Independent Contact Center Consultants: Bridging Strategy, Technology and Operations Since 2004

PCI and Other Requirements Demand Contact Center Attention

While contact centers and their IT departments have plenty of demands on their all too limited time, consumer information protection and data security need to get on the radar.

The Payment Card Industry (PCI) Data Security Standard (DSS) provides a set of technical and operational requirements that applies to anyone who “stores, processes, and/or transmits” cardholder data. The Health Insurance Portability and Accountability Act (HIPAA) and other privacy standards have different (but similar) requirements.

All such standards are grounded in best practices for today’s environment – e.g., encrypting data in storage and across networks, securing networks and systems, maintaining an information security policy, monitoring and testing, and enforcing strong access control and login rules.

The implications of PCI for the contact center are significant:

  • You are not permitted to store a card’s security code – i.e., the 3 or 4 digits recorded on the back of the card – on data systems or voice recordings. This requirement has significant implications for quality monitoring programs as well as your Customer Relationship Management (CRM) application or Customer Information System (CIS).
  • You must encrypt sensitive information before you store or transmit it.
  • There are restrictions on what you are permitted to display in your CRM or CIS and to play back on your quality management system.
  • You must have robust management of passwords and of access to information across the corporation, not just the center.

Agents may have a “need to know” credit card numbers to do their jobs. If they are allowed to hear and capture that information, you must have the right tools and processes to manage and protect it. Some prefer to not expose agents to the information and not deal with spoken numbers; technology options make that possible.

The choice between agents and systems taking private information highlights the need to define requirements and select the best approach for the customer and the center, considering costs and benefits, risks and mitigations, training, resource use, efficiency, etc.

To explore the main options and some advantages and considerations for each, download the full article. It also covers other key areas related to privacy and security – e.g., non-phone media, VoIP/SIPREC, masking data, physical space, home agents, and outsourcing/cloud-based solutions.