Contact centers: Protecting sensitive data with critical security controls
by Erina Suzuki | Published On November 26, 2021 | Last Updated November 26, 2021
Contact centers continually generate user data through various media channels. Therefore, it is essential for cloud-based contact center providers to establish and maintain industry-standard security controls to support the handling and storage of sensitive information. Maintaining a secure contact center environment is crucial to minimize the risk of data breaches which may result in damaged reputation, hefty fines, and loss of clients' trust.
This blog will discuss specific security standards a contact center can implement to protect sensitive information.
A cloud-based contact center service provider concerned with data security measures and the protection of personal data should achieve and maintain at least one industry-standard certification focused on data security. Two common certifications are PCI-DSS compliance and SOC 2 Certification. Let dive a little deeper into these two.
Payment Card Industry Data Security Standard, also known as PCI-DSS for short, is a set of security requirements designed to ensure payment card information
is transmitted and maintained in a secure environment. PCI-DSS was established and is managed by an independent entity representing payment card brands like Visa, MasterCard, American Express, and Discover. PCI compliance is validated annually
by qualified third parties through a process called Report on Compliance (ROC), which is filed with the Payment Card Industry Council and results in a formal Attestation of Compliance.PCI-DSS in action: In a contact center environment, agents may be required to process payment card information, raising an important question: are they processing data according to PCI Standards? Making payments over the phone increases the risk of exposing sensitive data such as your credit card information. One PCI-compliant method of counteracting this risk is to transfer customers through a secure web portal instead of allowing agents to hear and manually record the information. Callers may then input their data in an environment separate from the agents' call system, minimizing the exposure of cardholder information.
Contact centers host conversations where sensitive information is transmitted and stored, so PCI compliance is essential to mitigate the risk of disclosing personal data.
Service and Organization Controls Type 2, also known as SOC 2, evaluates a cloud service provider’s organizational controls for processing customer data securely and reliably. The certification process involves evidence-based technical and operational audits by a certified third party. SOC 2 certification has three stages. First, a readiness assessment is conducted to allow an organization to introduce additional controls required under SOC 2. Second, an initial Type 1 audit is performed to determine whether the vendor's system and organizational controls meet the requirements of relevant trust principles. Third, roughly six months later and typically annually after that, a Type 2 audit validates the ongoing operational effectiveness of those systems and controls over time. A contact center typically handles large volumes of customer data, some of it containing personally identifiable information (PII). SOC 2 certification confirms that a contact center service provider can keep its clients' sensitive information secure.
Third-party information security certifications allow cloud service providers to better support increasingly widespread and stringent legislation addressing the secure handling of personal information. Such certification includes the Health Insurance Portability and Accountability Act, Personal Information Protection and Electronic Documents Act, and Personal Information Protection Act. Below, we will discuss each of them:
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, also known as HIPAA, is a United States federal government legislated set of security frameworks that govern the handling and processing of sensitive patient information. Such information may typically include names and birthdates, medical record numbers, and more. Organizations that handle such information undergo a rigorous security risk assessment to be HIPAA compliant in one of two ways- internally or externally. If internally, HIPAA compliance reviews should be performed by someone independent from the process with supporting evidence. If externally, the assessment is performed by a third party appropriately certified. The procedure addresses the controls listed in the HIPAA Privacy Rule, which covers the standards contact center providers should comply with to protect and securely store individuals' medical records.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act, also known as PIPEDA for short, is a Canadian data privacy law involving organizations collecting, using, and disclosing personal information. This information includes age, name, ID number, opinions, comments, and more. To be PIPEDA compliant, an organization must follow ten fair information principles.
One of the many functions within a contact center is the call recording feature. Contact centers with call recording functions allow organizations to evaluate agent performance and accurately retrieve contact record information. Trusted contact center vendors work with each organization to ensure that the storage of call recordings that may contain PII is handled in a fashion that meets the organization’s information privacy requirements.
Personal Information Protection Act (PIPA)
Personal Information Protection Act, also known as PIPA for short, came into effect on January 1, 2004. This act applies to provincially regulated private sector organizations in Canada, specifically British Columbia and Alberta. It is in place to protect personal information and provide an individual with the right to access their data. Similar to PIPEDA, this legislation provides for individuals to have autonomy over their data, ensuring transparency and control over their information collected within contact centers. Contact center vendors’ cloud services must provide both the tools and support to ensure that organizations can meet the requirements of this legislation.
As security concerns continuously evolve, making sure your contact center vendor is PCI-DSS and SOC 2 compliant is a must. In addition, following privacy legislation in your region ensures customer information is handled appropriately.
Take a look at our ‘Slice of ice Recap: Security and Standards- Mitigating Security Risks’ to learn more ways to protect against security risks.