Contact center regulatory compliance impacts every aspect of your business. Thousands of customer interactions happen in the contact center every day, often exchanging sensitive information that could result in disputes, claims, or legal action. Unfortunately, the systems that most contact centers use are not set up to implement compliance processes and protect your business.
According to a recent survey by NICE, 99 percent of all organizations admit that they could improve their compliance tools and software, and nearly 96 percent admit that their IT team faces challenges when it comes to contact center compliance.
Regulatory compliance concerns everyone, and customer privacy and data safety are crucial to your organization’s success. Compliance breaches also open organizations to financial and reputational risk in the form of fines and the cost of breach notifications. This article will look at the importance of call center regulatory compliance, what it means, and how you can ensure that your contact center makes compliance a high priority.
Contact center data security is fraught with opportunities for agent fraud and data breaches. According to a study conducted by Semafone, 72 percent of agents required customers to read credit/debit card information or social security numbers aloud instead of using a secure voice transaction. On top of that, 30 percent of agents reported having access to payment card and SSN information even when not on the phone with a customer. Agents regularly need to handle personal records and account information, where identification and validation are critical and often covered by consumer and data protection regulations.
When it comes to taking calculated business risks, you should never risk your call compliance: non-compliance can result in steep fines of up to $100,000 a month. For example, the telemarketing service Infocision, which has represented the American Heart Association and the March of Dimes, was recently fined $250,000 by the Federal Trade Association for lack of compliance.
Lack of compliance could also put your company’s relationship with your bank at risk. However, the greatest risk of non-compliance is that it makes you more vulnerable to data breaches and financial attacks. According to the Ponemon Institute, the average data breach costs $4 million. Moreover, ten years of research conducted by Verizon revealed that none of the companies breached were fully PCI DSS (Payment Card Industry Data Security Standard) compliant, meaning they did not follow all the security standards required for secure card transactions and protection against data breaches.
Many call centers strive to be PCI DSS compliant; this is a set of stringent policies and procedures designed by the card companies to protect against credit card fraud. PCI compliance is a requirement for any business that stores or transmits credit card information. You must adhere to all PCI DSS security standards, including but not limited to building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and implementing strong access control measures.
Increasingly, consumer data protection rules similar to those applied in Europe under GDPR are being adopted globally, with the potential for very large fines in the event of a breach.
In 2017, hackers stole credit data from Equifax belonging to 147 million Americans, as well as British and Canadian nationals. Equifax received a fine of $700 million, the largest ever issued by the FTC, following the $148 million fine handed to Uber after its own data breach. U.K. authorities had already issued their maximum penalty of £500,000 (about $624,000). Under the GDPR rules, which had not yet come into effect at the time of the Equifax breach, the credit rating agency would have been liable for fines of up to 4% of its global annual turnover.
As organizations have begun to embrace digital transformation, new cybersecurity issues have cropped up, particularly when it comes to accepting payments online. Companies must ensure that their customers’ data is securely protected regardless of transaction size, volume, or the type of credit card accepted. Thus, in 2006, the credit card industry established the Payment Card Industry (PCI) Security Standards Council to help regulate payment security throughout the industry.
But PCI is just the beginning of the numerous compliance and regulatory mandates that contact centers must follow. You also must consider:
As regulatory compliance requirements become more and more complex, contact centers are struggling to rise to the challenge. While almost 72 percent of organizations already keep records to make sure their contact center interactions are discoverable for audit purposes, few contact centers have the necessary sophisticated software solutions in place to ensure complete call compliance.
So, what tools can managers use to ensure call center PCI compliance and beyond?
Every conversation within your contact center is critical, which means it must be treated as such. Thus, it is important to record every call as required under the Dodd-Frank Act.
However, under PCI DSS standards, you cannot record customer credit card information, no matter what level of encryption you use. To handle this, use call recording software that automatically pauses voice recording when an agent reaches the point in the call where credit card information must be entered.
Look for an API that can stop voice recording only during the credit card payment portion of the call and then resume immediately once that portion of the conversation is complete. In this way, you can meet all compliance standards within your contact center.
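As an added illustration (not code from the original article or from Scorebuddy), the following Python sketch shows the pause-and-resume logic described above, with a Luhn-based redaction pass as a safety net for card numbers that reach the recording if the pause signal is missed. The call events and the payment_start/payment_end signals are constructed assumptions.

```python
import re

# Constructed sample call events (not from the article): each is
# (speaker, text, event), where event is None, "payment_start" or
# "payment_end", signalled by the agent desktop when card entry begins/ends.
CALL_EVENTS = [
    ("agent", "Thanks for calling, how can I help?", None),
    ("customer", "I'd like to pay my bill.", None),
    ("agent", "Sure, I'll take your card now.", "payment_start"),
    ("customer", "The number is 4111 1111 1111 1111, expiry 12/26.", None),
    ("agent", "Got it, payment went through.", "payment_end"),
    ("customer", "Great, thanks.", None),
]

# 13 to 19 digits, optionally separated by spaces or dashes (typical PAN lengths).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: distinguishes a likely card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pans(text):
    """Safety net: mask any Luhn-valid card number that reached the recording."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "[PAN REDACTED]" if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)

def record_call(events):
    """Build the recorded transcript, pausing from the payment_start turn
    through the payment_end turn; returns (recorded segments, pause count)."""
    recording = True
    recorded = []
    pauses = 0
    for speaker, text, event in events:
        if event == "payment_start":
            recording = False
            pauses += 1
            recorded.append("[recording paused for payment]")
        if recording:
            recorded.append(f"{speaker}: {mask_pans(text)}")
        if event == "payment_end":
            recording = True    # resume after the confirming turn
    return recorded, pauses
```

An audit of the output should confirm that no segment between the pause marker and the resume contains card data, which is what the check in the recorded transcript verifies.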
Regulations vary by geography and industry. Typical areas for potential breach in the course of interacting with a customer are:
When compliance regulations are not followed, you need to be alerted to the breach immediately. QA scorecards such as those offered by Scorebuddy make this happen automatically by tracking your compliance performance and highlighting failures as they occur. Line managers are alerted straight away, so any risks can be dealt with promptly.
QA scorecards also provide an audit trail for regulators and demonstrate that the organization has processes in place.
Compliance Audit Trail: Scorebuddy keeps a record of compliance performance over time and the nature of the breaches identified.
Most CRM platforms are designed for compliance and can be configured to match your contact center’s privacy and information-handling needs. Set up correctly, a well-designed CRM can help your contact center avoid problems during audits and inspections because it is engineered for better data safety. Such systems are specifically created to surpass industry standards for compliance rules and regulations, so you are protected without any additional work required.
Your internal IT policies and procedures must take account of the unique nature of the call center environment. With more employees bringing personal devices to work, the opportunity for a breach increases dramatically. Employees need to understand clearly what your policies are, and that removing client data in any form is a serious breach. All customer interactions should be encrypted; this is the foundation of your call center protection efforts. Whether the customer transmits data to you over the phone, across the Internet, or through another network, encryption protects your contact center from liability. Simple restrictions, such as not allowing the use of data sticks, will improve your risk profile.
To help you meet the new demands of PCI compliance as well as other call center regulatory compliance standards, below is a quick call center compliance checklist.
Sensitive information must be secured behind robust firewalls and strict safety protocols.
Customer information cannot be stored without encryption—writing it down on a piece of paper is not allowed.
All software systems and applications must be updated to their latest version and protected by anti-virus software.
Cardholder data access should be restricted and agents must be assigned a unique ID for computer access.
Access to network resources and data must be regularly monitored and tested for security.
This policy must address information safety for all employees and contractors.
Call center agents must speak calmly and use nonviolent language whenever they speak to a customer.
If you have customers in the EU, you must present a compelling reason to record and store customer interactions, ask for consent before recording a call, and be able to retrieve personal customer data for no charge.
If your contact center has access to patient health information, you must protect all information, including but not limited to, social security numbers, IP addresses, photographic images, geographical identifiers, account numbers, etc.
If you have any concerns about your call center’s compliance, contact Scorebuddy today. We’d be happy to talk with you about any issues you may be facing and talk to you about how call monitoring and agent scoring can help. In just a few steps, we can help you protect your valuable data, address any privacy concerns, and help you spot compliance errors as they happen. Learn more.