Is our call center compliant? That’s a question that I get asked a lot, since I’m the Chief Information Security Officer for 8x8, which provides enterprise cloud contact center solutions. And the sad truth is that it often only takes a few simple questions to figure out that the asker’s contact center probably doesn’t fully comply with major laws and regulations, at least not under their current rules of operation.
The good news is that many of these compliance problems can be addressed fairly easily, with relatively few additional resources. I always tell people that before they assume that they’re fine, they should invest in at least a short consultation with an attorney specializing in security and compliance, but the road to compliance starts with these questions:
If so, did you know that it violates PSI-DSS standards—the Holy Grail of credit card processing security—to store the secret CVV2 number (the three- or four-digit number often listed on the back of the card)—at any time, in any way, no matter what level of encryption or encapsulation is used. If your company regularly records the entire call, you’re probably storing this information in your recordings, unless you have special procedures to stop voice recording during the part of the interaction when the customer gives out the number.
How to fix it: One way to handle this situation is to pause the voice recording automatically when the agent’s cursor gets to the segment of your electronic form where the credit data is entered. For instance, it’s possible to use an API to stop the voice recording only during the time the customer is saying or inputting credit card information to the call center agent, and resume recording immediately after this part of the conversation is done. This way, the call center agent can enter the credit card data directly into the credit card processor’s system, so that it is not stored with the recordings.
PCI-DSS consultants commonly say that “nothing should stick” within your systems—meaning that credit card information and other sensitive data should not be stored. There are two types of PCI compliance: PCI-DSS and PA-DSS.
PCI-DSS is for merchants who accept credit cards. It is set up to protect consumers’ credit card info at the MERCHANT level. In contrast, PA-DSS is for those who process credit card info for merchants.
Why do you care? Because merchants at the PCI-DSS level—most businesses that take credit cards—are not allowed to store CVV2 in any way. If you do, then you’re breaking the rules.
The fix: All CC data should be passed through your system to a PA-DSS-certified credit card processor, who can arrange to provide you with a tokenized unique ID that could, for instance, be the last four digits of the credit card number. You’d then used the tokenized ID for repeat billing.
Many organizations announce the start of a recording—something like “For customer service improvement purposes, this call will be recorded.”
But far fewer organizations provide this notification when the call center is making outgoing calls. And fewer still don’t stop to think that when they record calls, they are recording and monitoring their employees’ conversations as well as their customers’.
And in most states in the US, notification of ALL parties is required before you record. Therefore, many legal experts advise that to be safe, it is important to ensure that all parties are told that they will be recorded—and are given an option to opt out if they do not want to be recorded.
Also, some companies presume that everyone whose call is being recorded knows that to “opt out,” they should hang up. Some judges have ruled that you should not make that assumption. It’s a good idea to check with an attorney to determine whether or not you need to specifically inform callers as to how they can opt out, as there are also other alternatives—such as calling back without recording—in addition to just hanging up with no further contact.
The fix: Ask all your employees and contractors—including your call center agents—to sign a “notice and consent” document acknowledging your company’s notification that their conversations may be “monitored and recorded.” It’s a good idea to work with your company’s human resources organization to incorporate this notice into your hiring and contracting processes.
Some contact center software lets supervisors listen in on conversations. The whisper option lets managers speak to the agent—callers can’t hear the supervisor—to give instructions about how to handle the call. Barge lets supervisors listen and break into the call if they feel they have to.
In some places, these extremely useful options fall under regulation. For instance, the Californian Call Recording Statute (California Penal Code Section 632(a)) prohibits eavesdropping without consent. So it might be argued that a supervisor violates this law by listening to calls without consent. The law covers recording or eavesdropping, and the laws of each state are open to interpretation, but there might at least be enough of an argument to support a lawsuit—not something you want to drag your organization into.
The fix: Many attorneys suggest that you should be sure to add “or monitored,” to be on more solid legal ground. So, your outgoing announcements should warn callers that they may be “recorded or monitored” for quality control purposes.
These are fairly easy, low-cost or no-cost suggestions that any contact center manager can easily implement. They put your organization in a much better compliance position, and can help you stay out of trouble. However, this article merely reflects my views and extensive experience as a security-and-compliance professional, and is not intended to constitute legal advice. Readers should always consult with an attorney for advice on their specific situation to evaluate overall compliance at their organizations.
For more on compliant contact center solutions and enterprise communications, click here.
Editor’s note: CIO.com published an earlier version of this article in September, 2015, and this article appears here with permission from CIO.com.