
5 Keys to PCI Compliance in the Call Center


Scott Kendrick

November 25, 2017


If the recent data breaches have taught us anything, it's that failing to protect customer privacy can result in serious fines and reputation damage. During the 2013 holiday season, Target confirmed publicly that credit and debit card information for 40 million of its customers had been compromised (as well as email and mailing addresses for an additional 70 million), and the company has since reported spending $61 million related to the breach.

To ensure the safe handling of cardholder data and protect customers against identity theft, the five major card brands founded the PCI Security Standards Council in 2006 to maintain the Payment Card Industry Data Security Standard (PCI DSS). For contact centers, this means that sensitive authentication data (the full magnetic stripe or chip data, the three- or four-digit security code, and the PIN) must never be stored after authorization, no matter how well it is encrypted.

So how can call centers remain PCI compliant and instill customer confidence that data is being protected? Here are 5 key ways:

  1. Redaction: According to the PCI Security Standards Council, recorded calls are subject to the same rules as any other method of capturing and storing cardholder data, and sensitive authentication data (the security code in particular) must not be retained after authorization, even inside an encrypted recording. Some recording systems give agents a button to pause the recording while card details are spoken, while others integrate with the CRM system to pause recording automatically when the agent reaches the payment screen; both depend on the agent or the integration working every single time. CallMiner Redact instead applies speech analytics to the audio itself, so it needs no change to payment processing, no agent intervention, and no CRM integration: the recording is muted automatically when account numbers, security codes, and other sensitive information are spoken. Because the sensitive payment data is never recorded, the recordings themselves fall outside the scope of a PCI assessment (the agent desktops and the payment path the agent uses to enter the card remain in scope).
  2. Network Security: The whole network that handles cardholder data must meet the PCI DSS network requirements. This begins with correctly configured firewalls and routers, backed by internal processes (documented rule sets, change control, and periodic rule review) that add further layers of protection. Deny all traffic from untrusted networks and hosts except what the business explicitly needs, and never allow direct access between the Internet and any system component in the cardholder data environment; inbound connections should terminate in a DMZ rather than on systems that hold card data.
  3. Role-Based Security: In any contact center environment, agent and supervisor desktops should have role-based logins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job. A Contact Center World white paper on security and PCI compliance in cloud-based contact centers offers an example of how this might work: “A sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but they (supervisor) should not be able to view the performance of other teams within the same Contact Center or project.”
  4. Additional Security Considerations: In addition to role-based security, contact centers should also map every point at which staff come into contact with cardholder data, so that each one is covered by appropriate physical and logical controls. Carl Adkins of Infinity CSS maintains that access to sensitive customer and payment data should be restricted (e.g., limiting access to key areas of the building by adopting an RFID card system). “You should [also] make sure that all of your access passwords are strong (e.g., a mix of numbers, and lower- and upper-case characters) and are changed regularly,” says Adkins in a Call Centre Helper article on PCI compliance.
  5. PCI Compliance Information: Any organization that stores, processes, or transmits cardholder data must meet the PCI DSS requirements. Which validation route applies (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) depends on transaction volume and the card brands' merchant levels, so make sure you know which requirements and which validation route apply to your environment.
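To make the redaction idea in point 1 concrete, here is an added, illustrative example that is not CallMiner's product and not code from this post: a transcript-level redaction pass in Python that finds spoken card numbers, confirms them with the Luhn check so that order references and phone numbers survive untouched, masks confirmed PANs down to the last four digits, and strips security codes by the cue words that precede them. The sample transcript, cue-word list, and function names are assumptions made for this example; the card numbers in it are publicly documented test numbers, not real cards.

```python
import re

# Constructed transcript for this example. 4111... and 5555... are public test
# card numbers; the order reference and phone number are deliberate decoys.
SAMPLE_TRANSCRIPT = """\
Agent: Thanks for calling. Your order reference is 1234 5678 9012 3456.
Agent: Can I take the card number please?
Caller: Sure, it's 4111 1111 1111 1111.
Agent: And the security code on the back?
Caller: It's 123.
Agent: Got it. For the second card it was 5555-5555-5555-4444, CVV 987.
Agent: If anything changes, call us on 1-800-555-0199.
"""

# A PAN is 13 to 19 digits. Agents read cards back in groups, so allow a single
# space or dash between digits. The lookarounds stop us matching inside a longer
# digit run, and the 13-digit floor already excludes most phone numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Security codes have no checksum, so in a transcript the only usable signal is
# context: a 3 or 4 digit group spoken shortly after a cue word (assumed list).
# The lookbehind keeps us from re-matching the "****1111" tail of a masked PAN.
CVV_AFTER_CUE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|security code|verification code)"
    r"(\D{0,40}?)(?<![\d*])(\d(?:[ -]?\d){2,3})(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card brand's PAN satisfies.

    Order IDs and phone numbers of card-like length fail it roughly nine times
    in ten, which is what keeps false-positive redactions low.
    """
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_transcript(text: str, keep_last: int = 4) -> tuple[str, dict]:
    """Return (redacted_text, counts).

    Confirmed PANs are masked to at most their last four digits (PCI DSS 3.3
    permits first six/last four to be displayed; we keep only the tail).
    Security codes are removed entirely: they are sensitive authentication
    data and must not be retained after authorization (PCI DSS 3.2).
    """
    keep_last = max(0, min(keep_last, 4))
    counts = {"pan": 0, "cvv": 0}

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)            # e.g. an order reference: leave it alone
        counts["pan"] += 1
        tail = digits[-keep_last:] if keep_last else ""
        return f"[PAN ****{tail}]"

    def _cvv(m: re.Match) -> str:
        counts["cvv"] += 1
        return f"{m.group(1)}{m.group(2)}[CVV REDACTED]"

    # PANs first, so a long digit run is never mistaken for a security code.
    text = PAN_CANDIDATE.sub(_pan, text)
    text = CVV_AFTER_CUE.sub(_cvv, text)
    return text, counts


if __name__ == "__main__":
    redacted, stats = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    print(stats)
```

The same two-pass order matters in production: mask the account numbers before looking for security codes, and never log the pre-redaction text, or the redaction step itself becomes a place where cardholder data is stored.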

Final Thoughts

In today's digital world, large-scale security breaches are all too common. If your contact center agents take payments over the phone, adhering to the PCI DSS requirements is critical both to protecting against fraud and to instilling customer confidence in your business.
