Contact centres face an “alphabet soup” of necessary rules and standards
By Tim Critchley
Complying with today’s data security and privacy regulations may not be at the very top of the “to-do” list for sales, marketing and customer service professionals. But for those who manage contact centres the times are unfortunately changing.
First and foremost, the sheer number of data breaches is rising, as is the severity of their impacts. A recently reported survey from Kaspersky Labs [1] shows that a single breach costs an average of $1.23 million for an enterprise and $120,000 for small and medium-sized businesses.
Because contact centres handle, process and store sensitive data—payment card and social insurance numbers, addresses, birth dates and other types of personally identifiable information (PII)—they are major targets for cybercriminals and fraudsters.
New security, privacy rules
To address the onslaught of cyberattacks, governments and regulatory bodies around the world are upping the ante by ushering in new and amended compliance legislation.
In May 2018 the European Union (EU) launched the much-anticipated General Data Protection Regulation (GDPR), which aims to standardize how EU citizens’ personal data is protected, no matter where it resides. The GDPR also covers the three European Economic Area (EEA) countries that have signed on: Iceland, Liechtenstein and Norway. That means even North American companies must comply with the GDPR if they conduct business with, or handle data pertaining to, citizens of the EU and the affected EEA countries.
In Canada, beginning November 1, 2018, the Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations to notify affected individuals of data breaches and report them to the Privacy Commissioner.
Although the United States does not have all-encompassing data security and privacy regulations, there is no shortage of individual state laws and government mandates for specific industries and the types of data they handle.
For example, New York became the first state to enact its own cybersecurity law last year, the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation. While we will likely see more states follow in New York’s footsteps, all states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have some form of legislation that requires private or government entities to notify individuals of security breaches of information involving PII.
In addition, contact centres that process payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Although it is not a law, the PCI DSS provides a very robust set of requirements for securing cardholder data and protecting consumers against the misuse of their personal information. Penalties for non-compliance can range from $5,000 to $500,000 per month, levied on the acquiring bank, which often passes them on to the merchant.
Call recording challenges
Complicating compliance with this alphabet soup of regulations is the fact that many contact centres record phone calls. The PCI DSS prohibits the recording and storing of Sensitive Authentication Data (SAD) for credit and debit cards. This leads contact centres to adopt “pause and resume” or “stop/start” solutions that allow agents to pause recordings while PII, such as credit card numbers, is read aloud, and then resume the recordings after the information is captured.
But this is an unreliable system that is prone to failure due to human error. What if an agent forgets to resume the recording, leaving out much of the information required to resolve transaction disputes or help with quality assurance? Or, more importantly, what if an agent forgets to pause the recording, inadvertently capturing PII on a recording that could be breached?
Indeed, storing PII on call recordings is a massive risk. Just last year a data breach of a telemarketing firm exposed 400,000 recorded telephone conversations, more than 17,000 of which contained sensitive information provided by customers, including their credit card numbers [2].
Keeping up with compliance
This is only a snapshot of the regulatory landscape, but it is easy to see why it is nearly impossible for every contact centre executive or employee to understand every law or standard. However, it is important for everyone within an organization to recognize that compliance is ever-evolving: it is not a “one-and-done” checklist exercise. Instead, compliance must be a living, breathing part of your daily business that is upheld by every employee.
Therefore, contact centres should treat all PII as “toxic.” Your agents may not think twice about collecting customers’ verbalized credit card numbers, for example, or the consequences of logging those numbers on call recordings that may be breached. Emphasize to all employees the detrimental effects of improperly handling or storing PII: it could cost your company its reputation and livelihood.
Of course, awareness and education can only go so far. That’s why you should take the initiative to remove as much sensitive data from your business’ IT infrastructure as possible.
Instead of struggling to determine which regulations apply and when, which controls you must have in place and how a violation might impact your company and your customers, invest in new technologies that keep data out of your vulnerable contact centre.
For example, dual-tone multi-frequency (DTMF) masking technologies are a popular option for contact centres that collect numerical PII, like credit card and bank account details, over the phone. Callers directly enter their details into the keypads—shielded from agents and call recording systems—which are then routed directly to the appropriate third parties. However, agents can remain on the lines with the callers to answer questions, handle wrap-up tasks and ensure smooth customer journeys. This technology helps keep contact centres out of scope for PCI DSS and many other regulations, making compliance far easier and much less costly.
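The two failure modes above, an agent who forgets to pause the recording and the contrast with keypad entry that never reaches the recorder, can be checked for after the fact. The following is an added example written for this article, not Semafone’s product code and not part of the original piece: it scans constructed call-transcript lines for card-number-length digit runs, keeps only those that pass the Luhn check (so order references and other long numbers are ignored), and shows how a detected number would be truncated to the first six and last four digits. The transcript, call ids and card numbers are all made up; the card number is a standard test-style value that belongs to no real account.

```python
import re

# Constructed sample transcript from a call-recording audit. Call ids, agent
# lines and the card number are invented; the PAN is a well-known test value.
SAMPLE_TRANSCRIPT = [
    "call-0001 agent: may I have the card number please",
    "call-0001 caller: yes it is 4111 1111 1111 1111",        # recording was never paused
    "call-0001 agent: thank you, and the expiry",
    "call-0002 agent: please enter your card number on your keypad now",
    "call-0002 [dtmf masked] ************",                    # digits never reached the recorder
    "call-0003 caller: my order reference is 1234567890123",   # 13 digits but fails Luhn
]

# 13 to 19 digits, each optionally followed by a space or hyphen separator.
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(lines):
    """Return (line_number, digits) for every Luhn-valid 13-19 digit run in the transcript."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in DIGIT_RUN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((n, digits))
    return hits


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six and last four digits, masking the rest with '*'."""
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(lines):
    """Return a copy of the transcript with every detected PAN replaced by its masked form."""
    out = []
    for line in lines:
        def _sub(m):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                # keep any trailing separator the regex swallowed
                trailing = m.group()[len(m.group().rstrip(" -")):]
                return mask_pan(digits) + trailing
            return m.group()
        out.append(DIGIT_RUN.sub(_sub, line))
    return out


if __name__ == "__main__":
    for line_no, pan in find_unmasked_pans(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: unmasked card number found, would store as {mask_pan(pan)}")
    for line in redact_transcript(SAMPLE_TRANSCRIPT):
        print(line)
```

Run against the sample, only line 2 is flagged: the order reference on line 6 is the right length but fails Luhn, and the DTMF-masked line contains no digits at all, which is exactly the point of keeping keypad entry away from the recorder. In practice the scan would run over speech-to-text output of stored recordings so that pause/resume failures are found before the recordings are retained or breached.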
Perhaps one day we will see a truly global mandate that will make compliance far simpler. But until then contact centres must do their part to protect their customers’ most sensitive data.
Tim Critchley is CEO, Semafone (www.semafone.com). Semafone has published a compliance guide Navigating the Challenging Regulatory Landscape in Your Contact Centre.
[1] Brandon Vigliarolo, “An average data breach will cost an enterprise $1.23M and an SMB $120K, here’s why”, TechRepublic, May 24, 2018.
[2] Dell Cameron, “Major leak exposes 400K recorded telemarketing calls, thousands of credit card numbers”, Daily Dot, January 26, 2017.