A recent article in PaymentsSource caught our attention. The piece argued that PCI compliance alone is not enough to prevent breaches, and that businesses should instead focus on chips and tokens as a best strategy. The author’s argument is that “while PCI compliance is necessary and useful, it’s not always sufficient to be fully secure. To counter this, independent software vendors (ISVs) must adopt a layered security approach that uses EMV, encryption technology and tokenization in addition to keeping up with PCI compliance requirements.”
In general, we agree that encryption technology and tokenization are invaluable security tools. Not leaving data on your system waiting to be easily stolen is obviously a good idea. Even better if it’s tokenized, making it nearly impossible to use.
However, these solutions won’t be 100% effective in a contact center environment. Using point-to-point encryption solutions in a contact center still exposes an organization to massive PCI compliance risks. While the data might not be stored in the organization's systems with this technology, there are holes when it comes to agent activity. Agent conversations are recorded, leaving room for hackers to steal the recordings. It also still leaves internal employees able to steal information, because agents can see and hear a customer’s PII.
Think about the last time you said your credit card number or social security number out loud to an agent on the phone. It probably felt unsafe, and it is. But what’s the best way to solve this issue?
On top of tokenization and encryption, contact centers need these calls to be descoped from PCI DSS. A solution like Agent Assist masks Dual Tone Multi Frequency (DTMF) tones, also known as touch tones, so that companies can receive payments by phone without agents seeing or hearing the PII and without the recording software picking up the information and storing it.
With the most recent Verizon 2018 Data Breach Investigations Report finding that almost a third of breaches are executed by an internal employee, this is not a risk that companies should be taking. Even if they completely trust their workforce, it’s not worth it.
If you have any questions about Dual Tone Multi Frequency or how to better secure your contact center, get in touch with our secure payment specialists today.