Independent Contact Center Consultants: Bridging Strategy, Technology and Operations Since 2004

Contact Center Compliance and Security

“Bad guys” seem to be lurking around every corner these days. They steal customer information and break into networks and systems. The recent massive data breach at Equifax has spurred action by a host of companies to plug leaks in security. At the same time, contact centers face a growing array of compliance requirements, rules, and regulations for handling sensitive data.

Becoming Compliant

Compliance is a priority for many companies because of requirements from PCI and HIPAA, among others. In spite of the high importance, centers have not always been fully compliant. With the increasing pressure and risk, it’s time to get it right, because close doesn’t count!

Compliance is an area where experts are required to dive into all aspects, many of which are not in the center’s control. IT and vendors play a role in ensuring proper access control and management (e.g., logins and their use, password rules and triggers for change). Recording and storage are hot buttons for PCI that centers must consider. Recognize that the products themselves may not be “compliant” – rather, they enable you to be compliant. Define your requirements and have vendors show how they help you achieve them.

Here are the biggest hot buttons contact centers need to consider regarding compliance:

  • Logins – Centers have many systems to log in and out of, often with fast timeouts impacting handle times and potentially customer and agent satisfaction. Single sign-on solutions can address these issues and ensure compliance across a variety of systems. They can be standalone or incorporated into things like Unified Agent Desktop (UAD) or CRM applications.
  • Recording – Centers need to block recording of key information such as the three digits on the back of the credit card. Vendors offer a variety of options. Don’t fall for the manual ones that rely on an agent to turn recording on and off at their desktop – both because it won’t pass an audit and because it creates risk. Look for integrations that are based on where the cursor is on screen, within an application or browser. Another option is to move the capture of sensitive information to an IVR, masking the information from agents. And don’t forget to look at controls over who can access the recordings, how they are managed, the networks they travel on, etc.
  • Storage – Storage policies must address retention and disposal. A full policy considers backups as well as recovery of data. For too long, many centers have put off developing full business continuity/disaster recovery plans. A push for compliance creates another reason to prioritize it!
  • Encryption – Encryption has a role in recording and storage, for data “at rest” and “in transit.” It may apply to the interactions themselves (voice conversations as well as other channels – e.g., emails, chat sessions, text messages) and to data about those interactions. Many different standards and protocols provide encryption – e.g., AES, SRTP, IPsec, and SSL/TLS (see figure 1). Another hot button is management of encryption keys – an area your IT experts and vendors should explore together.
  • Security – This one, while it can be part of compliance, is worthy of extended discussion, so let’s go there next.

Security on Many Fronts

The first aspect to address is access to physical spaces: Who has access to what? How is that access managed and tracked? The best scenarios employ biometrics, multi-factor authentication, and audited logs, backed up with strictly defined and enforced policies.

You must consider access to systems and networks, and all associated elements (e.g., servers, routers). Firewalls, DMZs, and SBCs, together with secure data connections using HTTPS, SSL, or other protocols – and the all-important logins – can control access across networks and play a role in thwarting the bad guys.

Login access should be on a need-to-know basis, with role-based permissions. Careful management of logins and passwords, and of access to recordings (interactions) and data about the interactions, must all be considered. Part of security is also keeping track of who did what, so logging and event management tools must be considered as well (e.g., history of access, triggers for issues). Data storage and access are also part of security and are addressed above in the compliance section.

Make sure you address all aspects of data centers – whether your own, or those of cloud vendors, third parties, or platform-as-a-service providers (e.g., Amazon Web Services (AWS) or alternatives from others such as Google, Microsoft, IBM and Oracle). And don’t forget the network. Explore certifications, audits, and testing (see sidebar) and make sure your agreements and SLAs hold vendors accountable for ongoing security commitments.
