Is your contact centre security up to scratch? Could your organisation afford to pay the massive fines that are imposed if you breach any of the security regulations that you must comply with?
It could easily happen, as some contact centres have discovered.
- UK telco/ISP TalkTalk was fined £100,000 after the data of 21,000 customers was exposed to fraudsters working in an Indian contact centre that TalkTalk had engaged to provide technical customer support.
- US giant AT&T was fined $25 million over a customer data breach in its Mexico call centre, after employees confessed to accessing customer records and selling them to third parties.
Whilst these two examples relate to outsourced contact centre operations, there are also many cases of internal breaches and fraud.
Contact centres hold a wealth of personally identifiable information and are often a prime target for fraudsters.
Not protecting your contact centre appropriately could cost you a lot of money, and with it your clients, your reputation and ultimately your future.
Key security regulations affecting contact centre operations
The Australian NDB Scheme
As of 22 February 2018, Australian businesses with an annual turnover of $3 million or more, or that trade in personal information, are required to comply with the Notifiable Data Breaches (NDB) scheme. In practice this means that if a data breach occurs and is likely to result in serious harm to the individuals concerned, the organisation must notify those individuals and the Office of the Australian Information Commissioner. Penalties for failing to do so can be up to $1.8 million.
The Australian Privacy Act
The Privacy Act was amended in March 2014 to place more obligations on Australian companies to ensure that they have thorough and transparent practices for protecting customer information. The amendments tighten the rules on the collection, use, disclosure and secure management of personal information, and give individuals the right to access the information held about them and to have it corrected if it is wrong.
The General Data Protection Regulation (GDPR)
The GDPR applies to organisations anywhere in the world that process the personal data of individuals in the European Union (EU). Such organisations must protect that data to a high standard, be able to account for where every item of personal data is stored and processed, and abide by the regulation's articles. Because data protection is the crux of the regulation, the contact centre software, card payment devices, call recording systems and service/case management platforms used for EU residents must all support that compliance: if any of them stores personal data you cannot locate, secure or delete on request, the organisation is not compliant.
PCI DSS
PCI DSS (the Payment Card Industry Data Security Standard) is a global set of security requirements first published in 2004 by the major payment card brands to protect cardholders against misuse of the data shared during a credit or debit card transaction. Contact centres that take card payments must follow strict procedures to be PCI DSS compliant: sensitive authentication data such as the card verification code must never be stored after authorisation (which includes keeping it in a call recording), and any full card number that is stored must be protected. The simplest path is to keep card data out of the agent environment altogether.
Tips for improving security
There are a number of measures that contact centres can take to increase protection against internal and external security breaches. We suggest using several of them in combination, since no single control covers both kinds of threat.
Use multi factor authentication
To verify identity, contact centres predominantly use Knowledge Based Authentication (KBA), where callers are asked to provide something they know, such as an account number, date of birth, address or the name of their favourite pet. However, if attackers have already obtained this information from a breached database, fraudsters can pass this type of verification with ease.
Multi-factor authentication (MFA) adds a further dimension by requiring a second, independent factor such as "something they are": a fingerprint, face or voice. Mobile devices and physical security systems use the first two, and contact centres are increasingly using voice biometrics to strengthen authentication. Each person's voice is distinctive, shaped by their nasal passages and vocal tract and by the speed and pitch at which they speak. Voice biometrics should be added to KBA rather than replace it, since recorded or synthesised speech can be replayed at a voice system. See our article Securing Customer Loyalty with Data Security to see how MFA is being used by banks.
Use secure technology for collecting payment information
A global survey of Contact Centre agents found that
- 72% of agents who collect credit/debit card information over the phone require customers to read the numbers aloud
- 30% have access to payment card information even when not on the phone with customers
This is alarming. Numbers read aloud end up in the agent's hearing and in the call recording, and card data that agents can reach when they are not on a call is card data that can be copied; both make PCI DSS compliance far harder. Secure alternatives keep the card number away from the agent entirely: DTMF masking, where the customer keys the number on their phone and the tones are suppressed from the agent and the recording, pause-and-resume recording, or handing the customer to a hosted payment page or IVR. Where card details do still reach agent systems, such as a note typed into the CRM, they must be detected and removed before they are stored.
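As an added example (not from the article or any contact centre vendor), the following Python script shows the last point: a scrubber that finds card numbers in free-text agent notes or call transcripts using a Luhn check to avoid masking ordinary long numbers such as order IDs, masks them to the last four digits, and strips out any labelled card verification code entirely. The sample note and the label patterns are constructed for the example; the card numbers in it are the standard industry test numbers, not real cards.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card verification code stated right after its label in free text (assumed labels).
CVV_LABELLED = re.compile(r"(?i)\b(cvv2?|cvc2?|csc|security code)\b(\W{0,4})(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for structurally valid card numbers, false for most
    other long digit runs (order numbers, case IDs) that the regex also catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> tuple[str, int]:
    """Mask Luhn-valid PANs, keeping only the last four digits (which PCI DSS permits
    to be displayed). Returns the scrubbed text and the number of PANs masked."""
    masked = 0

    def repl(m: re.Match) -> str:
        nonlocal masked
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)               # not a card number; leave it alone
        masked += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(repl, text), masked


def redact_cvv(text: str) -> tuple[str, int]:
    """Remove labelled verification codes completely: unlike the PAN, the CVV may never
    be stored after authorisation, so there is nothing worth keeping."""
    removed = 0

    def repl(m: re.Match) -> str:
        nonlocal removed
        removed += 1
        return f"{m.group(1)}{m.group(2)}[REDACTED]"

    return CVV_LABELLED.sub(repl, text), removed


def scrub_note(text: str) -> tuple[str, int, int]:
    """Scrub one note or transcript; returns (clean_text, pans_masked, cvvs_removed)."""
    text, pans = redact_pans(text)
    text, cvvs = redact_cvv(text)
    return text, pans, cvvs


if __name__ == "__main__":
    # Constructed sample note; the card numbers are well-known test PANs, not real cards.
    note = ("Customer read card 4111 1111 1111 1111, CVV 123, exp 12/27. "
            "Backup card 5555-5555-5555-4444. Order 1234567890123 shipped.")
    clean, pans, cvvs = scrub_note(note)
    print(clean)
    print(f"{pans} PAN(s) masked, {cvvs} CVV(s) removed")
```

Run this on notes before they are written to the CRM, not afterwards: once a card number is in a database or a call recording it is in scope for PCI DSS, and the scrubber is then a clean-up job rather than a control. The Luhn check is what stops the order number in the sample from being masked; it does not make the regex a complete PAN detector, so treat a hit as a signal that the process upstream (reading numbers aloud) needs fixing.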
Provide a secure environment and regular training
The majority of security incidents originate outside the organisation; however, there is always the danger that fraud comes from within.
Agents have access to personal information, so it stands to reason that they can be a source of risk. While the majority of agents are honest, it takes just one malicious person with that access to expose sensitive data and ruin a business's reputation.
Depending on the nature of the business, and the level of access, minimum security measures can include:
- Banning of mobile phones, other personal digital devices and notepads within the workspace
- Enforcing strong, unique passwords (and MFA) on agent accounts, and forcing a change whenever compromise is suspected
- Restricting access to external communication platforms
- Setting up alerts to monitor for unusually high file copying or transfer activity
- Removing access to external ports so that storage devices like USB memory sticks can’t be used
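The alerting measure above is straightforward to implement once file-transfer events are being logged. The following Python script is an added example, not from the article, of the two rules a practitioner would start with: flag the first transfer by an agent to a disallowed destination (a removable drive or a URL that is not on the allowlist), and flag a burst of copies when the number of files or bytes moved by one agent within a short window exceeds a limit. The log format, the agent IDs, the drive-letter heuristic and the allowlisted host crm.example are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines, not real data:
# "<ISO timestamp> <agent> <action> <bytes> <destination>". agent17 does normal work;
# agent42 copies a dozen customer exports to a removable drive in a few seconds.
SAMPLE_LOG = [
    "2024-03-04T09:01:10 agent17 copy 20480 \\\\fileserver\\cases\\c1.pdf",
    "2024-03-04T09:15:42 agent17 copy 10240 \\\\fileserver\\cases\\c2.pdf",
    "2024-03-04T09:20:05 agent17 upload 4096 https://crm.example/cases/991",
] + [
    f"2024-03-04T11:00:{i:02d} agent42 copy 3145728 E:\\export\\customers_{i}.csv"
    for i in range(12)
]

# Destinations that must not receive customer data: any drive letter other than C:
# (assumed to mean removable media on a locked-down desktop) or any URL whose host is
# not the allowlisted CRM. In production this would be an explicit allowlist.
EXTERNAL_DEST = re.compile(r"^(?:[D-Z]:\\|https?://(?!crm\.example/))", re.IGNORECASE)
TRANSFER_ACTIONS = {"copy", "upload", "email_attach"}


def parse(line):
    ts, user, action, size, dest = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, action, int(size), dest


def detect(lines, window=timedelta(minutes=10), max_files=10, max_bytes=50_000_000):
    """Return one alert per user per rule: 'external_destination' on the first transfer
    to a disallowed destination, 'copy_burst' when the files or bytes moved within
    `window` exceed the limits."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)     # user -> (timestamp, bytes) seen within the window
    fired = set()                   # (user, rule) already raised, to avoid alert storms
    alerts = []

    def alert(user, rule, ts, **detail):
        if (user, rule) not in fired:
            fired.add((user, rule))
            alerts.append({"user": user, "rule": rule, "at": ts.isoformat(), **detail})

    for ts, user, action, size, dest in events:
        if action not in TRANSFER_ACTIONS:
            continue
        if EXTERNAL_DEST.match(dest):
            alert(user, "external_destination", ts, dest=dest)
        q = recent[user]
        q.append((ts, size))
        while ts - q[0][0] > window:        # drop events that have aged out of the window
            q.popleft()
        files, total = len(q), sum(s for _, s in q)
        if files > max_files or total > max_bytes:
            alert(user, "copy_burst", ts, files=files, bytes=total)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two design points carry over to real deployments. Alert on the first event that crosses a threshold and suppress repeats for that user and rule, otherwise the twelfth copy generates twelve alerts and the analyst stops reading them. And tune `max_files` and `max_bytes` from a baseline of normal agent activity rather than guessing; the limits here are chosen only so the sample triggers.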
Provide staff with regular training in the purpose of your security measures, the consequences for the organisation and customers, the procedure requirements, and the sorts of things to look out for.
It takes skill and sensitive management to implement tough security measures, yet maintain a motivated and productive environment. You want a culture of understanding and co-operation, not an environment of mistrust.