Contact centers routinely handle information that is of great value to potential attackers both inside and outside the organization. However, studies show that contact centers often lag behind other businesses in protecting that data, which can result in high-profile breaches with severe financial and reputational consequences. The latest U.S. data security laws will require many contact centers to upgrade their infrastructure in 2020 in order to maintain regulatory compliance. Regular vetting and training of staff members is essential for contact centers that wish to keep their customer data secure.
Security analysts generally consider contact centers to be high risk because of the large amount of Personally Identifiable Information (PII) they handle, including Social Security numbers (SSNs) and payment data. Handling this data makes them prime targets for external attackers such as hackers and scammers. However, contact centers are also vulnerable to insiders such as customer service representatives (CSRs) and agents who may have an incentive to obtain PII. While the vast majority of contact center employees are trustworthy, it only takes one who isn’t to compromise millions of records.
These data breaches may be caused by simple human error or curiosity. However, they can also be the result of attackers who wish to obtain this information for financial gain, whether they use it themselves or sell it on the black market. Data breaches need not be technologically advanced; sometimes, they can be as simple as a staff member writing down a credit card number.
Data Protection Measures
Data security measures should begin with an emphasis on basics such as consistently locking a computer with a password when leaving the workstation. Staff members must also protect these passwords by changing them regularly and never writing them down. They should also report suspicious incidents, even if an incident isn’t specifically a security violation.
Technologically advanced measures for protecting data include enforcing the principle of least privilege user access (LUA). Implementing this practice in a contact center essentially means that staff members should only have the minimum access to PII that they need to do their jobs. Contact centers can also protect data by segmenting their networks. For example, payment information should be maintained on a separate network from those used to handle other information like email.
Contact centers may be subject to compliance requirements from multiple regulatory bodies, depending on the specific type of data they process. For example, most contact centers handle payment information, which generally means they must comply with Payment Card Industry Security Standards Council (PCI SSC) requirements.
The PCI SSC released its latest guidelines on protecting telephone-based payment card data in late 2018, which was the first time these guidelines had been updated since 2011. These guidelines are a major resource for contact centers that must deal with the continuing technological and regulatory changes in the PCI. For example, the current version has been updated with critical new recommendations on performing audits to assess a contact center’s compliance with the PCI Data Security Standard (PCI DSS).
A 2018 survey of contact center agents shows that contact centers are particularly vulnerable to data breaches, largely as a result of outdated practices in data collection and fraud prevention. Seventy-two percent of the agents in this survey reported that they required customers to recite credit card numbers aloud, without the use of readily available technologies for securing voice transactions. Another 30 percent of agents indicated they could access customer PII without being in contact with that customer.
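Least privilege as described above, and the survey finding that agents could reach PII with no customer on the line, both come down to one access decision: show a field in the clear only when the role needs it and, for the most sensitive fields, only during a live interaction with that customer. The following is an added example of such a gate, not code from the original article or from any product; the role names, field names, customer record and the rule that SSN and card data require an active call are all constructed assumptions.

```python
"""Least-privilege PII gate for a contact center agent desktop (illustrative)."""
from dataclasses import dataclass, field

# Fields each role may see in the clear (assumed role names).
ROLE_FIELDS = {
    "csr": {"name", "email"},              # general support never sees SSN or card
    "payments": {"name", "card"},          # payment desk sees card data only
    "supervisor": {"name", "email", "ssn"},
}
# Fields that additionally require a live interaction with that customer.
CONTACT_REQUIRED = {"ssn", "card"}

# Constructed sample record; none of these values are real.
CUSTOMER = {"id": "C-1001", "name": "Pat Example",
            "ssn": "123-45-6789", "card": "4111111111111111",
            "email": "pat@example.test"}


def mask(value: str) -> str:
    """Keep only the last four characters, as on a printed receipt."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class PiiGate:
    active: dict = field(default_factory=dict)  # agent -> customer id on the line
    audit: list = field(default_factory=list)   # (agent, customer, fields shown in clear)

    def start_call(self, agent: str, customer_id: str) -> None:
        self.active[agent] = customer_id

    def end_call(self, agent: str) -> None:
        self.active.pop(agent, None)

    def view(self, agent: str, role: str, record: dict) -> dict:
        """Return the record with every field the agent may not see masked."""
        on_call = self.active.get(agent) == record["id"]
        allowed = ROLE_FIELDS.get(role, set())
        shown = {"id": record["id"]}
        clear = []
        for name, value in record.items():
            if name == "id":
                continue
            ok = name in allowed and (name not in CONTACT_REQUIRED or on_call)
            shown[name] = value if ok else mask(value)
            if ok:
                clear.append(name)
        # Every lookup is logged so reviewers can spot off-call PII access.
        self.audit.append((agent, record["id"], sorted(clear)))
        return shown
```

The audit list gives reviewers exactly the signal the survey points at: any entry listing a card or SSN field for an agent with no matching active call is an access that should not have happened.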
The number of intentional attempts to access PII was a particularly concerning result of this survey. Nine percent of agents responding to this survey reported knowing someone who had shared PII for an improper purpose. Another seven percent of respondents indicated someone within their organization had asked them to disclose PII. Four percent of the agents said someone outside their organization had asked for PII.