We have had PCI compliance as part of the discussion in many of our projects over the last few years, focused on the technology requirements for data protection and vendors’ abilities to comply. However, we recently heard of an unusual – I hope – situation that raised concerns for me.
A client who is undergoing a PCI audit and working on compliance strategies discussed the issues they are addressing, which go way beyond technology. Some of the examples the auditors have suggested include:
- Raise cube walls
- Wall off areas of the center where agents handle credit cards
- Badge agents with different colors based on access levels
- Transfer calls when a credit card number needs to be taken to a “locked down” group solely for that purpose
- Other concerns, such as how to handle remote service observing, use of outsourcers, and home agents, are entering the discussion
I believe these types of things could have a significant impact on our industry – both centers and customers – if they proliferate. Longer handle times, physical facility changes, stricter and more involved hiring and training, greater skills segmentation, and the risk of not being able to use alternative sourcing strategies all could significantly raise contact center costs, without commensurate benefits. These changes seem not to address the real risks, and could divert scarce time, money, and resources from higher value initiatives. In addition, such changes impact the customer with greater “level of effort,” more transfers, and longer contact times – all potential dissatisfiers in an era when everyone is focused on optimizing the customer experience and minimizing level of effort.
Is this situation an anomaly triggered by overzealous auditors or lawyers, or an indicator of things to come as companies get more serious and the standards “mature?” I don’t believe (nor does the client) that such changes or restrictions inherently reduce the risk of compromising information such as credit card numbers. I am not a PCI expert by any measure, but from what I’ve read, I can’t see that the standards dictate such measures. In checking with a few of my respected and similarly experienced colleagues in the industry, I found they too have seen companies grow more zealous about these types of changes, as well as about more cumbersome authentication procedures (even when the IVR has already successfully done that!). I also found they share my level of concern and my suspicion that the changes don’t achieve net positive results. At the same time, we see some companies heading down these paths without critically evaluating the costs, benefits, and risk reduction.
And here’s the kicker – when I did get to a security expert through one of the other contact center industry gurus I know, the reaction was strong: These examples are extreme and concern themselves with the wrong issue. While such changes might help reduce the risk for an individual action on a few pieces of data, they do nothing to address the real concern behind PCI and other regulations: Avoid theft of millions of records. I’ll add my two cents to that perspective: Even with those changes, short of strip searches of agents coming and going, you can’t really count on such measures to prevent even the theft of a few records.
The good news is we may be early in the evolution of these changes. Now is the time to carefully assess these types of actions and balance the realities of contact center operation and delivering a good customer experience with complying with data protection. Systems, policies, processes and procedures, monitoring and reinforcement seem like stronger tools in the fight to keep data secure.