Is our call center compliant? That’s a question that I get asked a lot, since I’m the CISO for a company that provides cloud contact center solutions. And the sad truth is that it often only takes a few questions to figure out that the person’s call center is probably not fully compliant, at least not under their current rules of operation.
The good news is that many of these compliance traps can be addressed fairly easily, without a lot of additional resources. I always tell people that before they assume that they’re fine, they should invest in at least a short consultation with a local attorney specializing in security and compliance, but the road to compliance starts with these questions:
1. Do you record customer calls? Do you take credit information in these calls?
If you do, you need to be aware that PCI DSS, the baseline standard for anyone who stores, processes or transmits cardholder data, prohibits storing the CVV2 (the three- or four-digit security code usually printed on the back of the card) after authorization, in any form, no matter what level of encryption or encapsulation is used. If your company records entire calls, you are almost certainly storing this code in your recordings, unless you have a procedure that stops voice recording during the part of the transaction when the customer reads out the number.
The fix: One way to handle this situation is to have the voice recording pause automatically when the agent's cursor reaches the section of the electronic form where card data is entered. For instance, the recording platform's API can be used to stop the voice recording for the period in which the customer is reading out their card number, expiry and CVV2 to the agent, and resume it as soon as the payment has been submitted. This way the agent enters the card data directly into the credit card processor's form, and neither the audio nor the digits end up in your recording store. Whatever mechanism you use, check it: pull a sample of stored recordings of payment calls and confirm that the card segment really is absent, because a pause that depends on the agent clicking the right field at the right moment will fail some of the time.
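The pause-on-sensitive-field logic described above, as an added example (not code from the original article or from any vendor's product). The field names, the event format and the sample call are all constructed for illustration; in a real deployment the focus events would come from the agent desktop and the audio chunks from the telephony platform. The one design choice worth noting is that recording resumes only on an explicit "payment complete" event from the processor, never merely because the cursor left the card field, so that a customer who is still reading digits while the agent tabs around the form is not recorded by accident.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical form field names whose spoken values are full PAN or PCI DSS
# sensitive authentication data (CVV2). Spoken values of these fields must
# never reach the recording store.
SENSITIVE_FIELDS = frozenset({"card_number", "expiry", "cvv2"})


@dataclass
class RecordingGate:
    """Routes each audio chunk either into the stored recording or nowhere.

    Recording is on by default (the announcement and the rest of the call are
    recorded). It pauses the moment the agent focuses a sensitive field and
    resumes only on an explicit payment-complete event. Focus moving back to
    an ordinary field does NOT resume recording (fail closed).
    """
    recording: bool = True
    paused_by: Optional[str] = None
    kept: List[str] = field(default_factory=list)
    dropped: int = 0

    def on_field_focus(self, field_name: str) -> None:
        if field_name in SENSITIVE_FIELDS:
            self.recording = False
            self.paused_by = field_name
        # Non-sensitive focus while paused: stay paused until payment_complete.

    def on_payment_complete(self) -> None:
        # Processor has returned a result; card digits are no longer being read.
        self.recording = True
        self.paused_by = None

    def on_audio(self, chunk: str) -> None:
        if self.recording:
            self.kept.append(chunk)
        else:
            self.dropped += 1


def run_call(events: List[Tuple[str, Optional[str]]]) -> RecordingGate:
    """Replay (kind, value) call events through a fresh gate and return it."""
    gate = RecordingGate()
    for kind, value in events:
        if kind == "audio":
            gate.on_audio(value)
        elif kind == "focus":
            gate.on_field_focus(value)
        elif kind == "payment_complete":
            gate.on_payment_complete()
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return gate


# Constructed sample call (not a real transcript). The card number is the
# well-known Visa test PAN 4111 1111 1111 1111.
SAMPLE_CALL = [
    ("audio", "This call may be recorded or monitored."),
    ("audio", "I'd like to renew my subscription."),
    ("focus", "customer_name"),
    ("audio", "Jane Doe"),
    ("focus", "card_number"),
    ("audio", "4111 1111 1111 1111"),            # PAN: must not be stored
    ("focus", "expiry"),
    ("audio", "twelve twenty-six"),
    ("focus", "cvv2"),
    ("audio", "one two three"),                  # CVV2: must never be stored
    ("focus", "customer_name"),                  # agent tabs back; still paused
    ("audio", "sorry, the last digit was four"), # correction while paused
    ("payment_complete", None),
    ("audio", "Thanks, the renewal went through."),
]


def stored_recording() -> Tuple[List[str], int]:
    """Return (chunks written to the recording store, chunks discarded)."""
    gate = run_call(SAMPLE_CALL)
    return gate.kept, gate.dropped


if __name__ == "__main__":
    kept, dropped = stored_recording()
    print(f"kept {len(kept)} chunks, dropped {dropped}")
    for line in kept:
        print("  ", line)
```

When auditing an existing deployment, the same idea applies in reverse: replay a sample of real payment calls against whatever pause mechanism is in place and confirm that no chunk containing a card number or security code survives in the stored recording.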
2. Do you store credit card information for repeat billing?
PCI DSS consultants commonly say that "nothing should stick" within your systems, meaning that credit card information and other sensitive data should not be stored. Two PCI standards come up in this context: PCI DSS and PA-DSS.
PCI DSS applies to any organization that stores, processes or transmits cardholder data, which includes merchants who accept cards as well as the processors and service providers that handle card data on their behalf. PA-DSS, by contrast, applied to vendors of commercial payment software sold to merchants, not to the merchants themselves.
Why should you care? Because as a merchant under PCI DSS (and most businesses that take credit cards are merchants) you are not allowed to store CVV2 after authorization in any form, encrypted or not, and you may store the full card number only if it is rendered unreadable. If your call center or billing system keeps either one lying around, you're breaking the rules.
The fix: All card data should pass straight through your system to a PCI DSS-compliant payment processor, who can return a token, an opaque reference to the card held in the processor's own vault, that you store in place of the card number and use for repeat billing. Alongside the token you may keep a truncated form of the number (for instance the last four digits) and the expiry date for display and customer confirmation, but never the full card number or the CVV2.
3. Are you recording your call center agents’ calls?
Many organizations announce that the call will be recorded—something like “For customer service improvement purposes, this call will be recorded.”
But far fewer organizations provide this notification when the call center is making outgoing calls. And fewer still stop to think that when they record calls, they are recording and monitoring their employees' conversations as well as their customers'.
Most US states require the consent of only one party to a call, but a significant minority, California among them, require notification of ALL parties before you record, and calls routinely cross state lines. Therefore, many legal sources advise that to be safe, you should ensure that all parties are advised that they will be recorded and are given an option to opt out if they do not wish to be recorded.
Also, some companies assume that everyone who hears the recording announcement understands that to "opt out" they should simply hang up. Some judges have ruled that you should not make that assumption. It's a good idea to check with an attorney to determine whether you need to specifically inform callers how they can opt out, since there are alternatives, such as a call back on an unrecorded line, besides hanging up with no further contact.
The fix: Ask all your employees and contractors—including your call center agents—to sign a “notice and consent” document acknowledging your company’s notification that their conversations may be “monitored and recorded.” It’s a good idea to work this into your hiring and contracting processes.
4. Do you allow ‘barge’ and ‘whisper’ functionality? If so, monitoring might be an issue.
Some contact center software lets supervisors listen in on conversations. The whisper option lets managers speak to the agent—so the caller can’t hear the supervisor—to give directions about how to handle the call. Barge lets supervisors listen and break into the call if they feel it’s necessary.
In some places, these very useful options fall under regulation. For instance, the California Invasion of Privacy Act (California Penal Code Section 632(a)) prohibits eavesdropping on or recording a confidential communication without the consent of all parties. So it might be argued that a supervisor who listens to a call without consent violates this law. The statute covers eavesdropping as well as recording, and the laws of each state are open to interpretation, but there is at least enough of an argument to support a lawsuit.
The fix: Your announcements should warn callers that they may be "recorded or monitored" for quality control purposes. Many attorneys suggest adding the "or monitored" to be on more solid legal ground, and the same wording belongs in the notice-and-consent document your agents sign, since it is their side of the call that the supervisor is listening to.
These are fairly easy, low-cost or no-cost suggestions that any contact center manager can easily implement. They put you in a much better compliance position, and can help your firm stay out of trouble. But this article only reflects my views and extensive experience as a security-and-compliance professional, and is not intended to constitute legal advice. Readers should consult with an attorney for advice on their specific situations and to evaluate overall compliance at their organizations.