By Mandy Pattenden, Marketing Communications Director
Overlooking the sparkling blue Boston Harbor, Semafone hosted an insightful and engaging Lunch and Learn roundtable discussion last Wednesday on “Securing the Contact Center: More than Just a PCI DSS Issue.” The event, held at Legal Harborside, brought together thought leaders and data security experts from in and around the Boston area to discuss new state regulations, compliance challenges and the importance of securing payment transactions in the call center.
Attendees agreed that the regulatory and data security landscapes are rapidly changing. Although recently enacted laws, like Massachusetts’ Data Breach Notification Law and New York’s Department of Financial Services’ Cybersecurity Regulation, are steps in the right direction, greater education and a holistic approach to risk are key to protecting sensitive customer information from the increasing threat of data breaches.
Following a welcome from our CEO Tim Critchley, guests sat down to a lively discussion over a lunch featuring some of New England’s signature seafood dishes! Global insurance consultant Daniel Doherty kicked off the proceedings, and participants including Joe Meyer, QSA with NCC Group; Shannon Desmond, Director of Consumer Education for the Massachusetts Office of Consumer Affairs and Business Regulation; and an executive from a large insurance company drew on their different backgrounds to shed light on call center security.
Meyer explained how there is no blanket process for protecting data and complying with industry and state regulations. Although PCI DSS exists, it is not a legally required framework. Therefore, organizations, especially smaller merchants, are often “faking it until they make it,” with many seeing compliance as simply ticking off a checklist. Meyer noted, “You are not secure because you’re compliant, you are compliant because you are secure.”
To emphasize this point, he added that security must come first and foremost in an organization. With data breaches at an all-time high (there have been 312 breaches comprising 1.3 million records in the U.S. so far this year), merchants cannot sit around waiting for other states to follow New York and Massachusetts, which have implemented laws to enforce data security. Moreover, those who do not comply with these laws face additional repercussions. For example, under Massachusetts’ law, non-compliance can result in penalties of up to $5,000 for each violation that impacts a Massachusetts resident, along with injunctive relief, attorneys’ fees and the reasonable costs of investigation and litigation, so the costs can quickly and substantially add up.
Desmond pointed out that in 2016, 1,999 data breach notifications were made to the Office of Consumer Affairs, affecting 194,864 Massachusetts residents. She said that data protection is not just about securing credit card numbers; a breach exposing social security numbers, addresses, birthdates and other personal information can lead to identity theft, not just monetary theft. Call centers should treat all personal information as “toxic,” Meyer added, and even educate employees on social-engineering tactics that could lead to a breach.
Another topic of discussion was the ineffective practice of “pause and resume” or “stop/start call recording,” whereby a call recording is paused while a customer reads out his or her payment card details and resumed afterwards. Organizations that use stop/start to keep card data out of recordings for PCI DSS, but must also record 100 percent of their calls to demonstrate compliance with other regulations, end up non-compliant with those other regulations. This means companies are audited against a broken process, and the sensitive information still flows through their infrastructure: the agent hears it and it transits the company’s telephony systems.
Semafone’s solution does away with stop/start by letting callers discreetly enter their payment card numbers on their phone’s keypad. The touch tones are masked from the agent and replaced with a flat tone, and the card numbers go straight to the payment processor. Meanwhile, the agent can remain on the line to assist the customer as needed. The insurance executive added that the company’s customers routinely express appreciation for the security aspects of the Semafone solution while also enjoying better, more efficient customer service.
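To make the difference between the two approaches concrete, here is an added toy model (illustrative code written for this article, not Semafone’s software or a description of its internals) that routes the events of a call to the agent, the call recorder and the payment processor under each design, then checks which party ends up holding a card number. The event shapes, the “flat tone” placeholder and the sample calls are constructed for the example; the detection step uses a Luhn check so that stray digit runs do not count as card numbers.

```python
import re
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, optionally separated by spaces or dashes

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so digit runs that are not card numbers (phone numbers, IDs) are ignored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def holds_pan(texts) -> bool:
    """True if any text carries a Luhn-valid card number: what an assessor would search recordings for."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for t in texts for m in PAN_RE.finditer(t))

def stop_start(events, agent_pauses=True):
    """Stop/start: the customer reads the PAN aloud; the agent is meant to pause the recorder and re-key it."""
    c, recording = {"agent": [], "recorder": [], "processor": []}, True
    for kind, value in events:
        if kind == "control":                  # manual pause/resume; agent_pauses=False models a forgotten pause
            if agent_pauses:
                recording = value == "resume"
            continue
        c["agent"].append(value)               # the agent hears everything the customer says
        if recording:
            c["recorder"].append(value)
        if holds_pan([value]):                 # the agent types the spoken number into the payment system
            c["processor"].append(value)
    return c

def dtmf_masking(events):
    """DTMF masking: keypad digits are diverted to the processor; agent and recorder get a flat tone instead."""
    c, pan = {"agent": [], "recorder": [], "processor": []}, []
    for kind, value in events:
        if kind == "dtmf":
            pan.append(value)
            value = "<flat tone>"              # constructed placeholder for the masking tone
        c["agent"].append(value)
        c["recorder"].append(value)
    if pan:
        c["processor"].append("".join(pan))
    return c

def exposure(c) -> dict:
    return {party: holds_pan(items) for party, items in c.items()}   # which parties hold a card number

# Constructed sample calls using a well-known test number, not a real account
SPOKEN_CALL = [("speech", "Agent: please read your card number"), ("control", "pause"),
               ("speech", "Customer: 4111 1111 1111 1111"), ("control", "resume"), ("speech", "Agent: thank you")]
KEYPAD_CALL = [("speech", "Agent: please key your card number"),
               *(("dtmf", d) for d in "4111111111111111"), ("speech", "Agent: thank you")]
```

Running `exposure(stop_start(SPOKEN_CALL, agent_pauses=False))` shows the card number reaching the recorder as soon as the manual pause is missed, whereas `exposure(dtmf_masking(KEYPAD_CALL))` leaves only the processor holding it.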
In closing, Meyer noted how a solution like the Semafone product can help reduce the scope of compliance in the call center, or, as PCI prefers to call it, “the reduction of applicable controls.” By removing sensitive data from the call center and letting a company like Semafone host it, compliance becomes much simpler and less costly. This notion reflects our favorite company mantra, “They can’t hack the data you don’t hold!”
Semafone would like to thank everyone who participated in this discussion and supported the event. It is up to us, security thought leaders, compliance experts, state regulatory advocates and proactive merchants, to drive call center data security, protect customers and reduce the reputational risk associated with a breach. Ongoing dialog and education, such as we showcased at our Lunch and Learn, will go a long way toward helping these efforts.