Often left up to security or compliance professionals, payment card industry (PCI) compliance is a serious issue for call centers as well -- and one that call
“It’s a big pain for them. Everybody understands it, but it’s difficult,” said Lori Bocklund, president of Strategic Contact Inc., a contact center consultancy in Beaverton, Ore. “To me there’s two sides. The data side, that’s typically the IT people -- how do we store the data? Then there’s the voice recording part that’s unique to the contact center. That’s one where people looked the other way for a long time.”
The rules for PCI compliance in the call center can vary according to the size of the company. The PCI Security Standards Council offers an overview of the standards for call center compliance as well as some self assessment questionnaires.
According to Dennis Thrift, product champion for compliance and risk at Akibia, an IT consultancy based in Westborough, Mass., that helps organizations with PCI compliance, there are a few things call centers should keep in mind.
“What we find a lot of times is whether there are shared accounts or everyone has an individual account, with that many users accessing all the records, sometimes organizations will try to make it easy and have shared accounts and people can come in and access them,” Thrift said. “That’s a problem with some of the audit trails and who had access to records.”
Then there’s the notes.
“Another issue is people are on the phone constantly; they’re talking to people and they have a tendency to have a scratch pad or notebook and take handwritten notes,” Thrift said. “Oftentimes they’re writing down personally identifiable identification.”
Akibia conducts “PCI gap assessments” for companies, determining, for example, whether a company has a policy on taking notes on personal information and whether they’re following it, and offering recommendations. The firm might recommend, for example, that a company segment the customer service systems from the rest of the network.
“There are always areas that people can get better at,” Thrift said. “Some are better than others. In general, when you have a large user base that has access to the data you’ll find more opportunities for remediation. In larger call center environments there are more opportunities for a hole here or there.”
One common hole is voice recordings. Call centers that record customer service interactions for quality assurance are often capturing PCI data. They need to store and destroy those recordings properly.
However, few call centers are revamping their PCI compliance for the sake of compliance alone, according to Bocklund.
“The chance of an audit is pretty slim, so I think that they’re driven to get to compliance but it’s just a question of how fast,” she said. “If they’re doing a [call center] system replacement, that’s for lots of reasons. It might take years to put in a new system. On the voice side, it’s a matter of when they get the budget to do updates.”
And budget is never easy to come by in the call center. Though PCI compliance can, in some cases, increase the speed of call center technology investment.
“We see situations where they’re replacing whole systems and PCI is a part of the requirements,” Bocklund said. “If they’re sticking with the systems they have, it’s a question of how do they make changes, but there’s definitely awareness if they’re pursuing new systems. Then it becomes a burden on the vendors to be good at it and address the questions people have.”
One step call centers need to take, Thrift advises, is to make sure they’re up to speed on the requirements, particularly with the changes in regulation with PCI 2.0 and when outsourcing functions.
“If they’re not doing enough transactions to be a level 1 merchant and are 2 or 3, people get a false sense of security,” Thrift warned. “They are just as responsible for PCI as level 1s. Many times they outsource a lot of the transactions. So the system storing or transmitting the data is in an outsourced data center and think they have no responsibility anymore. They’re ultimately responsible. “