Avoiding the Breach: Taking the Next Step Beyond PCI-DSS Compliance to Minimize Contact Center Risk
Presented By: Eckoh
Whether a company is selling products, providing services, or making reservations for dining or travel, taking credit card information on the phone or in chat sessions is an integral part of customer interactions. While maintaining compliance with PCI DSS requirements in transactions is obviously a critical element, it does not ensure total protection from data breaches.
“A company may think it’s safe by putting a compliance process in place, but if someone takes their eye off the ball, there can still be considerable risk involved,” says Tony Porter, Head of Global Marketing for UK-based Eckoh, whose mission is to help make contact centers convenient and secure for consumers to use. “In many cases, a compliance methodology is not the same thing as a security methodology.”
The four greatest areas of risk for contact centers are:
- A contact center agent (or someone nearby) hears sensitive card data as it's read aloud
- An agent sees visible card data on their screen
- Card details are recorded and stored within a call recording system
- Data is transmitted through networks and systems
“The best way to avoid these risks is to insulate the contact center from exposure to credit card information, make sure no card data enters the environment. We call this descoping. It allows businesses to continue to take payments without having to continually monitor their activities to maintain compliance,” said Porter. “Some providers claim to descope but only address individual parts of the problem. We believe Eckoh’s CallGuard solution provides comprehensive descoping that protects businesses and their customers' cardholder data in a unique, cost-effective manner.”
“With our solution the phone call comes across our network and the transaction is still processed by the customer’s payment service provider, but the card never enters the customer's environment,” said Porter. “The customer stays connected to the agent at all times, but the agent doesn’t hear sensitive data, the call recording doesn’t contain it, and the contact center systems never receive it. Eckoh advises the agent when the payment is approved. This provides an excellent customer experience as there is no interruption to the call and the agent never loses touch with the caller. There are no changes necessary to business processes or workflow. We consider this far superior to awkward ‘pause and resume’ solutions where recording is turned off for part of the call, and it is far more comfortable for agents than expensive clean-room approaches.”
With Eckoh’s ChatGuard solution, organizations can achieve the same level of security in online chat transactions. “Customers get to the point in a chat interaction when they’re ready to buy something,” said Porter. “In many cases, they are told to go back to the website or call in to the contact center to complete the purchase, or worst of all, just enter their card details in an open chat window – even if secure – and send it to the agent. This is an extremely unsatisfactory customer experience as it requires the customer to move from the channel by which they were assisted, thus creating a barrier to sales.” ChatGuard removes this barrier by providing a seamless checkout experience for consumers through secure payment options within the web chat window. The agent can answer consumer questions throughout the chat session and stay with them throughout the purchase, avoiding the risk of cart abandonment that occurs when the customer is forced into another channel.
As well as delivering a smoother, more personal journey, ChatGuard completely secures the payment, with no cardholder data reaching the contact center or agent, and also helps agents to upsell and cross-sell by pointing out additional or alternative products during the chat interaction.
Porter emphasized that Eckoh doesn’t store any cardholder data. “We show placeholders to indicate progress of data entry by the customer, and we delete the true card data once the payment service provider has processed the transaction.” The solutions work in harmony with all existing technology platforms. “We designed the solution to wrap around our clients’ environment as opposed to needing to be embedded in their systems,” noted Porter. “Whatever changes they make in future, whether in their database or their CRM system, it doesn’t really matter because there is no heavy integration to be modified after such changes.”
Eckoh carries out almost all development and implementation for its clients; the company is aware that most businesses don’t have a great deal of IT bandwidth. These solutions only require what Porter terms “a very light touch” of integration. The real challenge for Eckoh is understanding the environment of each individual client to make it as lean an integration as possible. These solutions also solve the age-old problem of “work at home” agents taking payments securely and give contact center managers the freedom to use home workers or outsourcers, and to adapt their environment as business needs change.
Porter also points out that the system is the only one with the ability to accept Apple Pay payments over the phone. This feature has recently been extended to include Google Pay, PayPal and other new payment methods.
Some hosted contact center vendors claim to have a PCI DSS compliant payment solution, but this is often an IVR platform and once the call goes through to an agent, companies are still exposed to risk. Porter believes that this is a common source of confusion since many organizations don’t realize that it is their responsibility to ensure that customer data is secured throughout the call or chat session.
Among the verticals that are gravitating to Eckoh in large numbers are insurance, retail, travel, leisure, and transport. Although large BPOs would seem like an obvious niche, Porter noted that not many of them operate secure payment solutions. There is a gap in responsibility between the BPOs who are not fully responsible for customer data, and the enterprises or retailers who assume that an outsourced process is no longer their responsibility.
While Eckoh has had tremendous growth over the last 3 years, many businesses have not employed this methodology because they often mistakenly believe that they are fully compliant and that being compliant means they are secure. The two don’t equate at all. Porter sees compliance as being a “grudge purchase” for many organizations, akin to car insurance or home security systems for consumers. One of Eckoh’s key goals for this year is to help companies understand the limitations of the protection provided by many existing payment solutions, and why it makes both economic and operational sense for them to upgrade to a descoping solution.