Global data security expert offers advice for simplifying compliance with international, federal, state and industry regulations – from the GDPR to PCI DSS
Boston and Guildford, U.K., May 30, 2018 — Semafone, the leading provider of data security and compliance solutions for contact centers, shares advice for navigating the ever-changing regulatory landscape. The company urges contact centers to be alert and aware of the long list of evolving international, federal, regional and state regulations in order to protect customer data, avoid fines and reduce the risk of a brand-damaging breach. To jumpstart contact centers’ compliance efforts, Semafone breaks down the top regulations, laws and standards bodies to know, in its new guide available for download here: https://hubs.ly/H0bYKPm0
“Contact centers handle, process and store vast amounts of personally identifiable information (PII), such as credit card numbers, social security numbers, bank account details, birthdates and addresses, making them prime targets for hackers and fraudsters,” said Tim Critchley, Semafone CEO. “With data breaches on the rise, compliance must be an integral part any organization’s security strategy – although that is often easier said than done.”
The challenge, according to Semafone, is the lack of a single, all-encompassing global data security and privacy mandate. While the European Union General Data Protection Regulation (EU GDPR) is a step in this direction – as it applies to any business that handles an EU citizens’ data, no matter where the company is located – organizations must still adhere to a patchwork of other regulations. This becomes even more complicated when call recordings are involved. For example, the Payment Card Industry Data Security Standard (PCI DSS) prohibits the recording and storing of Sensitive Authentication Data (SAD) for credit and debit cards. Yet, in the U.S., the Electronic Funds Transfer Act (EFTA) requires the recording and retention of telephone conversations that authorize electronic funds transfers.
Such complexities lead contact centers to adopt “pause and resume” or “stop/start” solutions which allow agents/customer service representatives (CSRs) to pause a recording while PII is read aloud and resume it once the information is captured. However, these systems are prone to failure. A CSR may forget to pause the recording, capturing PII on a recording that may then be breached; or, they could forget to resume the recording, leaving out vital information for mitigating potential transactional disputes.
“The enactment of the EU GDPR signals a new era for data security and privacy regulations,” Critchley continued. “While we will likely see more countries follow in the EU’s footsteps, we are still years away from a truly global mandate. In the meantime, contact centers should seek new ways to simplify compliance, protect customer data, avoid fines and keep their names out of the news headlines as victims of a major cybersecurity incident. This begins with treating all PII as ‘toxic’ and removing as much of it as possible from their business’ IT infrastructure.”
Semafone encourages contact centers to simplify compliance through descoping technologies, like dual-tone multi-frequency (DTMF) masking solutions. These technologies allow callers to enter numerical PII (like credit card and bank numbers) directly into their telephone keypad. The keypad (DTMF) tones are masked with flat tones, so CSRs and even eavesdroppers are never exposed to the sensitive data, nor is data captured on call recordings. This eliminates the need for pause and resume solutions and allows contact centers to record full conversations when needed.
Unlike interactive voice response (IVR) systems, DTMF masking solutions can allow agents to remain in full voice communication with callers, ensuring a positive customer experience. Once PII is captured, it is sent directly to the appropriate third party (such as a payment processor), bypassing the contact center’s network. As a result, the entire contact center is out of the scope of compliance for the PCI DSS and many other regulations. More importantly, PII no longer resides in desktop applications and call recording systems where it is vulnerable in the event of a breach.
To learn more about today’s most important data security and privacy regulations, download Semafone’s free e-book, “Navigating the Challenging Regulatory Landscape in Your Contact Center,” here: https://hubs.ly/H0bYKPm0
For more on this topic, check out Semafone’s on-demand webinar, “PCI DSS & Data Security for Contact Centers: Navigating the Regulatory Landscape,” here: https://hubs.ly/H0b_jf90