Entry into new markets, expanded ecommerce and improved customer service – if any of these appear on your list of priorities for 2015, the chances are that you might also be thinking of opening a new contact center, either in the U.S. or overseas.
There are important things to consider and address before taking this step, including where your customer clusters might be, language, culture, infrastructure and skills availability.
Do you opt for physical premises or virtual ones, live call agents or automation or both, integrated multi-channel or phone only, outsourced or in-house? And what are the data protection laws of the markets you are entering? Does customer data need to be retained in-country or can it be stored anywhere?
Underpinning all of this is how to keep information and transactions secure, particularly if agents are processing payments over the phone.
Contact centers, in any market, are immensely vulnerable to payment fraud. Firstly, staff turnover is high and without adequate training and support, employees can easily become demotivated. Low levels of remuneration – especially in some emerging markets – can exacerbate this, leaving employees open to lucrative external offers for black-market card details. The severity of this risk increases in line with contact center size, according to Deloitte.
Secondly, achieving compliance with strict industry security standards is a cumbersome, complex and costly process. Contact centers can struggle to meet and maintain this day in, day out.
The global payment security standard, PCI DSS, was introduced to reduce risk and keep customer payment transactions safe and secure. In January 2015, the latest edition of the standard, PCI DSS 3.0, becomes the only standard for new assessments. Requirements are both more extensive and stricter.
Physical security measures such as clear-desk policies, banning mobile devices, offline data storage, checking bags and staff supervision all help; but on their own they are not enough to achieve and maintain PCI DSS compliance. The on-premise phone infrastructure many contact centers rely on can be difficult and expensive to adapt, while solutions for keeping payment card data out of the hands of the agent processing the transaction are often disruptive. If poorly implemented or maintained, they can fail in their primary goal of removing the local infrastructure from scope.
Fortunately, there is an alternative. Secure, PCI-compliant, cloud-based call recording and payment processing solutions can take up to 90% of payment processing out of the scope of compliance, significantly reducing risk with minimal effort. Moreover, they can maintain these compliance-level security standards 24/7, 365 days a year.
For example, many contact centers make use of a process known as dual-tone multi-frequency (DTMF) data entry. This involves customers being asked to input their details using their phone’s push buttons rather than by speaking them.
New technology lets you mask these tones so the agent cannot hear the numbers and they never enter the call recording system. The conversation between the agent and customer continues without disruption, keeping the call and transaction PCI compliant, and improving both the customer experience and agent productivity.
Other security benefits of cloud-based call recording include real-time call monitoring, playback and word/text analytics. These ensure that high-risk phrases, inappropriate requests for numbers and personal data, etc., can be quickly identified and intercepted. Because the service is cloud-based, standards and policies can be applied consistently across the world.
However, payment information may also reach your contact centers via email, text or social media. This needs to be equally protected; PCI-compliant, cloud-based solutions for multi-channel payment processing are in development.
A lot of this applies as much to the contact center down the road as it does to one on the other side of the world. Differences really emerge when it’s time for assessment. Not the annual, official QSA assessment by a third party that hopefully results in PCI DSS accreditation for the next 12 months; but the internal assessments undertaken by the business that ensure all its centers remain up to scratch.
In theory, a contact center could slip below the benchmark within hours of accreditation, and not pull itself up again until the external assessors return 52 weeks later. In practice, of course, this rarely happens, but resource constraints could mean that far-flung locations find themselves monitored less frequently than those a few hours’ travel away, leaving them at greater risk of a security breach.
Cloud-based, centrally managed solutions can help here too. They not only remove areas from scope but can enforce parameters and permissions for any location, from anywhere in the world, at any time.
This isn’t just admin; it’s business-critical. Achieving compliance is hard. Maintaining those standards is harder. A PCI-compliant, cloud-based payment processing solution takes this challenge out of your hands and ensures standards never slip. Your customer payment data stays safe – as does your brand reputation.
Frank Ortiz is Global Head of Sales at Cognia.