Rs. 15,000 - 20,000 per workstation – a one-time capex,” explains CISO Arup Chatterjee, who heads the information security risk management function at WNS.
The VoIP security solution essentially consists of a small hardware dongle serving as a decoder, sitting between the call center agent’s landline phone and desktop computer. Rather than speaking out the credit card number and CVV, the customer now enters these numbers on his/her phone. The information is registered by the dongle as dual tone multi-frequency (DTMF) input, decoded back into the corresponding numbers and mapped to the appropriate database fields based on the key length, i.e. 15-16 digits for credit card numbers and three digits for the CVV or CVC. An overlay screen on the agent’s desktop masks the sensitive data, ensuring that the numbers are not visible to the agent, in order to maintain confidentiality
Fig 1: WNS' setup before the implementation
In addition to the dongle, the VoIP security solution also incorporates a call filter, which is a rack-mounted telecom device. This filter detects the DTMF tones and prevents them from getting recorded as part of the voice call. The DTMF tones are converted to a monotone and recorded as a single beep. This ensures complete PCI-DSS compliance of the VoIP security solution. In this way, the payment card data and authentication information are securely passed to the application without the agent obtaining access to this sensitive data.
The VoIP security solution was identified by WNS in 2010. The BPO spent about 12 months perfecting it and demonstrating proof of concept. “Recently we have struck a deal with one of our customers having roughly 500 nodes,” says Chatterjee.
Fig 2: WNS' setup after the implementation
This VoIP security approach does not need any customization at the client end. It is installed at the agent’s workstation, in this case at the WNS POP. In fact, it could be implemented on any phone with an RJ45 or RJ11 jack, and there is no degradation of call quality.
This was first published in December 2012