How can contact centres make sense of their data protection duties?

25 Jul 2018


Semafone CEO Tim Critchley discusses the tangled web of data compliance issues for call and contact centres.

Call and contact centres have their work cut out for them in terms of data protection. As the chief hub for customer engagement for many businesses, contact centres naturally collect, process and store personally identifiable information (PII) – credit card numbers, social security numbers, addresses, bank account details and much more.

The collecting and storing of such data makes them particularly appealing to fraudsters and hackers in a day and age when data breaches are occurring at an alarming rate.

Data protection in the contact centre

The first quarter of 2018 alone brought nearly 700 global data breaches, exposing 1.46bn records. Although these figures show a welcome reduction from the number of breaches reported in Q1 of 2017, the risk remains high for any entity holding PII.

It’s time for organisations across all industries to address the security of their contact centres, and compliance is a great place to start. But, in today’s ever-evolving regulatory landscape, compliance is easier said than done, given the laundry list of laws and standards that apply to these customer interaction hubs.

From PCI DSS to GDPR and beyond

Perhaps the most talked-about regime in the contact centre community is the Payment Card Industry Data Security Standard (PCI DSS), which sets security requirements for any organisation that stores, processes or transmits cardholder data (CHD). Although the PCI DSS is not a law, the card brands can levy penalties of between $5,000 and $50,000 per month on the acquiring bank for non-compliance, and these are frequently passed on to the merchant.

In addition to the PCI DSS, contact centres must deal with a patchwork of federal and state laws. The US has the Electronic Fund Transfer Act (EFTA), which protects consumers when they use electronic means to manage their finances; the Health Insurance Portability and Accountability Act (HIPAA), which protects healthcare data; the Electronic Communications Privacy Act (ECPA), which safeguards wire, oral and electronic communications; and a separate data breach notification law in every state – and that only scratches the surface.

Outside the US, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia's Notifiable Data Breaches scheme came into force in February 2018. Of course, we can't forget the newly introduced EU General Data Protection Regulation (GDPR), which reaches any organisation anywhere in the world that handles the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour.

So, if a contact centre in New York City has access to a CRM system with data pertaining to a resident of Dublin, it must abide by the GDPR. Moreover, an organisation found in violation of the GDPR may face fines of up to 4pc of its annual global turnover or €20m, whichever is greater.

Further, some regulations seem to contradict one another. For instance, the PCI DSS prohibits storing sensitive authentication data (SAD) – the card verification code, PIN or full magnetic-stripe data – after authorisation, and a call recording in which the caller reads out that data counts as storage. Yet the EFTA requires the recording and retention of telephone conversations in which consumers authorise electronic funds transfers.

To satisfy both, many contact centres that record calls fall back on 'pause and resume' (or 'stop and start') recording, which puts them at even greater risk. These systems let the customer service representative (CSR) pause the recording while the caller reads out sensitive data, and resume it once the data has been captured. Here's the risky part: the control depends on a human pressing a button at the right moment on every call. If the CSR forgets to pause, or pauses late, PII ends up on a recording platform that may later be breached. And because the CSR still hears and types the card number, the agent desktop, the telephony platform and the recording system all remain in scope for the PCI DSS.

In 2017, a telemarketing firm experienced a data breach that compromised 400,000 recorded telephone conversations. More than 17,000 of those conversations contained verbalised PII, including credit card numbers. You may be compliant on paper from a controls standpoint, but a flawed and outdated practice can quickly undo all your hard work.
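As an added illustration (not from the article or from Semafone): a toy recorder with the pause/resume control, the same payment taken once with the pause and once without, and a Luhn-validated sweep of the kind used to find card numbers that have leaked into recordings or transcripts. The recorder class, the dialogue and the well-known test card number are constructed for the example.

```python
"""Pause-and-resume call recording with its failure mode, plus a Luhn-validated
sweep for card numbers in transcripts. Constructed example: the recorder and the
dialogue are stand-ins, not taken from any product."""
import re


class CallRecorder:
    """Minimal stand-in for a recording platform with a pause/resume control."""

    def __init__(self):
        self.paused = False
        self._lines = []

    def pause(self):
        self.paused = True

    def resume(self):
        self.paused = False

    def hear(self, line):
        if not self.paused:            # only unpaused audio reaches storage
            self._lines.append(line)

    def recording(self):
        return "\n".join(self._lines)


def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")   # 13-19 digits, spaces/dashes allowed


def find_pans(text):
    """Return the Luhn-valid 13-19 digit runs found in a transcript."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def take_payment(recorder, agent_remembers_to_pause):
    """One card payment taken over the phone. Constructed dialogue using the
    standard '4111 1111 1111 1111' test number, not a real account."""
    recorder.hear("agent: may I take the long number on the front of the card?")
    if agent_remembers_to_pause:
        recorder.pause()               # the manual control the scheme relies on
    recorder.hear("caller: 4111 1111 1111 1111")
    recorder.hear("caller: expiry 12/26, security code 123")
    recorder.resume()
    recorder.hear("agent: thank you, the payment has gone through")
    return recorder.recording()


def sweep(agent_remembers_to_pause):
    """Card numbers a sweep of the stored recording would find."""
    return find_pans(take_payment(CallRecorder(), agent_remembers_to_pause))


if __name__ == "__main__":
    print("agent paused:  ", sweep(True))    # []
    print("agent forgot:  ", sweep(False))   # ['4111111111111111']
```

A sweep like this over transcribed recordings is a detective control only: it tells you after the fact that a PAN was stored, by which point the recording system has been holding cardholder data and is in scope. The Luhn test cuts down false positives from order and account numbers but does not prove that a hit is a live card.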

Descoping technologies to the rescue

Given this alphabet soup of regulatory acronyms, hefty penalties and seemingly contradictory requirements, it's easy to see why contact centres struggle to navigate compliance. There are certainly ways to secure these environments, but descoping techniques and technologies – which remove sensitive data from the contact centre altogether rather than trying to protect it there – hold promise for addressing the problem simply and effectively.

For instance, many contact centres are bringing in dual-tone multi-frequency (DTMF) masking solutions. The caller enters numerical PII, such as a card number, on their telephone keypad; the system detects the keypad (DTMF) tones and replaces them with flat tones before the audio reaches the CSR's headset or the call recorder. CSRs, other agents and anyone who later obtains a recording never hear or see the digits, which also solves the problem of accidentally capturing sensitive data on the recording system. The captured digits are routed directly to the appropriate third party (such as a payment processor), so the PII never touches the contact centre's own environment, provided the masking sits upstream of the contact centre's telephony and desktop systems.

In other words, the PII is removed from the business's IT infrastructure and offloaded to a compliant third party. That takes most of the contact centre out of scope for the PCI DSS and many other regulations, although the merchant must still attest to the reduced set of requirements that apply when a third party handles card data, and should confirm that the provider itself holds a current attestation of compliance.
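The mechanism described in the two paragraphs above, as an added example written for this page (not Semafone's code or any vendor's implementation): a Goertzel-based detector finds DTMF tones in the caller's audio frame by frame, copies the digits to a separate buffer destined for the payment processor, and replaces the tone frames in the audio that reaches the agent and the recorder with a flat 400 Hz tone. The sample rate, frame size, thresholds and the constructed call audio (a stand-in for speech, then keyed digits) are assumptions of the example.

```python
"""DTMF masking: detect keypad tones in the caller's audio, hand the digits to a
separate channel for the payment processor, and replace the tones in the audio
that reaches the agent and the recorder with a flat tone. Pure Python Goertzel
detector; the call audio below is constructed, not captured."""
import math

RATE = 8000                      # telephony sample rate, Hz
FRAME = 205                      # classic Goertzel DTMF block at 8 kHz (~25.6 ms)
LOW = (697, 770, 852, 941)       # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")
MIN_POWER = 100.0    # bin power that counts as a real tone (samples in [-1, 1])
GUARD_POWER = 10.0   # anything above this is masked, decodable or not
RATIO = 4.0          # the strongest bin must dominate the rest of its group
MASK_FREQ = 400      # the flat tone the agent and the recorder hear instead


def goertzel_power(frame, freq):
    """Power of `frame` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    k = int(0.5 + len(frame) * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify(frame):
    """Return (digit or None, peak bin power). A digit needs one dominant row
    bin and one dominant column bin, both above MIN_POWER."""
    lows = [goertzel_power(frame, f) for f in LOW]
    highs = [goertzel_power(frame, f) for f in HIGH]
    picks = []
    for group in (lows, highs):
        best = max(range(4), key=group.__getitem__)
        others = [p for i, p in enumerate(group) if i != best]
        if group[best] > MIN_POWER and group[best] > RATIO * max(others):
            picks.append(best)
    digit = KEYS[picks[0]][picks[1]] if len(picks) == 2 else None
    return digit, max(lows + highs)


def mask_dtmf(samples):
    """Return (masked_audio, captured_digits) for the caller's side of a call."""
    masked, digits, last = [], [], None
    for start in range(0, len(samples), FRAME):
        chunk = samples[start:start + FRAME]
        frame = chunk + [0.0] * (FRAME - len(chunk))   # zero-pad the tail
        digit, peak = classify(frame)
        if digit is not None and digit != last:
            digits.append(digit)       # out-of-band: to the processor only
        last = digit                   # a tone-free frame permits a repeated key
        if peak > GUARD_POWER:
            # Replace the whole frame with a flat tone so neither the agent's
            # headset nor the recorder ever carries keypad tones.
            masked.extend(0.3 * math.sin(2 * math.pi * MASK_FREQ * (start + i) / RATE)
                          for i in range(len(chunk)))
        else:
            masked.extend(chunk)
    return masked, "".join(digits)


# --- constructed caller audio (assumption of the example) --------------------
def tone(freqs, seconds, amp=0.5):
    n = int(seconds * RATE)
    return [sum(amp * math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]


def dtmf_pair(d):
    row = next(r for r, keys in enumerate(KEYS) if d in keys)
    return (LOW[row], HIGH[KEYS[row].index(d)])


def constructed_call(keyed):
    """A stand-in for speech, each key held 80 ms with 60 ms gaps, more speech."""
    speech = tone((300, 2200), 0.25, amp=0.2)
    audio = speech + [0.0] * int(0.1 * RATE)
    for d in keyed:
        audio += tone(dtmf_pair(d), 0.08) + [0.0] * int(0.06 * RATE)
    return audio + speech


if __name__ == "__main__":
    original = constructed_call("4111")
    masked, captured = mask_dtmf(original)
    print("captured for the processor:", captured)                      # 4111
    print("digits recoverable from masked audio:", repr(mask_dtmf(masked)[1]))  # ''
```

Two details matter in practice. Frames are masked on a low guard threshold, not only when a digit is confidently decoded, so a partial tone at a frame boundary is suppressed rather than leaked. And the check that matters for compliance is the second one in the usage: run the detector over the audio the agent and recorder actually receive and confirm that no digits can be recovered from it.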

Where do we go from here?

The bad news is that the compliance landscape will become even more complex before it becomes simpler. The good news is that there is a glimmer of hope: the GDPR. Although it is causing a few headaches now, the GDPR may actually set the tone for the first truly global data security and privacy law that will replace the current, confusing patchwork of regulations. We are still years away from an all-encompassing mandate, but the GDPR is a step in the right direction.

Until then, contact centres – and any business that handles PII – can lighten the burden of compliance with descoping solutions that remove as much sensitive data from their environments as possible. Doing so will also strengthen overall security to protect customers and deter potential reputation-damaging data breaches. As we say, no one can hack the data you don’t hold!

By Tim Critchley

Tim Critchley has been the CEO of Semafone since 2009 and has led the company from a UK start-up to an international business that spans five continents. Under his leadership, the company has secured global partnerships and won clients such as Axa, BT, Capita, Harley-Davidson, Next, Rogers Communications, Santander and Sky.