Does contact center compliance give you security?

Blog

2 Aug 2023

Will PCI DSS 4.0 compliance give your contact center robust security — creating a force field around sensitive information? At a time when data breaches can run into millions of dollars, it’s important to know the difference between compliance and security.

Right now, many companies are in full scramble mode, getting their contact centers and processes ready to meet compliance deadlines for the new PCI 4.0 security standard.

A raft of new measures will help protect cardholder data from security breaches, which are estimated to cost an average of $4.35 million per organization globally and $9.44 million if they happen in the USA, according to IBM research.

The more rigorous certification process will flush out older security techniques, such as pause-and-resume for voice payments, and tighten up protocols in multiple areas.

But there’s a danger that achieving PCI DSS 4.0 compliance will lead to complacency. Why? Because compliance doesn’t automatically mean stronger security. These are different beasts – and you need both of them.

Compliance vs security

In the world of merchants and contact centers, PCI DSS compliance is about obtaining an entry pass so you can accept payments. Put simply, proving you’ve got the right controls and industry protocols is a standard requirement for acquiring banks and the card providers to let you into the game.

Hitting your PCI DSS 4.0 compliance goals is a moment worth celebrating. But it mustn’t stop there. Being compliant with a set of standards is not the same as having robust security.

Here are three factors that underline this:

1: Compliant organizations can still get breached
Household brands and other major players regularly make the news when data gets exposed. These organizations weren’t somehow operating outside the system. Most likely, they ticked the right boxes for compliance, but sensitive data was exposed anyway. Another sobering thought is that 83% of breached organizations have been hit more than once, according to research. Tightening up compliance doesn’t automatically mean your security becomes rock solid.

2: Your cloud partners’ security isn’t enough
There’s a common misunderstanding that relying on the robust security of public cloud platforms will somehow give you a ring of invincibility. But this only goes so far. Nearly half of all data breaches happen in the cloud. Cloud platforms give you a set of keys – but if there’s a slip-up in your own security, then criminals and mischief-makers can do their worst.

3: If you’re handling sensitive data, there’s always a human risk
It’s an uncomfortable fact, but Verizon’s 2023 Data Breach Investigations Report found that 74% of breaches involved a human element, which includes social engineering attacks, errors, or misuse. Something as mundane as getting distracted can be a key reason why employees sometimes fall for phishing scams, according to separate research published in CISO Mag.

How security goes beyond compliance
Compliance is something that has to be done; security is something that should be done. Compliance is about top-level, one-size-fits-all policies and controls. Security, by contrast, is tailored to each organization. It must mitigate any risk that threatens data confidentiality and integrity – extending across both the physical and data environments – and its policies must keep pace with change.

PCI DSS 4.0 acknowledges this by urging organizations to view security as a continuous process, which often requires a shift in mindset.

But the task is becoming more complex. As contact channels increase, payment methods expand, and data becomes more valuable, then the attack surface widens.

This raises several questions for contact centers: How many of your team do you want to devote to securing data non-stop? And will you settle for bare-bones security, opt for something fairly standard, or consider military-grade protection?

Fortunately, there’s another path available to contact centers ...

There’s nothing to steal here
Let’s consider an illustration for a moment. Imagine a community with good policing, street lighting, and an active neighborhood watch group. These things will help with general security but they won’t absolutely protect a person’s property. You also need your own door locks, maybe an alarm system, and the habit of remembering to secure the premises. You may decide to increase your security from time to time.

But what if your most valuable possessions weren’t stored in the house at all – but were kept elsewhere? Then, even if there was a lapse in security and a break-in, your world wouldn’t come crashing down, as thieves would have very little to steal.

In a similar way, many forward-thinking contact center leaders rely on partners to process card payments for them. This means that customers’ valuable payment card details will never enter their company’s premises, remote offices, devices or cloud-based systems. Sensitive data can’t be seen, heard, recorded, or stored anywhere – so nothing can be stolen.

This takes your security to a level that’s way beyond compliance. And it makes getting certification far easier, because your trusted partner is handling so much of the burden for you. Put simply, outstanding security sets you up for comfortable compliance.

Discover more
How easy is it to hack a contact center? Watch this video to understand more about the security needed today. Also, take a look at our guide Why you should rethink your PCI DSS Strategy.