US companies are being urged to take security seriously in their contact centers when adapting their work-at-home and office working routines as the lockdown is eased.
We all had to adapt quickly when the Coronavirus Pandemic took hold, which may have meant some organizations took short-cuts with security, suggests Eckoh, the contact center security specialist who has helped a number of its clients to securely operate their contact centers from home.
The company is calling on US organizations to take time to ensure their remote and work-at-home agents can offer the same levels of data and payment card security as their office-based contact center, to ensure customers’ data is protected and the organization is compliant. As the lockdown eases, Eckoh is advising organizations to take a medium to longer-term view on how a remote or work-at-home contact center can be set up to work alongside an office-based one to accommodate the ‘new normal’ where working practices may be very different.
"Criminals are opportunistic and have already seen this crisis as an opportunity for fraud," says Nik Philpot, Eckoh’s CEO. "They might use anything from phishing attacks via email, infiltrating organizations with planted employees, to obtaining card numbers that are read aloud or scribbled down on paper. People's homes aren't always secure spaces and mistakes can happen easily too. It's an uncomfortable reality."
To eliminate these risks, Eckoh is recommending its patented Secure Payment solution for handling customer card payments — one that prevents agents from seeing, hearing or recording card details.
Eckoh is also encouraging companies to go a step further and offer more empathetic services to their customers via leading-edge Chat and Chatbot technology, where PCI compliant, secure payments can be made within the Chat or Chatbot window. This is a big helping hand for remote or on-premise contact centers who are trying to handle an increasing number of customer enquiries. Having a Chatbot that can take secure payments also means that organizations can be available to customers 24x7 and for those who prefer to self-serve.
"It's another good example of how brands can be more supportive of customers at this time without compromising security. In the understandable rush to maintain customer service, it's essential that organizations get it right — even if that takes a few extra days. Customers need trust and confidence, now more than ever," says Nik.
The background story: How secure are work-at-home contact center agents?
The Coronavirus has presented huge challenges for organizations. Some have closed their contact centers — mindful of a potential backlash of negative comments [1] from customers who can no longer talk to someone about an order, booking or complex enquiry.
Other organizations tried to maintain business continuity by mobilizing their workforce to work from home. But in the rush to ensure business continuity and good customer service, Eckoh is questioning whether adequate security measures are in place to ensure customers' personal details are safe.
Gartner reports that globally some two million customer service agents are now working from home, and this number has undoubtedly increased massively during the current crisis. But cyber-criminals are taking advantage of organizations’ weakened state by targeting them. In April 2020 alone, there were 49 data breach incidents globally, with a total of 216,141,421 affected records [2].
While speed has been of the essence in getting contact center agents to work from home, Eckoh's concern is that organizations may have cut corners by opting for the cheapest or fastest route.
"In an office environment, contact center agents are governed by internal policies, processes, procedures and security access. But what happens in the home environment? How do you keep sensitive details private?" says Nik.
The last thing a customer wants is to be relaying payment card information over the phone to someone who is not in a secure, controlled environment using a secure payment tool. Similarly, it's a big ask to make agents responsible for streams of sensitive card data coming their way, when they're not security experts.
Finding the right answers
"In any engagement, the point where payment card details are given out is the most vulnerable to attack, so this area needs to be locked down fast and effectively. This is the reason data security standards like GDPR and the Payment Card Industry Data Security Standard (PCI DSS) exist.
"Compliance and security do not pause for a crisis, and if anything, they need to be more rigorously upheld as customer service becomes more dispersed. Fortunately, technology exists to make this possible, acting as a shield around the home-worker as it did for the contact center employee," says Nik. "This may take a little more time than some other solutions promise, but the peace of mind in having a water-tight security system will be time and money well spent in the long-term — and you’ll maintain customer confidence."
Eckoh’s recommended approach is to remove the risk of fraud by preventing sensitive data from entering the contact center environment, something that can be replicated for the home-working environment. Put simply, the technology sits between the customer and the agent, preventing sensitive payment details from ever entering the agent's home environment, but still allowing the communication between the two to continue uninterrupted and for the payment to be concluded successfully. As a result, it removes the whole environment from the scope of PCI DSS.
As an effective interim measure, a similar solution can be used that removes just the agent, their screen, and any call recordings from the scope of PCI DSS. This simpler approach allows the customer to effectively type their own payment information into the agent’s payment screen, using a patented process, but with the details being shielded from view of the agent. It’s simple, but highly effective.
Whichever new working practices organizations adopt, security should remain at the heart of the operation, ensuring the business, the customers’ data and the contact center agents are protected, secure and compliant.