Data protection is indeed a hot topic at the moment. GDPR raises the temperature significantly in the UK and the rest of Europe from May this year, whilst similar legislation is in effect in the USA and was recently introduced in Australia too. All but two states in America require organizations to notify individuals of any data breach affecting their personal data and in Australia the Notifiable Data Breaches scheme has just been introduced, requiring all businesses to notify both affected clients and the Australian Information Commissioner of any significant data breaches. This is similar to GDPR in the EU, which of course affects organizations from any other country who have dealings with EU customers too, with tighter rules on customer permission as well as higher fines for non-compliance.
So what we’re seeing is governments, legislators and other regulatory bodies around the world effectively aligning data protection standards with the new realities of data security in an increasingly digital environment.
Consider for a moment how much the world has changed since the 1998 Data Protection Act in the UK. It’s clear that a revision of data protection legislation is long overdue to take into account the exponential growth both in the volume of personal data that is being generated and the rise in attempts to access that data through hacking, malware and other methods. This all combines to create a perfect storm for any organization that’s currently handling customer data (or PII, personally identifiable information, to use the more legal term).
The organizations that we speak to are only too aware of the difficulties inherent in protecting their customers’ data. Rarely a week goes past now without another story of a high profile data breach. Uber, Target, Yahoo, Verifone, Kmart, Verizon and Equifax are just a few of the big name companies known to have had a data breach recently. Cyber-crime is on the rise and the methods used are getting ever more sophisticated and harder to detect. If you’re holding customer data, then you’re always at risk of having it stolen – and the potential consequences of a breach can be extremely serious and long term, both financially and in terms of your organization’s reputation.
Protecting customers’ payment card data in call centers and contact centers
As fast as organizations are putting security systems in place to protect their data, criminals are finding ways to breach those systems. The only way you can be sure that sensitive data is not vulnerable to being hacked is not to hold the sensitive data on your systems in the first place. That’s certainly the approach that we recommend when it comes to sensitive card payment information. Hackers and data thieves tend to concentrate their efforts on the cardholder data environment (CDE) as the data held here is the most valuable to them and to others who pay them for the data. Looking at the list of big data breaches in 2017, the majority involved an attempt to gain access to data in the CDE. So more and more organizations are coming to realize that the only way to be safe is not to hold this data at all.
Call centers are often seen as a particularly difficult environment to secure, due to the complexity of their various systems, the sheer numbers of staff and relatively fast staff turnover and therefore training and monitoring challenges too. Successfully protecting card data in the contact center environment where live agents, telephony, payment service providers, call recordings, back office systems and remote sites all interact is a technical minefield in a business-critical environment and one that is therefore often put aside in the ‘too complex’ pile. Merchants often tell us that having sorted out PCI DSS compliance in their retail and e-commerce environments, they’ve left the issues of card data protection and secure payments in their contact centers until last.
However, the solution to the twin problems of securing payment card data and integrating solutions with existing infrastructure has now become more straightforward. New DTMF touchtone payment technology such as our CardEasy ‘keypad payment by phone’ system solves this major data security issue by keeping sensitive card numbers out of the merchant environment altogether. Card numbers can’t be seen or heard by agents and are not included in call recordings or screen recordings, so they cannot be accessed by hackers, as this data never enters your contact center environment in the first place. This approach concentrates on ensuring the data is simply not there to be compromised in the event of a breach, rather than on the burden and cost of complying with endless regulatory controls to protect card data that you do hold.
Simply put, ‘No card data here’ means no risk of it being compromised. With customers entering their card numbers via their telephone keypads, the sensitive DTMF tones are masked so they can’t be heard by the call center agent, can’t appear in any recording of the call and never enter your internal networks. DTMF masking can also be used to collect other kinds of PII, such as passport numbers, social security numbers, dates of birth and so on – so the applications of such technology go beyond payment card data security.
As far as deployment is concerned, CardEasy is a managed service with on-premise and cloud options, including hosting in the AWS cloud, so it can be rolled out globally and consistently at enterprise scale. It is agnostic to phone system, payment service provider and back office systems. Furthermore, tokenisation allows for repeat use of a customer’s card without ever needing the full card number again, so customer service and UX can both be improved through the use of such regulatory-compliant systems in your contact centers, as well as improving customers’ trust, since these processes are manifestly more secure in their eyes.
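To make the data flow concrete, here is an added illustration (not CardEasy code and not part of the original post) that models the three parties described above: the agent/recording leg, which only ever receives a masked tone for each keypad press; a simulated payment service provider, which is the only component that sees the full card number and which hands back a token; and the merchant's CRM record, which ends up holding only the token and the last four digits. The class and function names, the control event that starts secure capture, and the use of the well-known test number 4111111111111111 are all assumptions made for the example. One caveat a practitioner will want to keep in mind: the masking component and the PSP still handle the full number, so they remain in scope; with a managed service that scope sits with the provider rather than in the contact center.

```python
"""Constructed model of a DTMF-masked card capture flow (added example).

The agent/recording leg never carries the digits, only the simulated PSP sees
the full PAN, and the merchant's CRM keeps a token plus the last four digits.
Names and event formats are assumptions, not CardEasy's API.
"""
import secrets
from dataclasses import dataclass


@dataclass
class CallEvent:
    kind: str   # "speech" (audio transcript), "dtmf" (one keypad press) or "control"
    value: str  # transcript text, a single keypad character, or a control command


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject mistyped numbers before anything goes to the PSP."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentServiceProvider:
    """Simulated PSP vault: the only place a full PAN is ever stored."""

    def __init__(self) -> None:
        self._vault = {}

    def tokenise(self, pan: str) -> dict:
        # The token is random, not derived from the PAN, so it cannot be reversed
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_pence: int) -> dict:
        """Repeat use: the merchant presents the token, never the card number."""
        if token not in self._vault:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_pence": amount_pence}


def process_call(events, psp):
    """Split a call into the agent/recording leg and the merchant's CRM record.

    While secure capture is on, keypad presses are buffered and, on '#', checked
    and sent to the PSP only. The agent leg receives a masked tone for every
    DTMF press whether or not capture is on (fail closed), so nothing leaks if
    an agent forgets to start capture before the customer begins keying digits.
    """
    agent_leg = []   # what the agent hears and what the call recorder captures
    crm = {}         # what lands in the merchant's back office systems
    capturing = False
    digits = []
    for ev in events:
        if ev.kind == "control":
            capturing = ev.value == "secure_capture_on"
            digits = []
            agent_leg.append((ev.kind, ev.value))
        elif ev.kind == "dtmf":
            agent_leg.append(("dtmf", "*"))      # masked flat tone, never the digit
            if not capturing:
                continue
            if ev.value == "#":
                capturing = False
                pan, digits = "".join(digits), []
                if luhn_valid(pan):
                    crm["payment"] = psp.tokenise(pan)
                else:
                    crm["payment"] = {"error": "card number failed checksum"}
            elif ev.value.isdigit():
                digits.append(ev.value)
        else:
            agent_leg.append((ev.kind, ev.value))
    return agent_leg, crm


def sample_call():
    """Constructed call in which the customer keys the test PAN 4111111111111111."""
    events = [
        CallEvent("speech", "agent: please enter your card number followed by hash"),
        CallEvent("control", "secure_capture_on"),
    ]
    events += [CallEvent("dtmf", d) for d in "4111111111111111#"]
    events.append(CallEvent("speech", "agent: thank you, that has gone through"))
    return events


def leg_contains_digits(agent_leg) -> bool:
    """True if any DTMF entry on the agent/recording leg still carries a digit."""
    return any(ch.isdigit() for kind, v in agent_leg if kind == "dtmf" for ch in v)


if __name__ == "__main__":
    psp = PaymentServiceProvider()
    leg, record = process_call(sample_call(), psp)
    print("agent/recording leg:", leg)
    print("CRM record:", record)
    print("repeat charge:", psp.charge(record["payment"]["token"], 1999))
```

Running the script shows the agent leg as a run of masked `*` entries, a CRM record holding only `tok_…` and `1111`, and a repeat charge approved on the token alone. The design choice worth noting is the fail-closed masking of every keypad press on the agent leg: masking only inside the capture window would make the control depend on agent discipline, which is exactly the staff-turnover and training problem the text describes.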
This may not resolve all of your data protection worries, but at least in the contact center environment there is now an easier way to protect card data from the bad guys – and to keep the data protection regulators and auditors off your back in this particular area too.