Contact centers today face a variety of challenges – from keeping customers happy to the pressures of meeting key performance indicators (KPIs) to staffing issues – so it’s understandable that data security compliance may not be top of mind. However, times are changing. With the European Union’s newly enacted General Data Protection Regulation (GDPR) now in effect, the data security and privacy and consent rules that pertain to contact centers will now be more stringent than ever. Any business that uses a customer call or contact center as part of its operations must make data security, privacy and compliance top priorities. Here’s what you need to know to keep your contact center secure and compliant.
A Patchwork Quilt of Regulations
Call and contact centers receive, process and often store a variety of personally identifiable information (PII) such as addresses and phone numbers, birth dates, payment card numbers, account numbers, social security numbers and more. As a result, they are within scope for various data security and privacy standards and regulations. Some of these regulations complement each other, whereas others weaken or in some cases even seem to contradict each other.
For example, contact centers that accept payments over the phone must comply with the U.S. Electronic Fund Transfer Act (EFTA), which requires them to record telephone conversations that authorize electronic funds transfers. However, the Payment Card Industry Data Security Standard (PCI DSS) complicates this process by stipulating that certain payment card data (specifically the CVV2 code on the back of the card) must never be stored, including as part of a call recording. In trying to satisfy both rules, many contact centers adopt insecure practices and work-arounds, such as manual “pause and resume” or “stop/start” call recording, which come with their own set of problems.
The new GDPR is perhaps the closest thing we’ve seen to a comprehensive, global data protection standard. It regulates how businesses must treat the personal data of EU residents, regardless of where the business operates. That last part is important: if a company operating in the U.S. or in another non-EU country handles, processes or stores the data of even one EU resident, it must still comply with the GDPR. If a business fails to comply, it can be fined up to four percent of its annual global revenue, or €20 million (whichever is greater), and risks facing class action lawsuits from EU citizens.
However, there is some good news. Because so many contact centers accept payments, many are likely to already have measures in place to make them PCI DSS compliant, which can help make it easier to abide by the data security obligations that exist – explicitly and implicitly – within the GDPR.
GDPR and PCI DSS – Differences and Similarities
While both the GDPR and PCI DSS aim to protect consumers’ sensitive data, there are some key differences. One of the most important distinctions is that the GDPR is a law, whereas the PCI DSS is a self-created industry standard. In other words, PCI DSS is not a federal requirement and does not carry the weight of a law. That said, most organizations that process, store or transmit payment card data do aim to comply with the PCI DSS because they can still face significant repercussions for noncompliance. If a merchant suffers a data breach and is found to be noncompliant, the payment card brands (such as American Express, MasterCard Worldwide and Visa International) will typically impose costly penalties on the merchant’s bank, and the bank will likely pass those costs along to the merchant. These can range from $5,000 to $500,000 per month. For repeated offenses, a merchant could even lose the ability to take card payments.
GDPR and PCI DSS also vary in terms of the type of data they cover and how that data may be handled. PCI DSS deals exclusively with payment card data and cardholder information. This includes payment card numbers, primary account numbers (PAN) and authentication data, such as the CVV2 code and the data embedded in the magnetic stripes on the backs of cards. The GDPR covers any type of personal data relating to an identified or identifiable natural person. This can include names, addresses, email addresses, bank details, medical information, a computer’s IP address and even photos or posts on social networking sites. A breach of GDPR compliance must be reported to designated supervisory authorities, also known as data protection authorities, within 72 hours of becoming aware of the incident. In contrast, PCI DSS has no requirement for notifying the public of a data breach or even notifying the PCI Security Standards Council, although merchants must complete annual self- and third-party assessments, depending on their merchant level.
Fortunately for businesses, the GDPR and PCI DSS have some similar requirements for how sensitive data must be handled. For example, PCI DSS requires that businesses know where cardholder data resides, and that the data be encrypted to a certain standard. PCI DSS requirement 10.6.1 also requires that logs be kept and reviewed daily to ensure personal data is adequately controlled. Similarly, the GDPR requires logs be kept relating to the processing of personal data. As such, many of the processes that contact centers already have in place to maintain PCI DSS compliance will also help them abide by the GDPR and can help make their path to compliance easier. However, it is important to note that the GDPR goes beyond prescribing data security standards and what an organization should do in the event of a breach. It also makes consumer privacy and informed consent key components of conducting business. It gives individuals the right to see what personal information an organization has on them, as well as the right of erasure, and it describes requirements an organization must follow to obtain clear, affirmative consent from an individual to process their personal data.
How Contact Centers Can Ease Compliance
Though businesses have had some time to prepare for the GDPR, many are still scrambling to comply. One of the most overlooked areas when it comes to compliance is the contact center – especially if that contact center is outsourced or reliant on remote workers. But there are ways to ease some of the aspects of compliance. One method is to, as much as possible, keep sensitive data out of the contact center in the first place.
For example, contact centers that take payments over the phone can adopt dual-tone multi-frequency (DTMF) masking solutions that allow customers to input their payment card information into the telephone keypad while shielding the keypad tones from agents, customer service representatives (CSRs), nearby eavesdroppers and call recordings that could be breached. The sensitive data is securely routed directly to the appropriate third party, such as a payments processor, bypassing the contact center’s IT infrastructure completely.
By keeping sensitive data out of the contact center, DTMF masking solutions can help de-scope the contact center from PCI DSS compliance and can even help with GDPR compliance by reducing the amount and type of PII on hand. This reduces the costs and complexities associated with meeting and maintaining compliance and allows contact center executives to focus on their core business. It also makes a company a much less attractive target for hackers and fraudsters, thus helping decrease the risk associated with a data breach. After all, they can’t hack data you don’t hold.
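To make the DTMF masking flow concrete, here is an added, simplified model of the technique (example code, not from the article or any vendor product): a proxy sits between the customer's phone leg and the contact center, diverts keypad digits to a processor hand-off while a capture is open, and lets the agent and call recorder receive only a placeholder tone. The event model, the `submit_to_processor` hand-off and the token format are assumptions for illustration; the PAN is the standard Visa test number.

```python
from __future__ import annotations
from dataclasses import dataclass, field

def luhn_ok(pan: str) -> bool:
    """Processor-side sanity check on a captured PAN (Luhn mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class MaskingProxy:
    """Sits between the customer leg and the contact center. While a capture is
    open, keypad digits go to `captured`; agent and recorder hear only '*'."""
    field_name: str | None = None                           # open capture, if any
    captured: dict[str, str] = field(default_factory=dict)  # digits for the processor
    agent_leg: list[str] = field(default_factory=list)      # what agent + recorder get

    def begin_capture(self, name: str) -> None:
        self.field_name, self.captured[name] = name, ""

    def handle(self, kind: str, value: str) -> None:
        if kind == "dtmf" and self.field_name:
            if value == "#":                      # terminator: field complete
                self.field_name = None
            else:
                self.captured[self.field_name] += value
            self.agent_leg.append("*")            # digit never reaches the recording
        else:                                     # speech, or menu digits outside capture
            self.agent_leg.append(value)

def submit_to_processor(captured: dict[str, str]) -> str | None:
    """Hypothetical hand-off: raw PAN/CVV2 are popped (nothing retained locally)
    and only an opaque token comes back; the token format here is constructed."""
    pan, cvv2 = captured.pop("pan", ""), captured.pop("cvv2", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan) and len(cvv2) in (3, 4)):
        return None
    return "tok_" + pan[-4:]

def run_call() -> tuple[str, str | None, dict[str, str]]:
    """Constructed call: customer keys PAN and CVV2, then the agent resumes."""
    proxy = MaskingProxy()
    proxy.begin_capture("pan")
    for d in "4111111111111111#": proxy.handle("dtmf", d)   # standard Visa test PAN
    proxy.begin_capture("cvv2")
    for d in "123#": proxy.handle("dtmf", d)                # constructed CVV2
    proxy.handle("speech", "[agent] Thank you, your payment is being processed.")
    token = submit_to_processor(proxy.captured)
    return "".join(proxy.agent_leg), token, proxy.captured
```

The returned recording contains only placeholder tones and agent speech, so neither the PAN nor the CVV2 ever enters the contact center's recording or agent desktop.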
GDPR and PCI DSS are just the tip of the iceberg when it comes to data security and privacy regulations that can apply to call and contact centers. Others can include the Electronic Communications Privacy Act (ECPA), the Sarbanes-Oxley Act (SOX) and the aforementioned EFTA, just to name a few. While it may seem a daunting task to keep all the regulations straight, there are tools and resources to help.
By treating sensitive data as “toxic” and keeping as much of it out of the contact center’s IT infrastructure as possible, the road to cross-compliance can be greatly smoothed. The most important thing to remember is that compliance is not a one-time, check-the-box exercise. High standards for data security, privacy, customer consent and regulatory compliance must be an ongoing part of your everyday business and employees must be continually trained on proper practices. By doing so, call and contact centers can help safeguard their most sensitive customer and business data and do their part to ensure that the company’s brand reputation is protected.