Contact centres are great for both consumers and merchants: the former get to talk directly to a friendly agent who can offer a fast, efficient, and personal service, while the latter enjoy a cost-effective way of connecting with more customers than ever before.
However, while the benefits are plenty, a contact centre can raise far more data protection challenges than, say, e-commerce or taking payments online. It is a sad fact of modern life that, when it comes to security, people are most often the weakest link in any system, and the weakest element of the People – Process – Technology triad.
From phishing scams to social engineering, human error is increasingly the cause of serious data breaches. Because contact centres rely on so many people, the risk is inherently higher.
If your organisation or contact centre stores, transmits, or processes payments from any of the major card schemes – especially when taking payments over the phone via an agent – you are obliged to be PCI DSS compliant, and should already know it.
But while many companies are aware of the need to use and test up-to-date firewalls, servers, routers, data loss prevention tech, and other security software, the human element of PCI compliance is often overlooked.
A payment environment is often much larger than first assumed: everything from human access points to the monitoring and restriction of physical access to sensitive cardholder data comes under the scope of PCI compliance. In fact, there are over 200 individual requirements that contact centres need to adhere to.
The mistake many companies make is treating the annual compliance assessment as a one-off test to be ticked off and forgotten about. Compliance is often left to compliance managers, and security to security teams. This can be a costly mistake indeed.
Under the new EU General Data Protection Regulation (GDPR), a data breach at a company found to be noncompliant will soon lead to maximum penalties of up to €20 million or 4% of annual turnover, whichever is greater. That is before counting the legal fees, increased banking fees, loss of sales, cost of compensation, and the likely damage to brand reputation and consumer confidence. For many businesses this can be fatal.
That is why it is becoming increasingly important to foster a ‘culture of security’ in your contact centre. More than ever before, PCI compliance should be treated as a year-round approach to security rather than a one-off exercise: the latest PCI DSS 3.2 update now enforces the need for regular testing and documentation, and clear security policies are becoming a requirement rather than a best practice recommendation.
Compliance and security are no longer the domain of compliance and security personnel alone; every team member should understand their responsibilities and take ownership of data protection protocols.
Even if you have decided to partner with a fully hosted secure payment solution provider to descope your payment environment from the requirements of PCI DSS, encouraging a culture of security is the easiest and most efficient way to ensure your organisation is protected by a comprehensive, proactive security programme all year round.
Creating a Culture of Security
Here are 3 top tips:
- Get everyone involved
As mentioned above, it is a big mistake to assume that compliance and security are only the realm of compliance and security managers. Employees from the top down need to understand the risks, how security best practice applies to their own roles, and why PCI compliance matters. Make security part of your company’s identity rather than a side note; that way all employees will know from the start that it is integral to every role at every level.
- Educate and make aware
Education is crucial to a culture of security. From making staff at all levels aware of phishing scams and social engineering to more advanced training for IT and security departments, ongoing awareness programmes and education are vital for making sure employees understand and appreciate the importance of best practice. The more they understand the impact bad practice can have on the business, and therefore on their own roles, the more likely they are to be willing to change.
- Invest and incentivise
Another big mistake contact centres make is to go for cheap and cheerful when it comes to data security, but once you consider the potential financial implications of a breach, investing in your security culture is well worth it. Funding and subsidising awareness courses, security training and higher education for your employees is a great way to get them interested in security, and it ensures you have the most security-savvy team working to protect your business. Rather than punishing bad practice, it is far more effective to incentivise good behaviour: offer recognition or prizes for the employee who spots the most phishing scams in a month, or reward any employee who identifies a vulnerability in your system. Making security rewarding and interesting is the best way to engage your employees and encourage a culture of security that does the hard work for you.