New ways to comply with PCI DSS through artificial intelligence  

Sep. 2022 | Speech Analytics

Even in the Contact Center industry, the management of sensitive data is a growing issue, and the resources allocated to compliance and risk management are increasing.

Contact Centers must follow and stay abreast of the regulations that govern telephone call recording, such as PCI DSS, and must be able to monitor compliance continuously.

Although PCI DSS compliance is not a legal requirement for running a Contact Center, it is mandatory for anyone wishing to process transactions with the major card brands.


What is PCI DSS?  

PCI DSS is a set of security standards that helps companies prevent fraud and theft of credit card data, covering both the cardholder's personal data and authentication data.

PCI DSS emerged in 2004 when the world's largest credit and debit card companies (AMEX, VISA, MasterCard, Discover and JCB) agreed to create a single standard common to all of them. Previously, each company had its own security standard; the standards resembled each other, but the overlap could cause confusion.

It consists of 12 mandatory requirements created to protect the data that is processed, transmitted and stored during payment transactions made with the major credit card brands.

PCI DSS in Contact Centers  

Contact Centers are required to comply with a large number of rules and regulations, which vary with the industry they serve and with how each regulation applies to their activity.

Call recordings are necessary for performance evaluation, but also to support any legal proceedings and to demonstrate regulatory compliance; for this reason, doing without call recording is not an option. Consequently, the ability to control and analyze 100% of calls is becoming a fundamental requirement.

One of the most worrying regulations involving call recording is PCI DSS, because of the volume of sensitive card and transaction data that can be handled on a call. To ensure compliance, contact centers have relied on traditional methods that, in many cases, made the task harder.

Among the traditional methods used by Contact Centers, three stand out:  

  • Manual Filtering: once a call has ended, a supervisor manually deletes or hides the part of the recording that contains sensitive data.
  • Use of Touch Tone: sensitive data such as passwords or card numbers are entered on the telephone keypad, so that the recording carries the key tones instead of the spoken data.
  • Record on Demand: the agent can pause the recording just before the sensitive information is about to be spoken.

As we have said, these traditional methods bring numerous drawbacks that make it difficult to be 100% PCI DSS compliant. Manual filtering is time-consuming and, because it is a repetitive task, prone to human error and therefore unreliable. With touch tones, the problem is that each key tone is easy to identify, so the keyed digits can be recovered from the recording. And with on-demand recording, there are 3 key issues that can become a problem for the contact center:

  • The recording may not resume due to agent carelessness, losing part of the conversation.
  • The agent may be inattentive or unaware that recording should be stopped. The customer may even give the sensitive data before the agent expects it, so it is recorded anyway.
  • Improper use of the recording pause by the agent, leading to the loss of important parts of the call needed for quality assessment.

New ways to comply with PCI DSS with conversational intelligence  

According to PCI DSS, all payment card data classified as Sensitive Authentication Data, namely the full track data, the CAV2/CVC2/CVV2/CID codes and the PIN block, must be anonymized.

Some general cardholder data does not have to be removed and may be stored, provided it is held on a secure system with access restrictions. This includes the primary account number (PAN), cardholder name, service code and expiration date. Even so, it is highly recommended to protect and anonymize this data, since attackers can use it to defraud your customers.

Today, methods of ensuring PCI DSS compliance focus on automation through conversational intelligence and speech analytics, which anonymize the data that qualifies as sensitive.

Anonymization techniques based on artificial intelligence, such as the one used by Recordia, automatically detect and remove PCI data from call recordings using a highly accurate speech recognition engine and machine learning algorithms. Credit card data is automatically erased from the recording and replaced with white noise, and users receive the cleaned recording and a transcript with the data removed.
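As an added example (not Recordia's code or the page's own), the pipeline described above reduced to its core: take word-level speech-recognition output, find PAN and CVV spans (Luhn-checked digit runs, spoken or numeric, with a keyword context for CVVs), and return a redacted transcript plus audio whose matching time windows are overwritten with white noise. The transcript, timestamps, sample rate and hint words are constructed assumptions; real ASR output and audio formats will differ.

```python
import random
DIGIT_WORDS = {w: str(i) for i, w in enumerate(
    "zero one two three four five six seven eight nine".split())}
CVV_HINTS = {"cvv", "cvc", "code", "security"}  # assumed words that precede a CVV

def as_digit(tok):  # spoken or numeric token -> digit string, else None
    w = tok.lower().strip(",.")
    return DIGIT_WORDS.get(w, w if w.isdigit() else None)

def luhn_ok(digits):
    """Luhn mod-10 check: keeps phone numbers and order IDs out of PAN hits."""
    s = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in s) % 10 == 0

def find_card_data(words):
    """ASR words [(token, start_s, end_s)] -> (label, first, last) spans to redact."""
    spans, i = [], 0
    while i < len(words):
        j = i
        while j < len(words) and as_digit(words[j][0]) is not None:
            j += 1
        if j > i:  # a run of digit tokens words[i:j]
            digits = "".join(as_digit(w[0]) for w in words[i:j])
            ctx = {w[0].lower() for w in words[max(0, i - 3):i]}
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                spans.append(("PAN", i, j - 1))
            elif len(digits) in (3, 4) and ctx & CVV_HINTS:
                spans.append(("CVV", i, j - 1))
        i = max(j, i + 1)
    return spans

def redact(words, spans, audio, rate):
    """Swap flagged words for a marker and overwrite their audio window with noise."""
    starts = {a: (label, b) for label, a, b in spans}
    text, audio, i = [], list(audio), 0
    while i < len(words):
        label, b = starts.get(i, (None, i))
        if label:
            text.append(f"[{label} REDACTED]")
            lo, hi = int(words[i][1] * rate), int(words[b][2] * rate)
            audio[lo:hi] = [random.uniform(-0.1, 0.1) for _ in range(hi - lo)]
        else:
            text.append(words[i][0])
        i = b + 1
    return " ".join(text), audio

# Constructed ASR output: a public Visa test PAN, a CVV, and a phone number that
# must NOT be redacted; each word gets 0.4 s of speech at 0.5 s intervals.
WORDS = ("my card number is four " + "one " * 15 + "and the security code is "
         "one two three call me on five five five zero one zero one").split()
TRANSCRIPT = [(w, 0.5 * k, 0.5 * k + 0.4) for k, w in enumerate(WORDS)]
RATE = 100  # constructed sample rate; real telephony audio is 8 kHz or more
```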

By anonymizing sensitive data, call recordings can be accessed and shared freely to extract key customer information without violating PCI DSS. Because these solutions detect, redact and delete all PCI data from recordings, transcripts and conversations in the background, contact center agents and managers see no increase in management time.
