While most of the PCI requirements are hardware and software related and behind the scenes, the call center professional comes into play with “Protecting Cardholder Data”.
The greatest impact on the contact center is PCI Compliance. How can contact centers remain PCI compliant and instill customer confidence that data is being protected?
Here are 5 key ways:
1. Call Recording: According to the PCI Security Standards Council, recorded calls are subject to the same rules as any other method of capturing and storing customer card authentication data. Enterprise-level contact center platforms provide recording systems where agents control the recording with a button, allowing them to pause the recording when credit card numbers are spoken.
There are three technologies used in the contact center:
- Automated “pause and resume”
- Automated “mute and unmute”
- Keypad payment by phone
If you don’t want agents handling the recording themselves, enterprise-level contact center platforms that integrate with the CRM system can automatically pause the recording based on actions taken by the agent (for example, when the agent moves into the card entry field).
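The CRM-driven “pause and resume” described above, as an added illustration that is not the page’s or any vendor’s code: it assumes a constructed event feed in which the CRM emits `card_field_focus` / `card_field_blur` and the telephony side emits transcript chunks, and it fails closed (stays paused) if the resume event never arrives.

```python
"""Automated pause/resume of call recording driven by CRM events (illustrative)."""
from dataclasses import dataclass, field
import re

# Spoken card numbers transcribed as 13-19 digits with optional spaces/dashes.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")


@dataclass
class Recorder:
    """Keeps audio chunks only while not paused; drops everything else."""
    paused: bool = False
    kept: list = field(default_factory=list)
    dropped_chunks: int = 0

    def handle(self, event: dict) -> None:
        kind = event["type"]
        if kind == "card_field_focus":      # agent entered the card field: pause
            self.paused = True
        elif kind == "card_field_blur":     # agent left the card field: resume
            self.paused = False
        elif kind == "audio":
            if self.paused:
                self.dropped_chunks += 1    # never written to the recording
            else:
                self.kept.append(event["text"])


def process_call(events: list) -> Recorder:
    """Replay a call's event feed; a call that ends paused stays paused (fail closed)."""
    rec = Recorder()
    for ev in events:
        rec.handle(ev)
    return rec


def recording_is_clean(transcript: str) -> bool:
    """Post-check for stored recordings: True if no card-number-like run remains."""
    return PAN_PATTERN.search(transcript) is None


# Constructed sample call (hypothetical data, not a real transcript).
SAMPLE_CALL = [
    {"type": "audio", "text": "Thanks, I will take your card details now."},
    {"type": "card_field_focus"},
    {"type": "audio", "text": "4111 1111 1111 1111"},
    {"type": "audio", "text": "expiry 12 29"},
    {"type": "card_field_blur"},
    {"type": "audio", "text": "Payment approved, anything else today?"},
]
```

Running `process_call(SAMPLE_CALL)` keeps only the two non-payment chunks, and `recording_is_clean` on the joined result passes, while the same check on the raw card chunk fails.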
Encrypting the audio files is a higher level of security, and some enterprise-level contact center platforms have this capability. The audio files are encrypted and password protected, so only authorized users can retrieve and review them. Encryption is the strongest control available for stored recordings; today you can’t have too much security.
2. Network Security: PCI guidelines cover the entire network. Ensure the network has an effective firewall and router configuration, as well as a documented internal process that provides layered protection. It is recommended to restrict all traffic from untrusted networks, and there should never be any direct access between any network component containing cardholder data and the internet. Encrypt cardholder data whenever it is transmitted across open, public networks.
3. Role-Based Security: In any contact center environment, agent and supervisor desktops should have role-based logins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job. For example, a sales representative might be able to view customer details but not update or delete them. A team supervisor may be able to view the performance of the team they are assigned to, but should not be able to view the performance of other teams within the same contact center or project.
4. Additional Security Considerations: In addition to role-based security, contact centers should also consider every point at which staff come into contact with data, to ensure proper security and compliance. Access to sensitive customer and payment data should be restricted, including physical access (e.g., limiting entry to key areas of the building).
5. Change passwords frequently: Make sure that all of your access passwords are strong (e.g., a mix of numbers and lower- and upper-case characters) and are changed regularly.
Swap paper for whiteboards: A simple and cost-effective way to support PCI compliance is to remove all pens and paper from your contact center. Replace them with mini whiteboards that cannot be removed from the desk and are wiped clean on a regular basis.
Ban the use of mobile phones in your contact center: If you prohibit agents who handle card payments from using their mobile phones, you reduce the chance of sensitive information being leaked from your contact center via text, phone call or picture message.
PCI Compliance Information: Any organization that stores, processes, or transmits cardholder data must meet PCI compliance requirements. Many websites outline the policies and procedures, forms, checklists, templates, and other supporting material. Make sure you know the rules.
Today, with every transaction being completed on a smartphone or tablet, large-scale security breaches are all too common. If your contact center agents take payments over the phone, adhering to the PCI DSS security requirements is critical to protecting against fraud and instilling customer confidence in your business. PCI is just good business.