Call Center Security 101: Security Needs in your Call Center
We get a lot of questions about what kind of security a call center needs. Most security is nowhere near where it needs to be for American customers. Most of our security protocols are based upon being PCI compliant. Payment Card Industry (PCI) compliance is required by credit card companies to protect their customers’ data.
We want to protect all personal data of our customers, not just credit card numbers. To do that, there are certain security profiles that need to be set up to make sure the organization, associates, and customers are all safe. There are week-long seminars on PCI compliance that don’t cover every scenario. The list below is not exhaustive but carries information that all call centers should be thinking about.
All call center doors should be locked. Whether you are using number pads, swipe cards, or biometric locks, only the people who work on each floor should ever be there. This can be hard to control in a big center, so every rep wears a name badge. Ours have their photo, ID number, and the area that they work in. Because the badges are also color-coded, a glance at the name badge lets a supervisor know if someone is where they shouldn’t be.
Your technical spaces that house your switches, wires, and servers should be locked down, with only very specific people having the ability to enter. Computer stations should also be locked down: make sure that USB and other access points are unavailable, and that your reps can only get to certain websites.
Background checks are a necessity when hiring most agents. You need to know if your potential agents have previously committed fraud, robbery, or identity theft. You most likely would not like those potential hires to have direct contact with sensitive personal information.
Designate a specific cell phone usage area in your building. You cannot be PCI compliant while also allowing cell phones or wearable technology on the call center floor. Too much confidential information is available and anyone with wearable tech could easily steal it. At Expivia, if cell phones are seen or heard on the floor, it is an automatic suspension for that agent.
We have cameras everywhere as protection for the associates and the organization. There needs to be express written acknowledgment of the recordings; check your state laws pertaining to video recording in your center. Upon being hired, most centers require signatures from employees stating they know that their calls will be monitored and recorded. Be sure to include video recording through all non-private areas of your building in that as well.
Surely you have firewalls and protections set up at the network level, but each computer should also have enterprise virus protection software. Enterprise virus protection software can save your business. Don’t go for the free version. Pay for it. Each computer also needs firewall protection to protect it from any outside forces.
Do you use a single sign-on for the workstations in your organization? You probably have a username and password for your telephony system and customer relationship management system. But when logging into a computer, does everybody use the same login? They shouldn’t. It can be a hassle to create and assign hundreds of agents their own sign-on information, but do it anyway. We do it programmatically with our telephony platform. Our NICE InContact login is the same as the computer login.
Depending on your size, you may need a helpdesk to document any problems along with the IT ticketing system; we use Slack to keep it organized. Helpdesk ticketing goes along with your change management information. Any changes that are made programmatically need to be documented for PCI compliance. New software and new implementations of integrations all need to be documented. It must be a regimented process that you can look at later when something goes wrong.
Updates must be done regularly on your computers. When an update gets pushed out, it needs to be installed quickly so there isn’t a huge backlog of updates to be done.
Third-party firewall penetration testing should be done periodically to be sure outsiders are unable to breach your network. Becoming PCI compliant comes with a price tag, but it is a necessary expenditure.
We are trying to protect our customers, clients, associates, and overall organization from the many things that can go wrong from a security standpoint, and you need to do the same for your organization. There are phishing schemes that come along every day. One thing you can do to help combat that is to set up certain categories in your speech analytics platform. Speech analytics can be used for so many things, including one of our main uses for it, fraud protection (why I am such a big fan!).
A client of ours had fraud within their center. One of their reps was scheming with a cousin who did not work there. The cousin would call in, using information the employee provided, and ask to “update her address in the system.” She would also ask to have a new debit card sent to the new address. They would use the card for fraudulent charges. This went on for months before it was caught.
The company then came to Expivia and asked how we could help stop it. One of the first things we did was program our speech analytics to flag any call requesting an “address change” and/or a “new debit card”. There are people who look at those specific flagged records every day if they come through.
Voice authentication can also add a huge layer of fraud protection. A customer will call and opt-in for voice authentication. Servers will listen to them and are able to be certain it is the same person calling the next time. If you are any type of financial service, you need to look into this.
One basic method of fraud protection anyone can do is to look for the same ANI (automatic number identification) calling into the center many times. When the same number calls 45 times in a month, look at the ANI and the reps that are listed to see what’s going on.
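The two checks described above, the speech-analytics flag on “address change” / “new debit card” and the repeat-ANI review, can be combined into one daily review queue. This is an added example, not Expivia's tooling; the record fields, the `update my address` phrase variant, and the sample calls are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# "address change" and "new debit card" are the categories named in the article;
# "update my address" is an assumed variant of the first.
FLAG_PHRASES = ("address change", "update my address", "new debit card")

def flagged_phrases(transcript):
    """Return the watch-list phrases that occur in one call transcript."""
    text = transcript.lower()
    return [p for p in FLAG_PHRASES if p in text]

def review_queue(calls, ani_threshold=45):
    """Group calls by (ANI, month) and return the groups a reviewer should open."""
    groups = defaultdict(list)
    for call in calls:
        groups[(call["ani"], call["date"][:7])].append(call)  # date is YYYY-MM-DD
    findings = []
    for (ani, month), group in groups.items():
        reps = Counter(c["rep"] for c in group)
        hits = Counter(p for c in group for p in flagged_phrases(c["transcript"]))
        if len(group) < ani_threshold and not hits:
            continue  # ordinary caller, nothing flagged
        top_rep, top_count = reps.most_common(1)[0]
        findings.append({
            "ani": ani, "month": month, "calls": len(group),
            "repeat_caller": len(group) >= ani_threshold,
            "phrases": dict(hits),
            "top_rep": top_rep,  # one rep taking most of the calls is the pattern to check
            "top_rep_share": round(top_count / len(group), 2),
        })
    return sorted(findings, key=lambda f: (-f["calls"], f["ani"]))

def sample_calls():
    """Constructed records, not real data: one ANI calls 45 times in a month."""
    calls = [{"ani": "814-555-0101", "date": f"2020-01-{i % 28 + 1:02d}",
              "rep": "R17" if i < 40 else f"R{20 + i}",
              "transcript": "I need an address change" if i % 9 == 0
                            else "Just checking my balance"}
             for i in range(45)]
    calls.append({"ani": "814-555-0142", "date": "2020-01-07", "rep": "R03",
                  "transcript": "Please send a new debit card"})
    calls += [{"ani": "814-555-0199", "date": f"2020-01-1{d}", "rep": "R05",
               "transcript": "What are your hours?"} for d in (0, 1)]
    return calls

if __name__ == "__main__":
    for finding in review_queue(sample_calls()):
        print(finding)
```
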
Using all of this technology will save you from headaches in the long run.
On-call or Real-time Production Security
Most call centers record 100% of their calls. Many of those calls include sensitive personal information like account or social security numbers, credit cards, addresses, or birthdates. When on a call that requires that information to be shared, you need to mask all but the last four digits of those sensitive numbers. If your telephony platform cannot mask, you are opening yourself up to security issues.
In some centers, the agent has to physically push a button to mask the information, but there are also platforms that will mask it automatically. Not masking this information is opening your organization up to a lot of problems. You also need to try to scrub as much personal data from your servers as you possibly can for your customers. When accepting payments, those need to be processed immediately, not batched out later that day.
Two-factor authentication is being used to prevent phishing attempts. When a customer forgets their password, two-factor authentication helps to get them information safely. We will send them a text or email to be sure it is the actual person requesting the information, and THEN we go through another security protocol to help them.
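The masking rule above (keep only the last four digits) applied to text such as call notes or transcripts, as an added example that is not from the original article or any telephony platform. The patterns, function names, and sample sentence are assumptions; the card number is the widely published Visa test number and the other values are constructed.

```python
import re

# 13 to 19 digits with optional single space or dash separators (card-number lengths).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US social security number in its usual written form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_keep_last4(number_text):
    """Replace every digit except the last four with '*', keeping separators."""
    n_digits = sum(c.isdigit() for c in number_text)
    out, seen = [], 0
    for c in number_text:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)

def mask_sensitive(text):
    """Mask SSNs and Luhn-valid card numbers in free text."""
    def card(match):
        digits = re.sub(r"\D", "", match.group())
        # Trade-off: a digit run that fails Luhn (order number, mistyped card)
        # is left as-is; drop the check to mask every 13-19 digit run instead.
        return mask_keep_last4(match.group()) if luhn_ok(digits) else match.group()
    text = SSN_RE.sub(lambda m: mask_keep_last4(m.group()), text)
    return CARD_RE.sub(card, text)

# Constructed sample note.
SAMPLE = "My card is 4111 1111 1111 1111, SSN 123-45-6789, order 1234 5678 9012 3456."

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE))
```
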
Policies and Procedures
We really suggest going to a website that discusses PCI compliance. Look at the mandatory policies and procedures that need to be used and on file to get certified. There are many things you need to think through. Once you understand what needs to be done, get your management involved and write your own policies and procedures, then begin implementing them in your call center as soon as possible.
There are other security protocols like HIPAA (Medical Data) and SOC2 Compliance that you could put in place to add another level of security to the mix. All need to be looked at depending on your vertical.
As soon as you begin to think that nothing will happen to your organization, you will get nailed. Do not get complacent. Do your homework to keep your organization safe. Security is not something you can be lazy or cheap with. Make it your goal for 2020 to improve your security to the highest level; your clients and customers will appreciate it.