Can contact centre homeworking operations be compliant with FCA, PCI DSS, Ofcom and other industry regulations? Of course they can. Here are ten things your contact centre operation should consider when creating an information security policy for homeworkers:
1. What regulations do you need to consider? If you do not have an internal compliance or information governance officer, research what is required by each regulator. PCI DSS obligations, for example, vary depending upon the number of payment transactions a Merchant makes and the methods they use to take them (e.g. mail-order, telephone, online e-commerce etc.). A Merchant processing over 6 million transactions annually, for instance, needs a full validation audit by a third party QSA (Qualified Security Assessor). Merchants with lower volumes can perform and submit an annual self-assessment – which includes security testing and confirmation that any third party suppliers who can impact the security of cardholder data also comply. So if necessary, engage specialist resources.
2. Perform a security risk assessment. Identify, analyse and evaluate relevant risks, taking into account information assets, threats, existing controls and vulnerabilities. Determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to arrive at a ‘level of risk’. ISO 31000 is the international standard for risk management, and ISO/IEC 27001 and its companion, ISO/IEC 27002, are the international standards for information security management. Use this best practice guidance to assess risk and to identify the controls recommended to mitigate it. If Personal Data is involved, combine your security risk assessment with a privacy impact assessment.
3. Establish Policy/Strategies to mitigate risk. What do your existing controls look like? Are they working effectively? Are they optimised? What more could you do to mitigate risk? This will determine what your homeworking policies will need to say. Also, you will need to write one Policy for homeworkers and one for the technical controls that underpin your homeworking policy.
4. Consider how these policies will affect your homeworking operation. You can’t stop homeworkers bringing phones into their home office, so how can you ensure they don’t photograph, record or steal confidential customer information? Consider appropriate policies and processes.
5. Consider how risks may materialise through the use of customer contact outsourcers – some of which may use homeworking personnel. How will you pass your compliance obligations down the supply chain to a third party and their staff? As an outsourcer, do you have contractual commitments that satisfy your clients’ obligations?
6. Consider all types of controls that are required. These may be physical, policy, procedural, people (e.g. HR screening, education etc.) and technical. Regulators will often specify encryption standards. Ascertain what regulations you need to comply with regarding the storage and retention of call data. Where is your data geographically accessed from? Where is it stored ‘at rest’? How is this affected by the recent Safe Harbour ruling? What are the regulations regarding telephony infrastructure?
7. Understand how and why regulated data is collected. How does it flow through the organisation? How is it used within your business processes? Who is authorised to access it and what technologies are used? Consider all your technology options. For example, technical options for taking over-the-phone card payments include:
a. Utilising call recording pause/resume or stop/start technology
b. Passing customers to an external IVR
c. Using DTMF clamping techniques (that prevent agents seeing or hearing card details)
d. Cloud solutions (versus on-premise solutions)
The alternative option of creating a ‘white room environment’, often seen in fixed location contact centre operations, where agents are prevented from taking phones or notepads to their desktops, is much more difficult (if not impossible) to implement in a homeworking situation.
8. Weigh up the pros and cons of your preferred technology options. One downside of using pause/resume card payment handling technology in a customer contact environment is that you can’t record the whole of the customer call – and therefore you may miss out on vital information that the customer says. Another downside is that many pause/resume solutions rely on the individual call handler to activate the function manually. With the external IVR method, what if the customer doesn’t come back to the agent at the end of their transaction but before the conversation has finished?
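As an added illustration (not from the article or from any vendor's product) of the DTMF clamping and pause/resume options discussed in points 7 and 8, the following Python model shows, at the level of keypress events, how a capture session can keep the card number out of the agent's view and out of the recording while pausing and resuming the recording itself rather than relying on the call handler to do so. The CaptureSession class, the ‘#’ terminator key and the constructed test card numbers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

def luhn_valid(pan: str) -> bool:  # Luhn check on the keyed PAN before it is released
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2])
    return total % 10 == 0

@dataclass
class CaptureSession:  # sits between the telephony bridge and the agent desktop / call recorder
    capturing: bool = False
    recording: bool = True
    pan_buffer: str = ""
    agent_view: str = ""  # masked progress shown on the agent's screen
    recording_track: List[str] = field(default_factory=list)  # what the call recorder stores
    gateway_pan: Optional[str] = None  # digits released only to the payment gateway
    events: List[str] = field(default_factory=list)

    def start_capture(self) -> None:
        # The pause is raised by the system when capture begins, not by the call handler by hand
        self.capturing, self.recording = True, False
        self.events.append("RECORDING_PAUSED")

    def on_dtmf(self, key: str) -> None:
        if not self.capturing:  # e.g. an IVR menu choice: recorded as normal
            self.recording_track.append(key)
        elif key == "#":  # assumed terminator: the customer has finished keying
            self._finish()
        elif key.isdigit():
            self.pan_buffer += key
            self.agent_view += "*"  # the agent sees that a digit arrived, never which one
            self.recording_track.append("<tone>")  # a flat tone replaces the DTMF in the recording

    def _finish(self) -> None:
        pan, self.pan_buffer = self.pan_buffer, ""
        if 13 <= len(pan) <= 19 and luhn_valid(pan):
            self.gateway_pan = pan
            self.agent_view = "*" * (len(pan) - 4) + pan[-4:]  # last four only, as PCI DSS permits
        else:
            self.events.append("PAN_REJECTED")
        self.capturing, self.recording = False, True  # recording resumes without agent action
        self.events.append("RECORDING_RESUMED")

def run_call(keys: str) -> CaptureSession:
    s = CaptureSession()  # constructed call: customer picks IVR option 1, then capture starts
    s.on_dtmf("1")
    s.start_capture()
    for k in keys:
        s.on_dtmf(k)
    return s
```

Whether the hand-off to capture is itself triggered manually or by the call flow is exactly the weakness point 8 raises for many pause/resume products; the model above shows the pause and resume driven by the capture state rather than by the agent.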
9. Consider all customer contact channels. Credit card details are not only passed over the phone. Sometimes they are inserted into emails and web chats too. Ensure compliance is covered from all angles.
10. Consider all aspects of your compliance. While technical solutions exist to help HomeAgents take over-the-phone payments securely and effectively, organisations still need to consider the lifecycle of the cardholder data (i.e. including storage, processing and transmission) to be fully compliant with PCI DSS.
By Michael Gray, Marketing Specialist, UK HomeAgent Forum and Richard Stone, Ultima Risk Management