Our panel of experts present tips and methods of combating the threat of those seeking illegal access to customer information.
1. Employ a Multi-Layered Form of Defence, like Phoneprinting
Voice biometrics goes some way in assisting contact centres when issues, such as fraudsters bypassing knowledge-based authentication (KBA) questions, arise. However, a multi-layered form of defence such as phoneprinting can provide the assistance these advisors need.
The contact centre advisor’s best line of security lies in multi-layered fraud detection technology. Where other voice biometric technologies fall short is in their inability to differentiate between devices or to identify patterns in user behaviour.
Phoneprinting can identify specific components about each call, such as the call location, device, and repeat call behaviour. This means the contact centre advisor’s role becomes more about providing a good experience, benefiting the customer experience and significantly improving security.
Thanks to Matt Peachey at Pindrop
2. Add an Audit Trail to Your Systems
It may be quite common to have an audit trail on the server that keeps track of all changes made to the systems. However, it is good practice to evolve the extent of this audit trail so that it becomes something like a logbook for the entire contact centre activity.
For example, it would record everything, from the length of each call that every agent takes, to how long it takes each advisor to reply to a customer before they have exhausted their communication channels; from which customer records were viewed by which advisors, to who has deleted or changed bank details.
This would prove an invaluable record of data because of the levels of scrutiny it would allow should something need to be considered in the future.
3. Consider Automatic Alerts
This is a simple but effective security process, which many contact centres forget about with the continual developments of technology.
It is simple in that when an anomaly is detected, rather than red flagging it within the system itself, it sends an SMS to a human – using the mobile phone network so that it is separate from the internet.
This way, any issue can be dealt with in the most efficient manner possible, rather than no one noticing it for a few days, particularly if that part of the system is not used on a daily basis.
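Tips 2 and 3 work together, as this added example shows (it is not from the original article or any vendor named in it): a constructed audit trail is scanned for bank-detail changes and bulk record viewing, and each finding becomes a short message that an out-of-band SMS gateway could send. The field names, action names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail; the field and action names are assumptions.
AUDIT_TRAIL = [
    {"ts": "2024-03-01T09:00:00", "advisor": "adv01", "action": "view_record", "customer": "C100"},
    {"ts": "2024-03-01T09:30:00", "advisor": "adv01", "action": "view_record", "customer": "C101"},
    {"ts": "2024-03-01T10:00:00", "advisor": "adv02", "action": "view_record", "customer": "C200"},
    {"ts": "2024-03-01T10:01:00", "advisor": "adv02", "action": "view_record", "customer": "C201"},
    {"ts": "2024-03-01T10:02:00", "advisor": "adv02", "action": "view_record", "customer": "C202"},
    {"ts": "2024-03-01T10:04:00", "advisor": "adv02", "action": "view_record", "customer": "C203"},
    {"ts": "2024-03-01T11:00:00", "advisor": "adv03", "action": "change_bank_details", "customer": "C300"},
]

SENSITIVE_ACTIONS = {"change_bank_details", "delete_bank_details"}
VIEW_LIMIT = 3                   # assumed threshold: distinct customers per window
WINDOW = timedelta(minutes=10)   # assumed sliding window


def find_anomalies(events, view_limit=VIEW_LIMIT, window=WINDOW):
    """Return short alert messages, oldest first, suitable for an SMS body."""
    alerts = []
    recent_views = defaultdict(list)   # advisor -> [(timestamp, customer)]
    already_flagged = set()            # alert once per advisor for bulk viewing
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        who = ev["advisor"]
        if ev["action"] in SENSITIVE_ACTIONS:
            alerts.append(f"{ev['ts']} {who}: {ev['action']} on {ev['customer']}")
        elif ev["action"] == "view_record":
            # Keep only this advisor's views that fall inside the window.
            kept = [(t, c) for t, c in recent_views[who] if ts - t <= window]
            kept.append((ts, ev["customer"]))
            recent_views[who] = kept
            distinct = {c for _, c in kept}
            if len(distinct) > view_limit and who not in already_flagged:
                already_flagged.add(who)
                minutes = int(window.total_seconds() // 60)
                alerts.append(f"{ev['ts']} {who}: viewed {len(distinct)} customer records in {minutes} min")
    return alerts


if __name__ == "__main__":
    for message in find_anomalies(AUDIT_TRAIL):
        print(message)   # a deployment would hand this to its SMS gateway
```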
4. Ensure Password Protection
Another simple security measure, but often overlooked or not applied extensively enough, is password protection, which can be utilised on any email attachments, reports, storage data, training notes, supervisor portals, overnight batches, etc.
The encryption on these files creates an extra layer of security, thus ensuring that they are seen only by those who have been granted the appropriate permissions.
5. Encrypt Social Media Accounts
Social media is your company’s reputation. More so than your website for some companies, as this is where customers interact with you and expect to see customer service at its best.
Therefore, having certain fields, user names and passwords encrypted is crucial for good-practice security. These can then only be opened with an access token, or hashed key, that represents the user name and password for these accounts and secures the data from being hacked.
If there was a breach of security, the access token can simply be revoked and changed, all without compromising the actual user name and/or password.
6. Check the Type of Server Your Vendor Will Be Using to Host Your Data
When choosing vendors for your software, it is important to be aware of the kind of server they are planning to host your data on.
If your data is hosted on a shared server with multiple tenants, ensure that they have some safeguards in place to protect your confidential information, so that users cannot access or exploit permissions, even by mistake. Likewise, a shared tenancy server should also have user-friendly tools that allow you to gain access to your own data at your convenience.
If, however, your company’s data is highly confidential, it is recommended that your vendor hosts you on a dedicated server.
Thanks to Susannah Richardson at mplsystems
7. Use Intelligent IVRs, Recording Applications, Analytics or In-Depth Customer Profiling
The use of more intelligent IVRs, recording applications, speech analytics or more in-depth customer profiling will certainly help to combat fraud.
Connecting customer-related data sources and presenting relevant information in a single application empowers the contact centre advisor to draw quick conclusions if something isn’t quite right.
Developments in pioneering technology are also breaking new ground, including biometrics and Artificial Intelligence (AI).
Humans are unique individuals and, as such, display patterns that can be recorded, analysed and identified. From voice signatures to retinal images, our DNA gives our real identity away.
Thanks to Teon Rosandic at Genesys
8. Create Your Own Compliance Processes
It’s no secret that becoming Payment Card Industry Data Security Standard (PCI DSS) compliant is not easy as there are lots of technical issues that need to be overcome. However, the biggest issue in a secure process is often the people involved.
The more you can limit the number of people who are exposed to sensitive data, and the amount of data they can see, then the more secure you are going to be.
The ideal solution to this is if your people are never exposed to cardholder data in the first place. If you don’t have the data, then you can’t lose it.
Technology such as a mid-call IVR allows companies to offload the cost and risk of providing PCI compliance to a SaaS provider.
In addition, you could create your own PCI DSS compliant processes and get your contact centre advisors to handle the credit card payments. However, it is very easy to underestimate the complexity, cost and risks of doing so.
Thanks to Ashley Unitt at NewVoiceMedia
9. Use Cloud to Meet PCI Compliance
PCI compliance can be simpler with advanced cloud-based applications. The whole advisor conversation can be recorded without interruption, but without having any card information being stored on business systems or heard by advisors.
The telephone keypad is used to enter card details in a secure mode with masked tones that cannot be identified. All payments are secure and the agent remains on the call to assist the customer throughout the process.
Using a specialised cloud contact centre takes the issue of compliance out of your hands, making the job of PCI-DSS compliance an all-round easier prospect for you and providing a better experience for your customers.
Thanks to Enda Keneally at West Unified Communications
10. Use Divert Detection
Divert detection takes into account a redirected call or a forwarded SMS message, to help boost security assurances.
By conducting a real-time check at the network level, completely transparent to the consumer, which doesn’t require any additional software, divert detection allows advisors to detect if fraudulent activity is being carried out. The transaction can then be immediately cancelled.
So, divert detection is a powerful service to indicate whether a fraudulent activity is about to take place, rather than responding reactively after an incidence of fraud has occurred.
The difficulty with secure mobile transactions is that much of this is based on trusting the device, through ‘peer-to-peer’ methodology relying on the phone being secure in the original owner’s possession. This should not stop contact centres from deploying multiple layers of security to ensure that the device remains in the possession of the owner.
Thanks to Keiron Dalton at Aspect Software
11. Ensure Your Entire Network System Is Compliant with PCI Guidelines
When it comes to customer data in the contact centre, a secure computing environment resistant to breaches and attacks is essential. Cybersecurity experts make it clear that it is impossible to keep hackers out of the network if it is connected to the outside world.
The most important job is to monitor network traffic continuously, so that any anomalies can be identified and dealt with quickly. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the internet.
The key here is to have IT security policies and procedures that provide total visibility of the entire network, all its connections and who is entitled to do what. Without this visibility the network will be prone to weak links that can be exploited by cybercriminals and hackers.
12. Introduce Strict Role-Based Security
In any contact centre environment, advisor and supervisor desktops should have role-based log-ins to limit the number of staff exposed to sensitive data. This will ensure that individual staff members only have access to what they need to do their job.
For example, a sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but supervisors should not be able to view sensitive customer data.
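The two role examples above can be written as a deny-by-default permission check that also records every decision. This is an added illustration, not code from the article; the user, role, action and team names are assumptions.

```python
# Role -> permitted (action, resource) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "sales_rep": {("view", "customer_details")},
    "team_supervisor": {("view", "team_performance")},
}

# Resources that are only visible for teams the user is assigned to.
TEAM_SCOPED = {"team_performance"}

# Constructed users for the example.
USERS = {
    "alice": {"role": "sales_rep", "teams": {"team-a"}},
    "bob": {"role": "team_supervisor", "teams": {"team-a"}},
}

ACCESS_LOG = []   # every decision, allowed or denied, is kept for later review


def authorize(user, action, resource, team=None):
    """Return True only if the user's role grants the action within scope."""
    profile = USERS.get(user)
    allowed = False
    if profile is not None:
        granted = ROLE_PERMISSIONS.get(profile["role"], set())
        if (action, resource) in granted:
            # A supervisor sees performance only for an assigned team.
            allowed = resource not in TEAM_SCOPED or team in profile["teams"]
    ACCESS_LOG.append({"user": user, "action": action, "resource": resource,
                       "team": team, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    checks = [
        ("alice", "view", "customer_details", None),
        ("alice", "delete", "customer_details", None),
        ("bob", "view", "team_performance", "team-a"),
        ("bob", "view", "team_performance", "team-b"),
        ("bob", "view", "customer_details", None),
    ]
    for user, action, resource, team in checks:
        print(user, action, resource, team, authorize(user, action, resource, team))
```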
13. Protect Your Customers’ Data with Physical Security Measures
In addition to infrastructure, staff, and user security, contact centres should also take physical security measures to restrict access to sensitive customer and payment data.
These access control measures may include limiting access to key areas of the building by adopting an RFID card system, and ensuring access passwords are strong (e.g., a mix of numbers, and lower- and upper-case characters) and changed regularly.
Additional security measures may include surveillance cameras, as well as security staff with suitable background checks.
Thanks to Frank Sherlock at CallMiner
14. Deploy a Secure Cloud-Based Solution
Reports indicate that 80% of organisations are still not PCI DSS compliant, with four out of five failing at the interim assessment stage and opening themselves up to fines in the future.
Therefore, it makes sense to work with a PCI DSS compliant technology partner to build a robust and secure infrastructure.
The main danger points for contact centre security fall within three areas: storage, people and infrastructure. The ability of dishonest or careless employees to access call recordings or write down card details should not be ignored.
The deployment of a solid, secure cloud-based solution is one way of increasing security levels that aid organisational data security and compliance to protect sensitive customer data at all times.
Thanks to Colin Hay at Puzzel