Short Message Service (SMS)

Paying Attention to Customer Data Security

By Keith Dawson (News - Alert)
Principal Analyst, Frost & Sullivan

Today’s contact centers act as a funnel for massive amounts of data that flow from silo to silo. Some forms of data are kept long term and archived; others are needed only fleetingly and are soon discarded. The sheer quantity of it, though, is staggering, on the order of petabytes of information. And that creates a bit of a problem when it comes to managing and isolating the specific pieces of data that need to be secured and safeguarded because of customer privacy concerns.

Customers are much more sensitive to what happens with their personal information than they used to be. Breaches that can be traced to contact centers are rare, but companies need to battle the perception of insecurity as much as the reality. And attention to better data handling and security can be fashioned as a key competitive differentiator for a company that takes pains to let customers know that it is active in that area.

Data security is a well-managed area in corporations, with regimes and protocols that guide the handling of different categories of information, including customer data. Health care and financial services firms have long had mandates that spell out proper procedures for releasing personal information about customers. From the contact center point of view, emphasis has usually been on making important data unavailable for agents to misuse or take away from the center.

At the most rudimentary level, this has involved removing the means for agents to copy or download personally identifying information about customers – restricting disk drives and printers, for example. However, there are always ways to circumvent those restrictions (for example, you can take a picture of a computer screen with an iPhone (News - Alert)).

The best standard for data protection came out of the credit card processing industry. PCI, or Payment Card Industry Data Security Standard, was created to insure safe handling of customer account data. It goes well beyond the contact center to control how companies manage their network architectures and build consistent (and ongoing) security policies for data handling.

In the contact center industry, few companies actually use PCI (News - Alert) (or any rigorous and defined customer data security standard). The financial services industry is the largest and by some measures most important sector of contact center business. Because they rely intensely on PCI, vendors of contact center systems have been integrating PCI compliance into their call handling infrastructure. We’ve seen a move towards incorporating PCI into call recording, for example, preventing recorded calls from saving the customer PIN numbers or Social Security Numbers, depending on the application. Vendors are keen on implementing these features because they provide a route into that lucrative financial services market.

It also means that companies outside that sector can take advantage of a rigorous security protocol built for the demanding credit card business.

Another approach is built into an interesting application from a service provider called Interactions.net. Their model is to simulate an IVR by presenting callers with a natural language automated interface. They chop each call into tiny six-second chunks, and pass each chunk to a human to figure out what the caller’s intent is during that increment. It’s a specialized application, but one of the by-products of the model is that no human ever hears more than a tiny piece of the caller’s entire data set. In a given call, the customer may speak his name, his phone number, his account number, and his social security number – but they are all farmed out to different “agents” during the call, so no two pieces of data can be put together in a form that’s personally identifiable. That’s the definition of security.

It may be an extreme way of handling the data, and certainly isn’t what Interactions.net set out to build, but it may provide a model for how we handle identifiable information in the future. Some speculate that we may start seeing security applications that chop up the data saved by contact centers – the screens scraped, calls recorded, and so forth – into discrete segments that then camouflage certain pieces from unauthorized users. So an evaluator checking an agent’s performance wouldn’t need to see the part of her captured screen that included certain sensitive data, for example, unless it was part of the specific task that the evaluator needed to check.

In the long run, we’re likely to see more security solutions emerge from the financial services sector, as that industry controls more (and more varied) pieces of information about customers. Most contact centers will probably adopt customer security tools on an ad hoc basis, unless the pressure from their customer bases rises.

In the meantime, some gentle suggestions to those that are ambivalent about adopting some security protocols: document what you are doing; audit what you have available as far as technological resources; and see what measures are in place via the existing IT infrastructure that may be extended to the contact center. You may find that you can add a bit more security than you have with minimal extra cost. And once you do that, trumpet what you are doing to the customer base. That value added service may be worth a few customer satisfaction points.

CIS Magazine Table of Contents