Gambling with Customer Transaction Information Can Be Risky Business

Ken Landoline

Summary Bullets:

  • The use of credit cards to complete sales transactions in a contact center has become commonplace, but assuming all contact centers have taken appropriate actions to mitigate the risks associated with these transactions is a mistake.
  • Since standards are not yet fully developed, customer service managers should implement agent-assisted solutions that enable agents to obtain personally identifiable information, such as credit card numbers and codes, without ever actually seeing or hearing it themselves.

Contact center compliance with the Payment Card Industry Data Security Standard (PCI-DSS), often referred to as PCI compliance, brings key security benefits to customer service operations, and non-compliance can often have severe, long-lasting consequences. PCI is the global data security standard that businesses and their customer interaction centers are required to follow in order to accept credit/debit card payments and to store and process related information at their site and/or transmit cardholder data between locations. The obvious and immediate benefits of PCI compliance are likely to be increased customer security and trust, decreased customer churn and an improved status with credit card payment partners such as American Express, MasterCard and VISA, which will often require PCI compliance of their business partners. Longer-term indirect benefits can include the fact that your center will likely be better prepared to accommodate other security regulations as they are rolled out, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), if applicable to your business situation. The bottom line is that if you operate a contact center that handles customer personal and financial information, PCI compliance is becoming more important, if not mandatory.

The irony is that while the PCI DSS standards are very clear about the requirements for the back-end storage, access and transmission of personally identifiable customer information, the standards council has not specified much detail regarding the collection of customer information on the front end of the customer interaction process, whether the information comes through websites, interactive voice response (IVR) systems or live contact center agents.

However, this does not release the contact center operator from culpability or customer reprisal should information be compromised.  Often, call center customers are asked to give their credit card numbers, card security codes and expiration dates to call center agents; yet often there are few, if any, controls in place to deter an agent from ‘skimming’ this information for personal gain.  In addition, many retail and financial call centers deploy some kind of call recording software, which is capturing and storing this sensitive consumer account data.  These recordings, which are often not encrypted, can be accessible later by a variety of call center personnel.  Remote agents pose an additional level of threat and will require the company to ensure there is a secure channel from the remote agent to the centralized enterprise contact center ACD and software.

I would suggest that when an agent needs to collect credit card information during a call, at minimum, the call should be transferred from the agent to an automated IVR system to protect the sensitive information from human capture. However, this may create an awkward customer interaction. A better method might be the use of agent-assisted solutions which allow the agent to ‘collect’ the credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the customer relationship management software using telephone DTMF tones that are manipulated so that they cannot be recorded and reused by the agent. Either method will ensure a greater level of customer satisfaction, as callers understand security measures are in place for their protection. PCI-compliant solutions can be deployed easily within company premises, or through a cloud service, based on your company preference. The benefits of increasing the security around the collection of personally identifiable information go beyond customer goodwill and the prevention of credit card fraud, to include protecting the enterprise from legal action or mitigating the penalties should fraud or theft occur.

One thought on “Gambling with Customer Transaction Information Can Be Risky Business”

  1. One of the important aspects of customer service is to ensure that customer personal details, including credit card, contact details etc., are handled efficiently. That’s why call centre companies are registered with consumer and privacy acts, which they extensively go through with agents in their trainings. Moreover, call centre software is now handling the details in encrypted form, so during the transaction time the credit card and other details are encrypted, and once the order is processed the details are automatically removed from the software. We also provide call centre software that easily integrates with Microsoft Lync, Avaya, Cisco platforms etc. We are a certified partner of Microsoft Lync Solutions running offices in NZ, AU, UK and USA; more details about various call centre technologies at
