Cloud contact center 'shared responsibility': There is no cheat code for security


17 Apr 2024

If you’re powering up your contact center, you need to know that there are no cheat codes, and the cloud doesn’t come with a ‘shield of invincibility’.

As growth goes, the cloud-based contact center market is on an impressive incline. The global market size is estimated to hit around USD 155 billion* by 2033 with compound annual growth of 18% between now and then.

But switching across from an on-premise system to a contact center as a service (CCaaS) doesn’t always happen overnight. Only 11% of businesses have fully embraced CCaaS, with 46% still on-premise, according to a recent report covered in CX Today**. “The remaining 43% of businesses have their hands in both cookie jars, slowly migrating elements of their operations to the cloud,” it adds.

Throughout the journey to the cloud, there are dozens of issues to consider. But misunderstandings abound in one area especially, and this is where a particular danger lurks. Let’s call it the ‘shield of invincibility’, as you might find in a role-playing video game.

PCI DSS security is essential

When launching your own cloud contact center, PCI DSS security is a must-have. Put simply, this payment security standard applies to any organization that stores, processes, or transmits cardholder data. What’s more, the stakes have got higher recently with the arrival of PCI DSS 4.0.

Scanning down the features checklist for each cloud contact center offering, you might notice something glinting. It’s a big green tick in a box that says “PCI DSS compliant” or something similar.

This appears to offer payment card data protection for your contact center. Choose Vendor X and you’ve got your data shielded and you’re invincible, right? But that’s where confusion creeps in.

What is shared responsibility?

IT teams will be familiar with the shared responsibility model for the cloud. Some security tasks are handled by the cloud provider and some are your responsibility. But professionals working in customer service may not fully understand this concept when selecting a contact center vendor.

Moving your entire contact center stack to the cloud gives you some significant security benefits. Criminals can’t break into your premises and steal data. The cloud provider may have extremely robust protection against hacking and a wide range of external cyber-attacks. And that’s where they’ve earned their PCI DSS green tick. Typically, this is where their role stops and yours begins.

CCaaS providers give you a set of keys – but how safely you operate in the cloud is your responsibility. If there’s a slip-up and a data breach, then you’re liable.

For example, under the shared responsibility model, you’re accountable for how you:

  • Capture, store, process, and transmit cardholder data
  • Guard against human oversights and errors where data gets exposed
  • Check that components in your stack are PCI compliant and always up to date
  • Ensure accounts and passwords don’t get into the wrong hands
  • Provide robust protection, whether your agents work in the office or remotely
  • Manage user access and access rights – and close accounts when people leave
  • Make sure no laptops, phones or other devices are compromised
  • Educate employees so they don’t fall for social engineering, phishing, malware, and other attacks

And the list goes on.

The big takeaway?

Moving your contact center to the cloud doesn’t eliminate risk – it simply concentrates all the sensitive data in one place. And criminals understand this. Cloud environments are frequent targets for cyber attackers, according to a recent IBM study. In fact, 82% of data breaches explored in the report involved data stored in the cloud.

One way to strengthen your security in the cloud would be to engage in a shared responsibility model of a different kind. Teaming with the right PCI DSS Level 1 partner can mean that cardholder data is kept completely outside of your cloud contact center environment.

The partner handles the data on your behalf, which can reduce your risks dramatically. Real data disappears and is replaced by tokenized placeholders. So even if there’s a social engineering slip-up or malware mishap, there’s nothing valuable for criminals to steal.

You may lack a shield of invincibility for your data – but instead you’ve got a cloak of invisibility that works a treat.



*Precedence Research cloud-based contact center market size 2023 to 2033

**CX Today - New Contact Center Research Reveals Five Market Megatrends for 2024