PCI Compliance in the Contact Center Means Making Changes to Call Recording
Once upon a time, contact centers weren’t places of laws or regulations. In general, the worst they had to fear was offering bad customer service. With the advent of telemarketing legislation in the 1990s, companies had to start worrying about who they were calling and when. Later came do-not-call registries and, for contact centers working in the healthcare field, HIPAA rules for patient privacy. Mandatory call recording for financial services and healthcare was added later still.
Today, what rattles nerves most in contact centers is the potential for a breach of customer financial information. We have seen a spate of such breaches lately, culminating in the mind-boggling one that has affected Target Corp. and millions of its customers. The disaster isn’t simply about having to spend money on credit monitoring for existing customers; it’s about public relations. Target’s reputation has taken a dent it may take years to recover from, and the breach hasn’t done good things to the company’s bottom line.
For this reason, most contact centers are laboring to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS). Among other things, the standard requires that stored card numbers be rendered unreadable (by encryption, truncation or tokenization, for example), that access to stored cardholder data be restricted and logged, and that sensitive authentication data such as the card security code (the three- or four-digit code printed on the card) never be retained after authorization, even in encrypted form.
Part of PCI compliance means ensuring that sensitive financial data does not fall into the wrong hands. Companies take many steps to keep this information secure, but it’s easy to forget about their call recordings. Most companies today record at least some calls, but PCI compliance means that those companies cannot store credit card information in recorded call archives, according to a recent blog post by Monet Software CEO Chuck Ciarlo. Put another way, a recording in which a customer reads out a card number is itself stored cardholder data, and it brings the recording platform and its archive into PCI DSS scope. As a result, every call recording solution needs a feature that assists with compliance.
“This can be as basic as a Pause and Resume option, or a Mute button,” writes Ciarlo. “When cardholder data is transmitted and/or stored, it should be done only after this data has been encrypted. Any potential flaws in the system should be reviewed through a vulnerability management program.”
It’s not necessary to store the credit card information in the call recordings, after all. Recordings are kept for training and evaluation, for documenting best practices by call type, or simply as legal insurance (to prevent “he said, she said” disputes), and none of those uses needs the card details, so a pause-and-resume or mute option is a rather simple solution to the problem. Two caveats apply. A manual pause depends on the agent remembering to press it on every payment call, so the archive should be spot-checked for card data that slipped through. And pausing the audio does nothing for the agent’s screen, or for any screen recording or chat transcript captured alongside the call; those need the same treatment. When shopping for call recording solutions, companies should specifically ask vendors what approach their products take to ensuring call recordings remain PCI compliant, and whether the pause can be tied to the payment step itself rather than left to the agent.
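As an added illustration, not code from the original article or from Monet Software, the Python sketch below shows a hypothetical recorder whose Pause and Resume controls keep the payment turn out of the archive, alongside the spot-check a compliance reviewer would run afterwards: a scan of what was archived for Luhn-valid card-number-length digit runs. The recorder class, the call script and the card number (the well-known 4111 1111 1111 1111 test number) are all constructed for the example. In a real deployment the scan would run over transcripts produced by speech-to-text and over any call notes or metadata, since it cannot inspect raw audio.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CallRecorder:
    """Hypothetical recorder (not a real product). While paused, nothing
    the caller says reaches the archive; a marker records the gap instead."""
    paused: bool = False
    archive: list[tuple[str, str]] = field(default_factory=list)

    def pause(self) -> None:
        # Agent presses Pause just before asking for card details.
        self.paused = True

    def resume(self) -> None:
        # Agent presses Resume once the payment step is finished.
        self.paused = False

    def capture(self, speaker: str, text: str) -> None:
        if self.paused:
            self.archive.append((speaker, "[recording paused for payment capture]"))
        else:
            self.archive.append((speaker, text))


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number-length digit runs found in text.
    The Luhn filter keeps order references and similar numbers out."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_archive(archive: list[tuple[str, str]]) -> list[str]:
    """Compliance spot-check: every card number that survived into the archive."""
    return [pan for _, text in archive for pan in find_pans(text)]


# Constructed call script. The third field marks the payment-capture turn.
# 1234 5678 9012 3456 is a 16-digit order reference that fails the Luhn check.
CALL_SCRIPT = [
    ("agent", "Thanks for calling, how can I help?", False),
    ("caller", "I'd like to pay order reference 1234 5678 9012 3456.", False),
    ("agent", "Sure, please read out your card number and security code.", False),
    ("caller", "It's 4111 1111 1111 1111, expires 12/29, code is 123.", True),
    ("agent", "Payment accepted, your confirmation number is 88213.", False),
]


def run_call(agent_uses_pause: bool) -> CallRecorder:
    """Replay the script, with or without the agent pressing Pause."""
    rec = CallRecorder()
    for speaker, text, is_payment in CALL_SCRIPT:
        if is_payment and agent_uses_pause:
            rec.pause()
        rec.capture(speaker, text)
        if is_payment and agent_uses_pause:
            rec.resume()
    return rec


if __name__ == "__main__":
    for uses_pause in (True, False):
        leaked = audit_archive(run_call(uses_pause).archive)
        print(f"pause used: {uses_pause} -> card numbers in archive: {leaked}")
```

Running the script shows an empty result when the agent uses Pause and the test card number when the agent forgets; the order reference and the confirmation number are never flagged. The same `audit_archive` scan, pointed at an export of transcripts from the recording platform, is the cheapest way to verify that a vendor's pause feature does what it claims.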
Edited by Stefania Viscusi