May 18th, 2016
A primary means today of complying with PCI data privacy regulations for contact centers is to pause and resume the call recording system so as not to capture parts of the customer call in which sensitive information (e.g., credit card data, social security number, etc.) is being given. In many cases, this method works in terms of keeping personally identifiable data off the call recorder. But that is where the value stops.
Sure, the call recording system won’t have a recording of the customer verbalizing his/her sensitive information when pause/resume works, but what about the agent hearing the data live? That can be a potential failure point. And what if the pause feature on the call recording system fails or the agent forgets to push the pause button? That’s another potential failure point.
In larger contact centers with bigger budgets, sometimes desktop analytics is added to the call recording system to trigger events based on the agent’s screen navigation, and this can also be set up to prompt a pause in the call recording. For example, if an agent navigates to the credit card payment page, the desktop analytics can be configured to send a pause command to the recording system. Once the agent navigates away from the payment page, the recording would then be prompted to resume.
Desktop analytics can certainly bring significant value to a contact center, but it also comes with a hefty price tag and substantial upfront and ongoing programming work to make all the triggers work properly. Add to that the fact that every time the agent’s desktop is updated, the desktop analytics may need to be updated to match what has changed. This can add significant time and money to the call center’s total cost of ownership, especially when you consider that it takes a team working for months with the call recording company to configure all of the triggers. A final note here is that the desktop analytics system is far from foolproof and it can fail to send the pause trigger. When this happens, the company is at risk.
When it comes to compliance with strict regulations like PCI and HIPAA, contact centers can’t afford to play around. PCI-DSS clearly states, for example, that vendors/merchants cannot store recordings containing the verbalization or screen capture of credit card data. Each time there is a failure point with regard to pausing/resuming the call recording system, the company leaves itself vulnerable to severe penalties such as loss of merchant credit card privileges, fines and more.
A more comprehensive list of potential failure points with pause/resume call recording features includes:

1. Agent forgetting to pause the call
2. Pause/resume feature of the call recording system failing
3. Pause/resume trigger in the desktop analytics system failing
4. Quality assurance team evaluates one of these calls in number two above
5. Agent hears the customer verbalizing their sensitive data
6. Agent’s screen is showing the customer’s sensitive data as he/she enters it (passersby in the contact center can see the screen)
7. Agent reads back the customer’s sensitive data to verify correct entry (other agents in the contact center can hear the sensitive data being read back to the customer)
8. The screen recording component of the call recording system fails to pause the screen recording, and the screen capture of the credit card data entry is accidentally recorded and stored.
With the pausing/resuming of call recordings, quality assurance teams are also not able to get the full picture of the call. Suppose an agent who does nothing but capture payment from customers (via credit card) needs to be evaluated by the quality team. Every one of his/her calls will be incomplete. What happens if the agent makes a navigational error during each call which wastes a lot of time? What happens if the agent is rude during the credit card capture portion of the call? Evaluators would never capture this as those portions of the call would be erased via pause/resume.
What’s more, in a pause/resume scenario, merchants/vendors also need to make sure their contact center is equipped with CTI technology that will at least alert contact center management when pause/resume failure occurs so those recordings can be properly handled. Without such capabilities, these sensitive call recordings can put the company at risk.
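One way to detect the pause/resume failures described above is to correlate the agent's payment-page navigation with the recorder's pause and resume events for each call, and flag any span where the page was open while recording was running. This is an added example, not code from the original article or any vendor; the event names, the sample events and the two-second grace period are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (call_id, seconds into call, event name).
# The event names are hypothetical, not taken from any recorder or CTI product.
EVENTS = [
    # call-1: pause and resume fired as intended
    ("call-1", 40, "payment_page_enter"), ("call-1", 41, "rec_pause"),
    ("call-1", 95, "payment_page_exit"), ("call-1", 96, "rec_resume"),
    ("call-1", 120, "call_end"),
    # call-2: the pause trigger never fired
    ("call-2", 30, "payment_page_enter"), ("call-2", 80, "payment_page_exit"),
    ("call-2", 100, "call_end"),
    # call-3: recording resumed while the payment page was still open
    ("call-3", 20, "payment_page_enter"), ("call-3", 20, "rec_pause"),
    ("call-3", 50, "rec_resume"), ("call-3", 70, "payment_page_exit"),
    ("call-3", 90, "call_end"),
]

def unpaused_exposure(events, grace=2):
    """Return (call_id, start, end) spans where the payment page was open
    while the recorder was running for more than `grace` seconds.
    `end` is None when the event stream stops while still exposed."""
    by_call = defaultdict(list)
    for call_id, ts, name in events:
        by_call[call_id].append((ts, name))
    findings = []
    for call_id, evs in sorted(by_call.items()):
        on_page = paused = False
        start = None  # start of the current exposed span, if any
        for ts, name in sorted(evs, key=lambda e: e[0]):
            if name == "payment_page_enter":
                on_page = True
            elif name in ("payment_page_exit", "call_end"):
                on_page = False
            elif name == "rec_pause":
                paused = True
            elif name == "rec_resume":
                paused = False
            exposed = on_page and not paused
            if exposed and start is None:
                start = ts
            elif not exposed and start is not None:
                if ts - start > grace:  # ignore normal trigger latency
                    findings.append((call_id, start, ts))
                start = None
        if start is not None:  # stream ended mid-exposure: treat as a failure
            findings.append((call_id, start, None))
    return findings
```

Each finding identifies a recording that needs handling, along with the time range within it that may contain cardholder data.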
A viable solution to this problem is DTMF data capture of sensitive customer data. The customer simply keys in his/her credit card number (for example) via their telephone keypad and the data is captured, encrypted in a server and never touches the agent’s desktop when captured. The data is immediately routed to the payment processor, without ever touching the call recording system. Many call centers today are starting to employ such DTMF technology. As its adoption becomes more ubiquitous, the recurring pause/resume challenge will diminish and no longer be an issue. But, until that time, contact centers need to be aware of their vulnerabilities.