Eight Tips to Ensure Call Center PCI Compliance
July 17, 2019 Ronnie Mize
Every good business leader knows there will always be times when risk-taking is beneficial to your organization. We have all heard the adage, “The Greater the Risk, The Greater the Reward”. However, when it comes to regulatory compliance in the contact center industry, taking risks should never be an option. Adhering to the Payment Card Industry Data Security Standard (PCI DSS) is one of the most important ways to operate your business with integrity. Developed in 2006 by five major credit card companies to protect consumers from fraud, data breaches, and identity theft during business transactions, PCI DSS standards are enforced by the PCI Security Standards Council. There are several risks associated with non-compliance with PCI DSS standards: monetary fines, damaged reputation, system and process forensic audits, loss of business, legal action, and the list goes on. The good news is that there are several easy-to-follow guidelines to ensure your company achieves and maintains full PCI compliance.
- Maintain a secure network. Nearly 80 percent of companies that experience a data breach don’t have a reliable firewall in place. Avoid putting your customers at unnecessary risk by investing in robust security controls for your online network. If you’re unfamiliar with industry standards for establishing a safe network, hire a reputable IT firm to help you get started. Understand where all your access points are. Document your data flows and ensure there are measures to protect the data at rest and in transit.
- Ensure your web hosting is PCI compliant. Call center security begins with a web host that routes valuable consumer financial data through a private, dedicated server to protect sensitive information from unauthorized users. While this option can be more expensive than a shared hosting plan, the peace of mind it can give you and your customers is well worth the expense.
- Do not allow mobile devices in secure work areas where protected data is present and/or displayed. While it’s important to hire and train contact center agents who are ethical and trustworthy, you also need to accept the reality that a data breach could begin with someone copying sensitive customer data onto their mobile device. Reduce the risk by prohibiting personal mobile device use in secure areas. If mobile devices are part of your employee working toolset, ensure you have robust MDM (Mobile Device Management) and DLP (Data Loss Prevention) policies in place.
- Encrypt all sensitive data. We have all heard the saying, “There are two types of organizations, those that have been breached, and those that don’t know they’ve been breached”. If data becomes compromised, can the malicious actors do anything with it? A fundamental element of PCI compliance is shielding customer personal and financial information with strong cryptography. Cryptographic controls are important for data at rest as well as data in transit. Use a minimum encryption key strength of 256 bits, and as an extra safeguard, if you use a third party to store your customers’ data, that third party should not have access to the encryption key.
- Redact and protect recorded calls containing sensitive information. You would be surprised at the number of companies recording calls that never think about the protected data on those recordings. While call recording is an invaluable training tool, it can also put the security of your organization and your customers’ data at risk. Recorded calls are subject to the same PCI DSS standards as any other method of capturing private consumer information, so consider investing in a call monitoring system that allows redaction of financial information on the recording. Also, ensure the recordings themselves are protected through proper encryption methods and access controls.
- Establish role-based security. One of the basics of PCI DSS compliance is limiting who can access your customers’ financial information to a strictly need-to-know basis. That’s why it’s essential to implement role-based credentials in your contact center. Follow a policy of least privilege. This ensures that each team member has only the access needed to adequately perform their job duties, without unduly exposing them to sensitive consumer data.
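To show what need-to-know and least privilege look like in code, here is an added Go example (not Etech's or any product's implementation) of a deny-by-default role policy over cardholder fields. Agents and supervisors see only a masked card number; one back-office role can see the full number, and every request, granted or denied, is written to an audit trail. The security code is deliberately not a field at all, so no role can be granted it. The roles, users and record are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Field names a piece of cardholder data a role may be granted.
// There is no security-code field: it must not be retained after authorization.
type Field string

const (
	FieldName      Field = "cardholder_name"
	FieldPANMasked Field = "pan_masked" // first six and last four only
	FieldPANFull   Field = "pan_full"
	FieldExpiry    Field = "expiry"
)

// policy is deny-by-default: a role sees a field only if it is listed here.
// Roles and grants are constructed for this example.
var policy = map[string]map[Field]bool{
	"agent":       {FieldName: true, FieldPANMasked: true, FieldExpiry: true},
	"supervisor":  {FieldName: true, FieldPANMasked: true, FieldExpiry: true},
	"chargebacks": {FieldName: true, FieldPANMasked: true, FieldPANFull: true, FieldExpiry: true},
}

// Record is a stored cardholder record (already decrypted by the data layer).
type Record struct {
	Name, PAN, Expiry string
}

// AuditEntry records who asked for what, and whether the policy allowed it.
type AuditEntry struct {
	User, Role string
	Field      Field
	Allowed    bool
}

var ErrDenied = errors.New("access denied")

// maskPAN keeps at most the first six and last four digits, the display limit
// PCI DSS sets for a PAN.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Access returns one field of r for the given user and role, after consulting the
// policy and appending an audit entry. Unknown roles and unknown fields are denied.
func Access(user, role string, f Field, r Record, audit *[]AuditEntry) (string, error) {
	allowed := policy[role][f] // lookup in a nil map yields false: unknown role gets nothing
	*audit = append(*audit, AuditEntry{User: user, Role: role, Field: f, Allowed: allowed})
	if !allowed {
		return "", ErrDenied
	}
	switch f {
	case FieldName:
		return r.Name, nil
	case FieldPANMasked:
		return maskPAN(r.PAN), nil
	case FieldPANFull:
		return r.PAN, nil
	case FieldExpiry:
		return r.Expiry, nil
	}
	return "", ErrDenied
}

// FullPANRoles lists every role able to see an unmasked PAN. A periodic review of this
// list is the credential audit that keeps least privilege from eroding over time.
func FullPANRoles() []string {
	var roles []string
	for role, grants := range policy {
		if grants[FieldPANFull] {
			roles = append(roles, role)
		}
	}
	sort.Strings(roles)
	return roles
}

func main() {
	rec := Record{Name: "J. Doe", PAN: "4111111111111111", Expiry: "12/26"} // constructed, test PAN
	var audit []AuditEntry
	for _, req := range []struct {
		user, role string
		field      Field
	}{
		{"alice", "agent", FieldPANMasked},
		{"alice", "agent", FieldPANFull},
		{"bob", "chargebacks", FieldPANFull},
		{"carol", "intern", FieldName},
	} {
		v, err := Access(req.user, req.role, req.field, rec, &audit)
		fmt.Printf("%-6s %-12s %-16s -> %q %v\n", req.user, req.role, req.field, v, err)
	}
	fmt.Println("roles with full PAN access:", FullPANRoles())
	fmt.Println("audit entries:", len(audit))
}
```

The audit slice stands in for whatever log store the contact center uses; the point is that denied requests are recorded too, since a run of denials from one account is exactly what a credential review should surface.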
- Provide appropriate contact center employee training. Your contact center agents are part of your security/compliance team, and each is an invaluable asset in maintaining PCI DSS compliance. Make sure they understand the fundamentals of PCI standards, why they are important, and how a data breach can negatively impact your business. By establishing your agents as the front line in preserving contact center security, you’re providing one of the strongest defenses available for your customers.
- Don’t underestimate the importance of system testing. Less than 30 percent of companies remain PCI compliant a year after becoming certified, usually because they fail to maintain and upgrade their network and data security after the initial installation. Security is not a one-and-done project. It must continually evolve to counteract cybercriminals who are attempting to stay one step ahead. Protect your investment by scheduling regular testing of all firewalls, encryption methods, redaction methods, credential audits, and call monitoring. Commit to enhancing your security systems as needed so they meet or exceed all current industry standards.
When instituting PCI compliance within your organization, remember that you, and not the consumer base you serve, are the gatekeeper of sensitive data. At Etech, we have maintained full PCI DSS certification for several years, and we realize that we and not our clients are primarily responsible for meeting all security and compliance requirements for each program within our contact centers. We provide our clients with a dedicated team of regulatory compliance experts to give them peace of mind in all aspects of their program management. Contact us today to learn more about how we can help you create a PCI DSS compliant security system that will give your customers the protection they deserve.