John Greenwood

Why contact centres must prioritise the security of customer data

By John Greenwood, Head of Technology & Payments, CCP

Contact centres, call centres and telemarketing agencies are under pressure right now to get their houses in order when it comes to the security of sensitive customer data. Under normal circumstances, the telecoms and IT systems that enable agents to handle calls, emails, chats and social communications are protected within the secure corporate perimeter. Covid-19, however, has forced a rapid exodus from physical offices and agents are working remotely on devices, many of which are not suitable for combating cyber crime.

Lock down happened quickly and for insurance and banking contact centres, still heavily dependent on legacy systems, the remote working model is not generally supported. This has meant that all too many of their agents have been using laptops, tablets, home PCs and personal smartphones that have either no up-to-date security, or software that is not designed to protect customer data and therefore compromising organisations obligations under the DPA 2018 and the PCI DSS.

Cyber criminals have seized the opportunity

Research from numerous security organisations and government agencies confirms the rise in cyber crime activity since March and for companies holding digital data on customers, there will have been a higher than average likelihood of being hit.

Attacks have come in a variety of insidious ways from phishing and ransomware through to key logging, which is malware that tracks every key as it enters the system. Human fallibility is a factor in whether these attacks succeed, however, it is endpoint devices – laptops and smartphones for example – that put companies and their data most at risk. According to the 2019 Endpoint Security Report, 70 per cent of cyber breaches originate at the endpoint, and 42% of endpoints are unprotected at any given time. When it comes to smartphones, the risk is not so much malware, but data leakage, but regardless of how the breach happens, once a customer’s personal data is exposed, there are serious implications for those involved.

Working within the PCI DSS requirements

There is an additional pressure for organisations taking card payments, who are obliged to meet the Payment Card Industry Data Security Standard (PCI DSS). This protects customer credit card data over landlines, mobile phones, through Chat or use of apps. Contact and call centres use processes, technologies to manage this, ensuring that wherever agents process cardholder data, the transactions are monitored, logged and secured, however the supporting processes and technology are within their physical estates.

Not every organisation is fully meeting its PCI DSS obligations, and adherence has become more sporadic over the last few months, but the contact and call centre industry needs to take this seriously. Any chink in their armour could result in data being stolen within seconds. While compliance to the PCI DSS is a contractual obligation with the acquiring bank, payment card data is treated by Data Regulators as personal data. Which means that in the event of a data compromise organisations should expect  payment card scheme penalties (up to €18.00 per card exposed) as well as fines from the Information Commissioners Office (ICO) and the potential of unlimited ‘class actions’ from card holders. As payment card data is more attractive to criminals than other common forms of personal data, having card data present in unsecured systems represents a significant risk as data breaches are commonly reported, there is the potential for serious brand and reputation damage that no company would welcome. All the more reason, therefore, for agents working remotely to be equipped with technology that protects them and their customers, and this includes secure endpoints.

Put in place comprehensive protection of data

Remote working is likely to continue for the immediate future, so the smartphones, tablets, home PCs or laptops that are being used by agents to process and access customer data should have, at the very least, the same security posture as the managed devices that reside within the company perimeter. This includes making sure that SaaS applications are isolated or ‘containerised’ from any potentially compromised unmanaged machines or endpoints.

The vulnerability of endpoints means that solutions have to specifically protect data entry, particularly into remote access apps, web browsers and Microsoft Office applications. Browsers that access the corporate network should be locked down, including URL whitelisting, enforced certificate checking and enforced https.

Whilst this is a comprehensive approach, it is neither time-consuming or costly. A simple download and install from pre-configured software will provide an effective and rapid resolution to the threat. Call centre IT managers can select proven anti-key logging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing customer credentials, payment and sensitive personal and credit card data and be sure that they are compliant with PCI.

Covid-19 is no longer an excuse for sub-standard service

As we begin to get back to a ‘new normal’, banks and insurance company customers will be looking for the highest standards from their financial services providers, regardless of whether the agent they speak to is working in a physical call centre environment, or at home. Covid-19 will no longer be an acceptable reason for not delivering a secure, compliant service. The contact centre industry must address areas of weakness and put in place the necessary procedures so that agents and customers can be confident that they, and their data, are fully protected.

Need help protecting your customer data?

If you would like to know more about the technologies that are available to help protect your customer data, the team at Contact Centre Panel can help. We have built a technology network to help businesses to source the ‘right fit’ providers, who can best meet their needs. This is a free of charge service and includes expert advice and guidance from our technology experts. If you would like to find out more :-

Get in touch