Maintaining PCI DSS Compliance In The Contact Center

For years, credit and debit cards (payment cards) have been the most common form of debt payment, and they still are today. Ensuring that the data stored on payment cards is secure continues to be a significant problem that businesses face globally. Companies risk considerable financial penalties and sometimes irreparable damage to their reputation when data breaches occur. Since contact centers manage an enormous volume of this sensitive data, managers are challenged by the safeguard of such customer information. For many organizations, software deployments such as workforce optimization can help ease the burden of PCI DSS compliance.

National, state and local governments require companies to safeguard consumer information, including that found on payment cards. In response, the largest payment card brands established the Payment Card Security Council and the Payment Card Industry Data Security Standard (PCI DSS). This standard is a set of voluntary requirements and provides common benchmarks for payment card issuers, processors and merchants with regard to payment card data security. PCI DSS is an international standard accepted in markets throughout North America, Europe and Asia. It covers areas such as data center security, protection of data during transmission, and standard operating procedures.

The ecosystem of payment card transactions includes banks, card issuers, interim card processing centers, merchants and others. This article will discuss what contact center managers should know about PCI compliance to ensure appropriate implementation.

UNDERSTANDING THE PCI DSS

While the PCI DSS standard seems broad, it’s important to remember it only covers securing personal data located on the payment card and on the card’s magnetic strip. This data may include but is not limited to the owner’s name, account number, Card Validation Value (or Code), Personal Verification Value (PVV) or Personal Identification Number (PIN), and expiration date.

USING WORKFORCE OPTIMIZATION TO ASSIST IN PCI COMPLIANCE

Many companies now use workforce optimization (WFO) software and services in several segments of their business, including contact centers, branch operations, marketing and customer care, and back-office operations. Workforce optimization helps capture customer interactions and sentiments across multiple channels while providing insight on the performance of internal people, processes and technologies. Armed with this information, companies can make better, more strategic decisions to increase service efficiency and effectiveness, reduce costs and fraud, and build customer loyalty and competitive advantage by delivering an improved customer experience.

While the PCI DSS has several well-defined mandates for maintaining information security, monitoring and controlling measures, contact centers still face inherent challenges. Among the challenges that contact centers face in relation to achieving PCI compliance are avoiding the capture of sensitive or private data, secure storage of recorded interactions and preventing improper actions and behaviors by internal employees that compromise PCI data security. A few of the workforce optimization products, along with associated processes and best practices in managing people are ideally suited to aid organizations toward achieving and maintaining compliance with PCI mandates. The WFO products that can help are call recording, encryption and desktop and process analytics.

CALL RECORDING IS OFTEN OVERLOOKED

The contact center is recognized as one of the most data-intensive areas of any business, often with sensitive data residing in multiple systems and formats. Contact centers can protect data collected during phone interactions, such as cardholder data through masking and encryption techniques.

Recordings of customer interactions may contain information meant to be protected by PCI DSS when developing contact center data protection strategies. Protecting audio recordings when they are recorded, in transit, and archived needs to be a priority investment for contact center managers and IT decision makers within the greater enterprise.

Here are some ways to address this:

Pause-Resume. For companies currently recording calls that want to improve security, the recording capability called “Pause-Resume” prevents unnecessary vulnerability. The capability can pause call recordings when agents ask for sensitive customer data, such as the card verification value (CVV) security code.

• One approach is via a direct application programming interface (API) integration provided by the recording vendor with payment processing applications that support the API. Alternatively, call recording, in combination with desktop and process analytics (DPA), can help contact centers “mask” or avoid capturing data deemed sensitive under the PCI guidelines. When the agent moves to a payment screen on their desktop application or begins to enter the CVV code (or other private information into specific fields), DPA can send a “pause” trigger to the recorder to stop it from recording the audio and the screen. Once the transaction moves forward from this step, DPA can send a “resume” trigger to the recorder to continue recording the interaction
• Another approach for pause-resume is manual. A pause-resume button can be added to the agent desktop for the agent to manually activate at the appropriate time. Use of the pause-resume function will sound to the user on playback, very much like a momentary “muting” of the audio recording with an overlaid audible tone. The use of pause-resume will not split the call into multiple segments but will retain the call as a single file.

Encryption for additional layer of protection. In addition to the pause-resume capability, WFO provides sophisticated encryption capabilities. Recordings can be encrypted end-to-end, from the time of capture from the switch to storage and to archival. This ensures that, even if sensitive data like the CVV was inadvertently captured and/or the recordings were inappropriately accessed, they would not be able to be played back in standard audio formats (MP3, WAV) and without the right keys.

