Restructuring the Contact Center for PCI Compliance
November 10, 2008
Data security should be a top concern for contact centers handling credit card information (or any other personal information, such as a social security number). The theft or loss of consumer information over the past few years has cost organizations billions of dollars in fines and fixes. In one highly visible case, the loss of credit card information at The TJX Companies cost the company anywhere from $118 million to $1.35 billion, depending on whom you believe.
To stem the tide, the Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies. It is a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security threats. While most organizations focus on the data encryption and network security aspects of the PCI standard, they need to address all the requirements to be in compliance. One important component of the standard is Requirement 7: Restrict access to cardholder data by business need-to-know.
Contact centers that allow Customer Service Representatives (CSRs) to access customer credit card data are at risk. A single dishonest CSR has the potential to steal the confidential information of tens of thousands of callers in a single year. If the identity theft is done on a small scale, where the agent selectively takes information from the customers they come in contact with, the source may never be identified.
Luckily, today’s contact center technologies can be used to secure customer information and eliminate the agent breach point. The key is to authenticate callers before they reach the agent and use automated systems to collect credit card and other private data not already on file to resolve issues or complete transactions. Contact centers can utilize computer-telephony integration (CTI) and interactive voice response (IVR) to implement new call handling procedures that secure customer-agent interactions.
CTI is a technology innovative contact centers are already using to personalize service, reduce call time and ensure that the right agent receives the call, the first time. It unites voice and data systems to enable new applications such as agent screen pop, intelligent routing and click-to-dial capabilities. By capturing the phone number from which the customer is calling and checking the database, the customer can be identified and a screen pop of the caller’s record can be sent to the agent along with the call. To meet PCI DSS requirements, a “need to know” screen pop can be configured so that the agent has the ability to collect and view the information needed to assist the caller while blocking highly confidential information.
For added security, organizations can implement a multi-factor authentication process. There are three types of authentication factors: something a user knows such as an account number, social security number or PIN, something a user has such as a phone or a one-time password generated by a security token or something unique to a user such as a voice print. Adding an IVR front-end to collect an additional piece of information or voice print to the CTI solution will further mitigate risk and exposure to agent fraud.
The combined CTI/IVR solution can handle the authentication of callers and ensure that agents do not have access to customer credit card and personal data from the start. However, there are still times when an agent needs to collect this type of information from the caller to complete a transaction.
For example, a customer calls in to book a vacation. They work with the agent to determine the dates and location that best meets their needs. Once complete, the agent would normally ask the customer for a credit card number to hold the reservation. In these cases, adding a secure IVR application to validate credit card information eliminates this breach point. The agent’s desktop would need to be configured with a button to transfer the call directly to the reservation application. The IVR application can be configured to speak confirmation information or automate additional post call work. In this way, the contact center can reduce call time and handle more customers with existing staff.
Providing personal information over the phone can be disconcerting to customers. Consumers no longer know whom to trust, and recent high-profile security breach cases underscore the need for ever higher security measures to protect consumers from fraud. Companies that adopt this type of CTI-IVR solution can provide their customers with the security they crave and protect themselves from a potentially devastating problem. More importantly, those that do it properly will win the respect and loyalty of their customers for a lifetime.
Don’t forget to check out ContactCenterSolutions’s White Paper Library, which provides a selection of in-depth information on relevant topics affecting the IP Communications industry. The library offers white papers, case studies and other documents which are free to registered users.
J.R. Sloan is vice president of product management and marketing at Syntellect, a provider of enterprise-class contact center solutions in Phoenix, Arizona.
ContactCenterSolutions publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month? Get in touch.
Edited by Mae Kowalke