Are you PCI Compliant? - David Rastatter - ContactCenterWorld.com Blog
If you are taking credit card orders, or if your customer service reps are exposed to your customers' credit card information, chances are you will have to take a hard look at your contact center vendor and your processes to be Payment Card Industry Data Security Standard (PCI DSS) compliant.
Recordings: When your customers give their credit card information over the phone to your reps, chances are your contact center software is recording those calls. If you use a cloud-based call center, those calls are recorded on a server in the cloud and the recordings are stored there. How do you know the recordings are secure in the cloud? What security measures has your cloud vendor taken? Is your cloud vendor PCI compliant?
There are a couple of ways to handle this. One is to record the calls locally, as close to the rep as possible, and never let those recordings leave your premises. What if you could record each call on the rep's desktop, encrypt it there with a local key, and transmit the recording to a secure server on your premises as soon as the call ends? The recordings would never cross an external network or reach the cloud, so at least for the stored recordings you would not depend on your cloud provider's PCI compliance. (The live audio still passes through the cloud provider's platform while the call is in progress, so the provider does not drop out of scope entirely.)
Unfortunately, even that may not be enough. If the recording captures sensitive authentication data such as the card verification code, PCI DSS does not allow it to be stored after authorization, so the recording has to stop as soon as the customer starts giving her credit card information. This can be accomplished by having the customer service rep navigate to a different tab within the contact center system's user interface, which triggers a switch to pause recording; as soon as the rep navigates away from that tab, the recording resumes. The weak point is that the pause depends on the rep switching tabs in time: a rep who is slow to switch leaves card data in the recording.
There may be environments where sales reps or customer service reps must not be exposed to a customer's credit card information at all. In that case the call can be transferred to an automated IVR; the IVR interacts with the customer, takes the credit card information, and then transfers the customer back to the rep. This may not be the most efficient solution, because while the customer is interacting with the IVR the rep is twiddling their thumbs, hoping the customer is successfully transferred back once they have finished entering their credit card information.
Instead of transferring the customer to the IVR, the contact center system should be able to set up a three-party conference among the rep, the customer, and the automated IVR. That way the rep stays on the call with the customer, holding their hand while the customer enters their credit card information on their phone's keypad.
To keep the rep out of scope, the rep in that three-party conference must not be able to hear the tones generated when the customer keys in their card number. The contact center software has to suppress or mask the DTMF tones on the rep's leg (and in any recording) so that the rep has no access to the digits either. Throughout the conference the rep is talking to the customer and helping them finish the transaction, without the fear of losing the customer at the end of the transaction or worrying about whether the customer will be transferred back.
What's more, if you have subscribed to a cloud contact center, all of this has to be done by the system running in the cloud.
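The two mechanisms described above (the tab-driven pause/resume switch and the three-party conference in which the IVR alone sees the customer's key presses) can be modelled as one event router. The following is an added example, not code from the original post or from 3CLogic: the leg names, the "payment" tab, the constructed conversation and the test card number are assumptions made for the illustration. It goes a little beyond the post by showing what the IVR does with the digits once it has them (a Luhn check to reject mistyped numbers, and masking so only the last four digits ever reach the rep or the session state). A real deployment does the masking in the media path, on in-band tones or RFC 4733 telephone-event packets, not on text strings as here.

```python
"""Model of the pause/resume recording switch and the DTMF-masking
three-party conference. Added example; assumptions noted inline."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed test PAN (a widely used Visa test number), not a real card.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by the IVR to reject mistyped card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Only the last four digits may be shown to the rep or kept in the session."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class ConferenceCall:
    """Three legs (rep, customer, IVR) plus a recorder. Every event passes
    through _route(), so the PCI rules live in exactly one place."""
    rep_hears: List[str] = field(default_factory=list)   # audio mixed onto the rep's leg
    recording: List[str] = field(default_factory=list)   # what the recorder stores
    ivr_buffer: List[str] = field(default_factory=list)  # digits seen only by the IVR
    rep_tab: str = "order"                                # assumed UI tab names
    ivr_result: Optional[dict] = None

    def rep_switches_tab(self, tab: str) -> None:
        """The tab change is the switch that pauses or resumes the recorder."""
        self.rep_tab = tab
        state = "paused" if tab == "payment" else "resumed"
        self.recording.append(f"[recording {state}]")

    def _route(self, audio: str) -> None:
        self.rep_hears.append(audio)
        if self.rep_tab != "payment":        # recorder is paused while on the payment tab
            self.recording.append(audio)

    def customer_says(self, text: str) -> None:
        self._route(f"customer: {text}")

    def rep_says(self, text: str) -> None:
        self._route(f"rep: {text}")

    def customer_presses(self, key: str) -> None:
        """Customer DTMF: the IVR gets the key; rep and recorder get a masked event."""
        self.ivr_buffer.append(key)
        self._route("customer: [DTMF suppressed]")
        if key == "#":
            self._ivr_finish()

    def _ivr_finish(self) -> None:
        pan = "".join(k for k in self.ivr_buffer if k.isdigit())
        self.ivr_buffer.clear()              # the full PAN never lingers in the session
        if luhn_valid(pan):
            # Here the full PAN would go straight to the payment gateway or tokenizer;
            # only the masked form is kept anywhere the rep or a log could see it.
            self.ivr_result = {"status": "captured", "masked_pan": mask_pan(pan)}
            self._route(f"ivr: card ending in {pan[-4:]} accepted")
        else:
            self.ivr_result = {"status": "rejected", "masked_pan": None}
            self._route("ivr: card number not recognised, please try again")


def run_demo(pan: str = TEST_PAN) -> ConferenceCall:
    """One constructed order: the rep opens the payment tab, the customer keys
    the card number to the IVR while the rep stays on the line, the rep returns."""
    call = ConferenceCall()
    call.rep_says("Please key in your card number followed by the pound key.")
    call.rep_switches_tab("payment")
    call.customer_says("Okay, one second.")
    for key in pan + "#":
        call.customer_presses(key)
    call.rep_switches_tab("order")
    call.rep_says("Thanks, the order is complete.")
    return call


if __name__ == "__main__":
    demo = run_demo()
    print("IVR result:", demo.ivr_result)
    print("Rep heard:", *demo.rep_hears, sep="\n  ")
    print("Recording:", *demo.recording, sep="\n  ")
```

Running it shows the rep hearing seventeen "[DTMF suppressed]" events and the IVR's "card ending in 1111" confirmation, while the recording holds only the two rep sentences bracketing a paused/resumed marker. The design point is that the rep's leg and the recorder are never given the digits and asked to forget them; they are simply never on the path the digits take.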
Raj Sharma, President and CEO of 3CLogic
Publish Date: December 28, 2012 5:39 PM