Gambling with Customer Transaction Information Can Be Risky Business
August 6, 2013
- The use of credit cards to complete sales transactions in a contact center has become commonplace, but assuming all contact centers have taken appropriate actions to mitigate the risks associated with these transactions is a mistake.
- Since standards are not yet fully developed, customer service managers should implement agent-assisted solutions that enable agents to obtain personally identifiable information, such as credit card numbers and codes, without ever actually seeing or hearing it themselves.
Contact center compliance with the Payment Card Industry Data Security Standard (PCI DSS), often referred to simply as PCI compliance, brings key security benefits to customer service operations, and non-compliance can have severe, long-lasting consequences. PCI DSS is the global data security standard that businesses and their customer interaction centers are required to follow in order to accept credit/debit card payments, to store and process related information at their site, and/or to transmit cardholder data between locations. The obvious and immediate benefits of PCI compliance are increased customer security and trust, decreased customer churn and an improved standing with card payment partners such as American Express, MasterCard and VISA, which often require PCI compliance of their business partners. Longer-term, indirect benefits include being better prepared for other security regulations as they are rolled out, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), where they apply to your business. The bottom line is that if you operate a contact center that handles customer personal and financial information, PCI compliance is becoming more important, if not mandatory.
The irony is that while the PCI DSS standards are very clear about the requirements for the back-end storage, access and transmission of personally identifiable customer information, the standards council has not specified much detail regarding the collection of customer information on the front end of the customer interaction process, whether the information comes through websites, interactive voice response (IVR) systems or live contact center agents.
However, this does not release the contact center operator from culpability or customer reprisal should information be compromised. Call center customers are routinely asked to give their credit card numbers, card security codes and expiration dates to live agents, yet there are often few, if any, controls in place to deter an agent from ‘skimming’ this information for personal gain. In addition, many retail and financial call centers deploy some form of call recording software, which captures and stores this sensitive account data; the recordings are frequently unencrypted and can later be accessed by a variety of call center personnel. Remote agents pose an additional level of threat and require the company to ensure there is a secure channel from the remote agent to the centralized enterprise automatic call distributor (ACD) and contact center software.
I would suggest that when an agent needs to collect credit card information during a call, at minimum the call should be transferred from the agent to an automated IVR system, so that the sensitive information is never exposed to human capture. However, this can make for an awkward customer interaction. A better method is an agent-assisted solution that allows the agent to ‘collect’ the credit card information without ever seeing or hearing it. The agent remains on the phone while the customer keys the card details directly into the customer relationship management software using telephone keypad (DTMF) tones that are masked so they cannot be recorded or reused by the agent. Either method improves customer satisfaction, as callers understand that security measures are in place for their protection. PCI-compliant solutions can be deployed on company premises or through a cloud service, according to your company's preference. The benefits of tightening security around the collection of personally identifiable information go beyond customer goodwill and the prevention of credit card fraud: they also protect the enterprise from legal action, or mitigate the penalties, should fraud or theft occur.
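As an added illustration, not code from the original post or from any vendor's product, this Python simulation shows the agent-assisted DTMF capture described above: every keypad press is replaced by a placeholder on the agent and call-recording channel, the collected digits are Luhn-checked, and only a last-four display reaches the agent's screen while the full number is reserved for the payment gateway. The event format, the sample call and all function names are constructed assumptions.

```python
"""Simulated DTMF masking for agent-assisted card capture (constructed example, not a product)."""

MASK_TONE = "<tone>"  # what the agent and the call recording get instead of the real keypress

# Constructed call stream: ("speech", text) from the caller, ("dtmf", key) from the keypad.
# 4111 1111 1111 1111 is a well-known synthetic test PAN, not a real account.
SAMPLE_CALL = (
    [("speech", "I'd like to pay by card now")]
    + [("dtmf", d) for d in "4111111111111111"]
    + [("dtmf", "#"), ("speech", "done")]
)

def luhn_ok(pan: str) -> bool:
    """Luhn check: reject mistyped card numbers before they go anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_dtmf(events):
    """Split one call into the agent/recording view and the secure capture buffer.
    While capture is active every keypad event becomes MASK_TONE on the agent side, so
    neither the agent nor the recorder ever holds a replayable digit. '#' ends capture."""
    agent_view, digits, capturing = [], [], True
    for kind, value in events:
        if kind == "dtmf" and capturing:
            agent_view.append(MASK_TONE)
            if value == "#":
                capturing = False
            elif value.isdigit():
                digits.append(value)
        else:
            agent_view.append(value)
    return agent_view, "".join(digits)

def process_call(events):
    """Return what each party may see; the full PAN is only for the payment gateway."""
    agent_view, pan = mask_dtmf(events)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        return {"agent_view": agent_view, "agent_display": None, "pan_for_gateway": None}
    masked = "*" * (len(pan) - 4) + pan[-4:]  # CRM screen shows the last four digits only
    return {"agent_view": agent_view, "agent_display": masked, "pan_for_gateway": pan}
```

In a real deployment the `pan_for_gateway` value would be handed straight to a tokenization or payment service and never written to the CRM or the recording store.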