Many companies are confused today about how they should be handling customer data. It’s no wonder they’re concerned: the number of data breaches is on the rise, and scary high-profile hacks are becoming the norm in the news. This erodes customer confidence and can even change buying habits. While most companies know there’s something they need to be doing right now, many aren’t sure what. Even standards such as PCI compliance can be confusing.
The Payment Card Industry Data Security Standard is an information security standard maintained by the Payment Card Industry Security Standards Council, but there is a difference between certification and compliance, wrote VoltDelta’s Lauren Maschio in a recent blog post.
“A service provider certification means that a vendor captures credit card information, but does not have a direct interface with a credit card brand for processing,” wrote Maschio. “Achieving compliance, something that some contact center solutions have done, means that a vendor has achieved a complex set of security requirements. It’s an important distinction to make.” According to VoltDelta, any company processing over a certain threshold of transactions is required to achieve certification with the help of a Qualified Security Assessor, or QSA.
In a second blog post on the topic, Maschio notes that it’s important even for companies that choose certified contact center solutions to understand what it is they are buying. She recommends companies dig a little deeper into a solution’s security processes to evaluate whether the cloud-based contact center vendor goes above and beyond self-assessed compliance when it comes to protecting customer data.
“For example, some cloud contact centers may limit the scope of their self-assessment to segments of their platform handling sensitive data,” wrote Maschio. “This is a common pitfall noted by auditors, who emphasize that a holistic perspective of security must be applied relative to PCI standards. VoltDelta has applied these rigorous PCI standards to the entire platform with audited verification.”
She notes that companies should ask vendors how they track assets. This will help buyers understand whether a solution will allow them to track all platform software versions, servers, transport and operating systems, so they can more easily and quickly identify risk and mobilize against threats.
For companies that work in healthcare, PCI certification also applies to HIPAA (Health Insurance Portability and Accountability Act) rules that govern patient data privacy. Some contact center solutions that are PCI certified will address these HIPAA rules, while others won’t. If HIPAA applies to your contact center, it’s critical to ask solution vendors whether their product addresses patient privacy. Maschio notes that although HIPAA certification does not exist, contact centers that handle patient data must focus on data encryption, call recording, and many other issues that parallel PCI requirements.
Edited by Maurice Nagle