Second in a two-part series
Yesterday we looked at the Payment Card Security Council and the Payment Card Industry Data Security Standard which were established to protect the credit card user. Today we look specifically at the standard and the requirements it places on contact centers.
DMG Consulting LLC is a leading provider of market research and consulting services for contact centers. The 2009 – 2010 Quality Management/Liability Recording Product and Market Report is the definitive guide to this growth market.
What Are the Implications for Contact Centers?
Businesses and the credit card brands are responsible for ensuring that all data transmission systems, network segments and data storage solutions comply with the data security standards; this includes any wired, wireless, private and public networks.
Security starts at the point where payment card information is received by the business, whether from a Web-based ordering system, swiped into a point-of-sale device, or given to a contact center agent over the telephone; it ends with the brands.
While contact center solutions cannot be PCI-DSS compliant, the report says, contact center solution vendors, such as call center quality monitoring and assurance (QA)/liability recording (workforce optimization) providers, must ensure that their solutions provide appropriate security protocols and operate within a secure network to enable users to comply with PCI-DSS. More importantly, contact centers and IT departments must use the solutions correctly, employing all security features.
What Are The Most Applicable Standards for Contact Centers?
Yesterday’s blog mentioned several of the 12 key requirements for protecting data contained in the report. The most significant of these for contact centers are that they protect stored cardholder data; encrypt transmission of cardholder data across open, public networks; and maintain a policy that addresses information security.
In addition, there are a number of sub-requirements that also apply to contact centers. These range from screening of employees to requiring companies to store payment card data only when absolutely necessary, have a disposal procedure in place, display only as much of the card number as necessary and use strong encryption protocols to provide secure transmission of data over the network.
How Should Contact Centers Protect Cardholder Information?
Contact center executives and leaders need to find the right balance between complying with all state and federal recording requirements, the PCI-DSS, and their own internal quality assurance guidelines. The DMG guide suggest steps for managers.
Collaboration with IT
Data security safeguards may require collaboration between corporate IT departments and Call center monitoring software and CRM vendors. DMG suggests among other things that managers maintain all database servers on which payment card information is stored in secure data centers with restricted physical access, ensure the data within the QA/recording and CRM solutions are encrypted using strong encryption protocols, and limit the amount of time that card information is kept on the QA/recording server and CRM solution databases (both voice and screen recordings).
PCI and At-Home Agents and Supervisors
Remote call center agents and supervisors pose additional risks because there is no way to certify that at-home employees are working in a fully secure area. In addition, many remote agents and supervisors send and receive data over the unsecured Internet. Some even utilize unencrypted VoIP telephone systems for their home-office phones.
The report urges that when dealing with at-home agents, contact center managers work with their IT departments to ensure that secure systems are put in place and a clear set of best practices are developed and implemented.
The PCI report goes on to recommend that contact center managers develop security-oriented best practices for at-home agents and supervisors. At-home agent best practices may include ensuring that at-home agents and supervisors encrypt their wireless networks using a strong encryption protocol, require agents to enter payment card information as it is given to them and then mask the information once they verify its accuracy.
The report affirms that any company accepting or processing American Express, Visa, Discover, MasterCard or JCB Global brand credit and debit cards must be PCI-DSS compliant. It is the responsibility of businesses and payment card processors that accept these cards to implement and maintain PCI-DSS compliance.
Quality assurance/liability recording solutions, CRM applications and VoIP-based telephone systems cannot be PCI-DSS compliant, but can provide functionality to help a company comply with PCI-DSS regulations.
Contact centers are one of the few points in the corporate infrastructure where payment cards are both viewed by humans (while being confirmed or entered) and stored. Contact center managers and executives, the report said, need to work with their IT department and third-party application vendors to ensure that payment card information is secure from the time it is acquired, through database storage, and until it is finally discarded.
While no one wants to think about data theft, it does happen, often resulting in significant cost and loss of consumer confidence in a company. The Payment Card Industry Data Security Standard offers companies a wide range of options to help keep their customers’ credit and debit card information secure. The full guide can be downloaded compliments of KnoahSoft.