Call center PCI compliance is essential to avoiding disputes, claims and legal action
Written by Scorebuddy
31 October 2019
Contact center regulatory compliance affects every aspect of your business. Thousands of customer interactions take place in the contact center every day, and many of them involve sensitive information that, if mishandled, can lead to disputes, claims or legal action. Unfortunately, the systems most contact centers rely on were not designed to enforce compliance processes or to protect your business.
According to a recent survey by NICE, 99 percent of all organizations admit that they could improve their compliance tools and software, and nearly 96 percent admit that their IT team faces challenges when it comes to contact center compliance.
Regulatory compliance concerns everyone, and customer privacy and data safety are crucial to your organization’s success. Compliance breaches also open organizations to financial and reputational risk in the form of fines and the cost of breach notifications. This article will look at the importance of call center regulatory compliance, what it means, and how you can ensure that your contact center makes compliance a high priority.
Why is Call Center Compliance Important?
Contact center data security is fraught with opportunities for agent fraud and data breaches. According to a study conducted by Semafone, 72 percent of agents required customers to read credit/debit card information or social security numbers aloud instead of using a secure voice transaction. On top of that, 30 percent of agents reported having access to payment card and SSN information even when not on the phone with a customer. Agents regularly handle personal records and account information for which identification and validation are critical and often covered by consumer and data protection regulations.
When it comes to taking calculated business risks, call compliance is never one to gamble with: card brands can impose non-compliance fines of up to $100,000 a month. For example, the telemarketing service Infocision, which has represented the American Heart Association and the March of Dimes, was fined $250,000 by the Federal Trade Commission (FTC) for non-compliance.
Non-compliance can also damage your company’s relationship with its acquiring bank. The greatest risk, however, is that a non-compliant environment is far more vulnerable to data breaches and financial attacks. According to the Ponemon Institute, the average data breach costs $4 million. And over ten years of breach investigations, Verizon found that none of the breached companies was fully compliant with the PCI DSS (Payment Card Industry Data Security Standard) at the time of the breach, meaning they were not following all of the security controls required for handling card data.
Many call centers strive to be PCI DSS compliant. PCI DSS is a set of stringent security requirements, maintained by the PCI Security Standards Council on behalf of the major card brands, designed to protect against payment card fraud. Compliance is mandatory for any business that stores, processes or transmits cardholder data. You must adhere to all PCI DSS requirements, including but not limited to building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and implementing strong access control measures.
Consumer data protection rules similar to those applied in Europe under the GDPR are increasingly being adopted worldwide, with the potential for very large fines in the event of a breach.
In 2017 hackers stole credit data from Equifax belonging to 147 million Americans as well as British and Canadian nationals. Equifax agreed to pay up to $700 million to settle with the FTC, the CFPB and U.S. states, the largest data-breach settlement the FTC has obtained, following the $148 million Uber paid to settle with state attorneys general after its own breach. U.K. authorities issued their maximum penalty under the pre-GDPR Data Protection Act of £500,000 (about $624,000). Under the GDPR, which had not come into effect at the time of the Equifax breach, the credit rating agency would have been liable for fines of up to 4% of its global annual turnover.
Call Center Compliance: PCI and Beyond
As organizations have embraced digital transformation, new cybersecurity issues have emerged, particularly around accepting payments online. Companies must protect their customers’ data regardless of transaction size, volume, or the type of card accepted. To that end, in 2006 the major card brands established the Payment Card Industry Security Standards Council (PCI SSC) to define and maintain payment security standards for the industry.
But PCI is just the beginning of the numerous compliance and regulatory mandates that contact centers must follow. You also must consider:
- Call Monitoring Consent: Federal and state laws require customers to be told that a call is being recorded, and some states require the consent of all parties on the call.
- Fair Debt Collection Practice Act (FDCPA): Passed in 1977, this act prohibits the use of threatening or abusive language to collect personal consumer debt.
- Do Not Call Registry: Consumers must be allowed to opt-out of telemarketing calls.
- General Data Protection Regulation (GDPR): Businesses with customers in the EU (even if the business is not located in Europe) must comply with all regulations in regards to data ownership and sensitive information.
- Truth in Lending Act: Contact centers must disclose information about terms, late fees, and interest rates to customers.
- Dodd-Frank Act: Firms it covers (for example futures commission merchants and swap dealers) must record relevant phone conversations and retain them, date- and time-stamped, in a searchable format.
- Sarbanes-Oxley Act: Businesses must implement a system that ensures recorded calls cannot be altered or deleted before the mandated retention period ends.
- HIPAA: Contact centers in the health sector must follow strict steps to protect personal health information and ensure it’s not shared with other parties.
- Equal Credit Opportunity Act (ECOA): Prohibits businesses from using age, race, color, gender, religion, etc. as qualifications for loans or credit.
- Gramm-Leach-Bliley Act: Requires contact centers to maintain written documentation of their security protocols and divulge their information sharing practices with customers, allowing them to opt-out.
What Tools Can Managers Use to Ensure Call Center Regulatory Compliance?
As regulatory compliance requirements become more and more complex, contact centers are struggling to rise to the challenge. While almost 72 percent of organizations already keep records to make sure their contact center interactions are discoverable for audit purposes, few contact centers have the necessary sophisticated software solutions in place to ensure complete call compliance.
So, what tools can managers use to ensure call center PCI compliance and beyond?
Call Recording Software
Every conversation within your contact center is critical and must be treated as such. Where rules such as the Dodd-Frank Act apply, every in-scope call must be recorded and retained.
However, PCI DSS prohibits storing sensitive authentication data (the CVV2/security code, full magnetic-stripe data and PINs) after authorization, even if it is encrypted, and any recording that captures the full card number (PAN) becomes stored cardholder data that you must protect and that pulls the recording platform into PCI scope. The practical answer is not to capture that part of the call at all: use call recording software that automatically pauses voice recording when the agent reaches the point where card details must be taken.
Look for an API that can stop voice recording only during the card payment portion of the call and resume immediately once that portion is complete. Verify that the pause actually works end to end, for example by scanning retained recordings and transcripts for card numbers, since a pause that triggers a few seconds late still captures a customer who has already begun reading out the number. In this way you can meet your compliance obligations without bringing recordings into PCI scope.
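As an added illustration (the editor's example, not Scorebuddy's product or any recording vendor's API), the following Python models the pause-and-resume behaviour on a call transcript and then runs the control check described above: a Luhn-validated scan for card numbers over what was retained. The `PausableRecorder` class, the `in_payment` flag assumed to come from the agent desktop, and the sample call are all constructed for the example; the card number is the standard 4111 1111 1111 1111 test PAN.

```python
import re
from typing import List, Tuple

# Editor's example, not Scorebuddy code or a real recording vendor's API.
# Models a recorder that discards whatever is captured while the agent is in
# the payment step, then scans the retained transcript for card numbers
# (PANs) as an after-the-fact control check.


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. The Luhn filter below removes most false positives.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class PausableRecorder:
    """Keeps transcript segments except those captured while paused."""

    def __init__(self) -> None:
        self.paused = False
        self.kept: List[str] = []
        self.dropped = 0

    def pause_for_payment(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False

    def capture(self, segment: str) -> None:
        if self.paused:
            self.dropped += 1      # audio never reaches storage
        else:
            self.kept.append(segment)

    def transcript(self) -> str:
        return " ".join(self.kept)


def run_call(segments: List[Tuple[str, bool]]) -> PausableRecorder:
    """Replay (text, in_payment) segments. The in_payment flag is an assumed
    signal from the agent desktop (e.g. the payment screen is open)."""
    rec = PausableRecorder()
    for text, in_payment in segments:
        if in_payment and not rec.paused:
            rec.pause_for_payment()
        elif not in_payment and rec.paused:
            rec.resume()
        rec.capture(text)
    return rec


# Constructed sample call; 4111 1111 1111 1111 is the standard Visa test PAN.
SAMPLE_CALL: List[Tuple[str, bool]] = [
    ("Thanks for calling, can I take your account number please?", False),
    ("Sure, it is 10-2244.", False),
    ("I'll take payment now, please read out the long card number.", True),
    ("It's 4111 1111 1111 1111, expiry 12/26, security code 123.", True),
    ("Thank you, the payment went through.", False),
]


def retained_pans(segments: List[Tuple[str, bool]]) -> List[str]:
    """The control check: card numbers that survived into retained storage."""
    return find_pans(run_call(segments).transcript())


if __name__ == "__main__":
    raw = " ".join(text for text, _ in SAMPLE_CALL)
    print("PANs spoken on the call:    ", find_pans(raw))
    print("PANs in retained transcript:", retained_pans(SAMPLE_CALL))
```

`find_pans` insists on a Luhn pass so that account numbers, dates and phone numbers in the same transcript do not trigger it; the same scan can be run over speech-to-text output of retained recordings, and a non-empty result means the pause fired late or not at all and the recording must be treated as stored cardholder data.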
Regulations vary by geography and industry. Typical areas for potential breach in the course of interacting with a customer are:
- Not identifying the account holder correctly
- Sharing personal information with a 3rd party
- Not providing accurate pricing or financial information (loans or insurance products)
- Not informing customers of their rights
When compliance rules are not followed, you need to be alerted to the breach straight away. QA scorecards such as those offered by Scorebuddy do this automatically by tracking your compliance performance and highlighting failures as they happen. Line managers are alerted at once, so any risk can be dealt with immediately.
QA scorecards also provide an audit trail for regulators and demonstrate that the organization has processes in place.
- Breach Alerts: You’ll get an email as soon as a compliance question is missed, with the full details of the breach.
- Pass/Fail Rates: A dashboard that provides a compliance pass/fail rate, making reporting easier.
- Compliance Failure Details: When you fail on compliance, you want to know why. Scorebuddy offers supervisors’ comments as well as the ability to immediately listen to the customer interaction so you can take remedial action.
- Compliance Audit Trail: Scorebuddy keeps a record of compliance performance over time and the nature of the breaches identified.
- Compliance Activity Log: Keep a full log of your call compliance monitoring and performance.
Most CRM platforms are designed with compliance in mind and can be configured to your contact center’s privacy and information-handling needs. Set up correctly, a well-designed CRM helps your contact center avoid problems during audits and inspections because it is engineered for better data protection. Many are built to exceed industry standards for compliance, but they protect you only once their access controls, masking of card and SSN fields, and audit logging have been configured for your environment.
Internal IT policies and procedures must take account of the unique nature of the call center environment. With more employees bringing personal devices to work, the opportunity for a breach increases dramatically. Employees need to understand clearly what your policies are and that removing client data in any form is a serious breach. All customer interactions should be encrypted, in transit and at rest; this is the foundation of your call center protection efforts. Whether the customer transmits data to you over the phone, across the Internet, or through another network, encryption reduces your exposure and your liability. Simple restrictions such as blocking USB storage devices on agent workstations will improve your risk profile.
Call Center Compliance Checklist
To help you meet the new demands of PCI compliance as well as other call center regulatory compliance standards, below is a quick call center compliance checklist.
- Create and Maintain a Secure Network: Sensitive information must be secured behind robust firewalls and strict safety protocols.
- Cardholder Data Protection: The PAN must be rendered unreadable wherever it is stored (by truncation, tokenization, hashing or strong encryption), sensitive authentication data must not be retained after authorization, and writing card details down on paper is not allowed.
- Vulnerability Management Program: All systems and applications must be kept patched and protected by anti-malware software.
- Access Control Measures: Access to cardholder data should be restricted to those whose job requires it, and every agent must be assigned a unique ID for computer access.
- Monitor and Test Networks: Access to network resources and data must be regularly monitored and tested for security.
- Information Security Policy: This policy must address information safety for all employees and contractors.
- Agent Communication: Call center agents must speak calmly and never use threatening or abusive language with a customer.
- GDPR Compliance: If you have customers in the EU, you must have a lawful basis for recording and storing customer interactions, tell customers that a call is being recorded (and obtain consent where consent is the basis you rely on), and be able to supply a customer’s personal data on request, normally free of charge.
- Patient Health Information: If your contact center has access to patient health information, you must protect all of it, including but not limited to social security numbers, IP addresses, photographic images, geographic identifiers, account numbers and similar identifiers.
Get Compliant Today
If you have any concerns about your call center’s compliance, contact Scorebuddy today. We’d be happy to talk with you about any issues you may be facing and talk to you about how call monitoring and agent scoring can help. In just a few steps, we can help you protect your valuable data, address any privacy concerns, and help you spot compliance errors as they happen. Learn more.