Best practices in managing recordings. Contact centers should enforce a policy that prohibits recordings from being played back over a speaker phone to prevent accidental overhearing of sensitive of information. Organizations should also establish and periodically revisit their archival and purge policies on how long to store interaction recordings that may have PCI sensitive information. If call recordings are being tagged with credit cardholder information or metadata, it is recommended that they be tagged with only the last few digits, or in some other manner as guided by a qualified PCI auditor.

AGENTS ARE THE MOST TRANSIENT AND HAVE THE MOST ACCESS

In the enterprise, contact center agents themselves present the biggest potential risk because they are the most transient employees with the most access to sensitive customer data. Fraud is usually perpetrated from the inside, often by a rogue employee who is stealing sensitive information.

In addition to the traditional quality control checks already in place at most organizations in compliance with PCI DSS, other practices can be utilized to ensure the utmost protection of critical customer data.

FOR COMPANIES CURRENTLY RECORDING CALLS THAT WANT TO IMPROVE SECURITY, THE RECORDING CAPABILITY CALLED “PAUSE-RESUME” PREVENTS UNNECESSARY VULNERABILITY.

These include:

Prioritize agent supervision. To minimize risk, employees must pass a security check, and those accessing payment cards should be physically segmented from other employees without the same security clearance, so others can’t walk by and see information on a screen.

Speech analytics as protective measure. The adoption of speech analytics can also identify unauthorized employees asking for CVV information. Speech analytics can either automatically surface or be set up to “listen” for specific phrases spoken during interactions associated with credit and debit card transactions. If these phrases are being used by agents not authorized to process payments, it indicates a process breach that can then be immediately corrected.

More often than not, PCI compliance is achieved with traditional quality control checks already in place. PCI DSS requirements in this area include familiar policies such as:

• Developing usage policies for critical employee-facing technology to define proper use of these technologies for all employees and contractors.

• Ensuring that the information security policies and procedures clearly define the responsibilities of all employees and contractors.

• Assigning an individual or team specific security responsibilities.

• Implementing a formal security awareness program so that all employees are conscious of the importance of payment card security.

• Screening potential employees prior to hiring to minimize the risk of attacks from internal sources.

Other recommendations more specific to payment card security include:

• Making sure that all employees and contractors are properly trained and knowledgeable about security policies and procedures.

• Requiring agents and supervisors to use only company-supplied systems.

• Ensuring that agents and supervisors do not share user IDs and passwords.

• Segmenting contact center operations so a limited number of agents have access to payment card data

• Restricting access to payment card data based on the user’s log-in account and corporate role.

MITIGATING AGENT RISK BY CREATING A POSITIVE ENVIRONMENT

While priorities should be paid to limiting access for agents to comply with PCI, other recommendations include an increased focus on fundamental education of company security policies for all agents. Many companies are finding that employee training, e-learning and coaching not only improves the agent’s understanding of security issues, but also makes them happier employees, less likely to commit fraud and more interested in their jobs and careers within the organization.

This is an area where workforce optimization software and services can play a supporting role. Contact centers are subject to high levels of agent stress, burnout and churn. However, satisfied and productive employees are more vested in their positions and less likely to commit fraud. Implementing processes that improve measurement, performance and engagement of employees is a big part of workforce optimization in the following ways:

• Provide employees with visibility into their own performance to create a better understanding of how their behaviors impact the bottom line. This can be done through updated scorecards that show individual metrics against goals to help employees understand how their contributions fit into the bigger picture.

• Encouraging appropriate work/life balance and accommodating flexibility requirements in choosing schedules and trading shifts goes a long way toward the creation of employee contentment, especially if the process is eased by mobile access.

• Provide employees with ownership of their own coaching by enabling them to fully participate in their quality evaluation process. When done in the context of their individual journeys within the company, employees will feel more connected to the results of their regular quality evaluations by providing their own feedback and commentary on the process.

These efforts can help contribute to overall enterprise productivity and better business outcomes that move beyond simple PCI compliance and the protection of your organization from fraudsters. And while PCI compliance can seem initially overwhelming, many are already implementing best practices through their regular security standards and enterprise productivity strategies. By leveraging workforce optimization, contact center managers can be even more thoroughly protected and highly effective.

– Reprinted with permission from Contact Center Pipeline, http://www.contactcenterpipeline.com