In the realm of call and contact centres, and by extension, customer service departments, there are a wide range of areas and products that employees must receive training on. From call scripts, to software usage, to company policies, dispute handling and everything in between, a contact centre agent has no shortage of coaching when they first start.
An often-overlooked area that requires just as much training, if not more, however, is around security practices. With the threat landscape constantly evolving, and the contact centre becoming an ever-greater target for fraud, companies and their employees much remain vigilant and on top of the latest threats. For this reason, it’s essential for employers to have a robust training programme in place to meet compliance obligations. Let’s examine what it takes to produce one.
Types of Compliance Inside Call & Contact Centres
The contact centre is a hub for all types of customer information, and at any given time it may be processing personal contact information, health or medical records, social security numbers, driver’s license numbers, or even payment card information. Because of this, contact centres may find themselves in the crosshairs of a multitude of regulations that each have their own compliance requirements, depending on the type of data the company deals with.
For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates data privacy and security provisions for health-related information and has stringent rules on how it can be processed, and applies to every health insurer, hospital, medical centre, or other organisation handling this type of data. In the higher education industry, The Family Educational Rights and Privacy Act (FERPA) is a federal law that maintains the privacy and security of student records and applies to virtually all institutions receiving federal funding.
Perhaps the most wide-ranging standard that spans across industries is the Payment Card Industry Data Security Standard (PCI DSS), which upholds twelve broad security requirements that are designed to protect payment card information and reduce the amount of payment fraud. It pertains to any organisation processing card payments and organisations must demonstrate compliance on a yearly basis. Many of the provisions deal with the way employees handle and store payment card information, which makes it essential to have a training programme in place.
Benefits of Having a PCI DSS Compliance Training Programme in Your Call Centre
among the obvious benefits, of increased security and a lower chance of fraud occurring, PCI DSS compliance brings about other tangible benefits for the wider organisation. For one, with its common-sense requirements and its overarching tenet of reducing the amount of personal information stored, it can serve as a great starting point for other compliance programmes. Additionally, implementing a training programme will impart a mindset of security throughout the organisation, extending beyond PCI DSS compliance into other aspects of security as well. Perhaps most importantly, it helps protect your customers, the lifeblood of your business, which in turn can improve your brand reputation. Finally, at the end of the day, you’ll have more peace of mind knowing your employees are properly trained to spot security threats, which will keep your company’s name out of the headlines.
How to Build a PCI DSS Compliance Training Programme
Once you’ve decided to move forward with creating a PCI DSS compliance education programme, it may be difficult to know where to start. Here’s some simple steps that will help you along in the process towards establishing a training plan.
Start with Educating Your Employees
At the foundation of every training programme is basic education. The PCI DSS is a fairly large and onerous standard, with twelve overarching security requirements, and several hundred sub-requirements, meaning it can quickly become an arduous task for anyone having to trudge through each one. With that being said, it’s essential to distill the facts down for your employees in a way that’s easy to understand and relevant to their everyday responsibilities. Take into account any processes or procedures that have been put into place for compliance purposes and help them understand why they exist.
Rely on the Experts
There are many experts in PCI DSS compliance who create training for companies on a regular basis and can easily adapt a programme just for your company. Search for a trusted PCI DSS consultant or Qualified Security Assessor (QSA), who have done this before to save yourself some work and ensure top quality.
Break It Down into Modules
It’s no secret that PCI DSS compliance isn’t the most engaging of subjects, especially for those who don’t have to deal with it on a daily basis. To make training easier to handle and more digestible, it’s a good idea to break down the material into smaller modules. This way, employees will find it more manageable to complete the modules one by one as they have time and won’t feel overwhelmed or get distracted having to go through one long course.
Vary Your Types of Media
The format of your training materials can vary: consider using short videos, in-person briefings, written documents, or a mixture of all three. Find what resonates with your employees, and don’t be afraid to experiment with your approaches to see what works best.
Track Progress Through Assessments
Once you’ve established your educational programme, it’s essential to track the progress of your employees through each module. Not only will it provide an objective record of an employee’s completion of the training, but it will also help you distinguish between areas where employees are truly grasping the material against the ones that might be more difficult to understand. This way, you can adjust the educational materials accordingly and create a better training programme over time.
Your Training Should Be Ongoing
To ensure your employees are always up to date on the latest developments around PCI DSS compliance and the related procedures within your organisation, your training should be ongoing. Consider implementing a quarterly or annual checkup, where everyone in the company completes a brief review of educational materials- keeping the subject top of mind.
Communicate Early and Often
From even before the roll out of your education programme you should communicate the importance of everyone completing the training and help them understand why they must do it. While no one likes having to complete a mandatory training module, they’ll probably feel better knowing there’s a business reason behind why they must.
Reduce the Size of Your PCI DSS Compliance Training Programme by Descoping Your Contact Centre
Of course, if your employees don’t have to worry about completing PCI DSS compliant payments in the first place, the amount of training they’ll have to go through could be drastically reduced. Implementing DTMF masking solutions, like Semafone’s Cardprotect, have quickly become a contact centre industry best practice—by keeping payment information from ever entering the call centre, your employees and your business infrastructure are never exposed to cardholder data, thus leading to less time, money, and effort dedicated to achieving PCI DSS compliance. With the amount of applicable PCI controls for your contact centre to comply with, the less you’ll have to train everyone!