How to Improve PCI Compliance for Customer Operations Teams and Call Centers

Any data theft is serious, but the loss or theft of payment card data can be especially devastating. Beyond the potential for millions of dollars in expenses, such data breaches can cause severe reputational damage, generating negative publicity that drives away customers and hurts revenues.

Furthermore, as a recent ComputerWeekly article noted, payment card data is also linked closely with other personal data such as names and home addresses. In some jurisdictions, such as the EU, failures to protect personal information could run afoul of GDPR regulations, which can lead to fines of up to 20 million euros or 4% of annual revenue.

To enhance global payment account data security, the Payment Card Industry Security Standards Council developed a Data Security Standard (PCI DSS). Compliance with PCI DSS cannot guarantee absolute protection from cyberattacks and data breaches. Nevertheless, any company that stores, processes, or transmits cardholder data is expected to be PCI compliant, meaning that they fulfill the technical requirements of PCI DSS. Many companies need to comply with PCI DSS, but the issue of PCI compliance is particularly important in industries such as retail and financial services where employees often handle sensitive financial data.


PCI Compliance Gets Harder

Before the pandemic, most customer service agents worked in highly controlled and monitored environments such as call centers, where companies had certain built-in advantages that made it a bit easier to ensure PCI compliance. In call centers, companies can strictly manage which computers and other equipment get used, forbid employees from bringing their personal devices into the workspace, and monitor for any insider threats or improper behavior that could lead to data leakage.

The COVID pandemic amped up the challenges of running PCI-compliant support operations to a whole new level. Suddenly, customer support teams that had been working side by side in call centers were scattered in work-from-home settings without any close supervision. 

With established routines suddenly scrambled, many companies turned to Fin to assist with data security and PCI compliance process monitoring. Fin’s Work Insights Platform runs as a Chrome extension. That means companies can roll out Fin’s technology quickly and easily across their workforce without having to worry about integration requirements. 

Fin’s Work Insights Platform enables companies to both record agent actions and perform retroactive audits to make sure that customers’ personally identifiable information has been properly handled. At the same time, the platform allows companies to conduct quality audits in order to improve every aspect of the customer experience. 

These capabilities motivated cryptoeconomy leader Coinbase to deploy Fin’s technology in 2020. “When our contact center agents started working from home last year, we looked for new solutions to understand productivity and maintain the high level of security that customers expect from Coinbase,” said Will Zhou, Director of Technology and Analytics at Coinbase. “Fin has provided critical insights into how we can enable a remote team during a period of rapid growth. We’ve since deployed Fin more broadly across our CX workforce.”

Boosting BPO Oversight

In a sense, the PCI compliance challenges posed by widespread adoption of work-from-home arrangements during the COVID pandemic are familiar to any company that relies on business process outsourcing (BPO). Here too, companies can be liable for any data breaches that occur due to mishandling of customer data by their BPO vendors, even though they may have limited oversight and control over the BPO providers who are controlling and securing that payment data. Fin’s Work Insights Platform can help companies improve BPO oversight in ways that strengthen PCI compliance and improve performance management.

Painting an Audit Trail

Data loss occurs when customer data – including payment card data – leaks out of secured systems. This can happen due to a cyberattack, but it can also be the result of a company’s own agents copying and pasting information from one application to another. Agents can engage in this behavior for multiple reasons. They may copy-and-paste as a shortcut or workaround, or they may have more nefarious intentions.

Either way, it’s a serious problem when customer data gets moved in insecure ways. Companies can guard against data losses, improve information security, and reduce PCI compliance risks by instituting better workflows and using APIs to facilitate safer data transfer among multiple applications.

But they won’t know where to focus their efforts unless they know where the leaks are occurring. That’s where Fin comes into the picture.

Fin provides an audit trail of what agents are doing during the workday. Fin’s Document Object Model (DOM) monitoring capabilities enable companies to identify and set triggers for specific activities that might be associated with data theft or leakage. 

For example, let’s say a company typically masks credit card details on a customer account page, but gives agents a way to unlock or copy the credit card number by clicking on a button. Using DOM monitoring capabilities, Fin can produce a report showing when agents click that button and let managers quickly jump to a video recording of that agent’s activity to confirm the behavior was necessary and PCI compliant. Fin can also highlight statistically anomalous behavior. For instance, perhaps agents typically only need to unlock a customer’s credit card details 1% of the time. Fin can alert managers if a certain agent clicks on that unlock button during 10% or 25% of customer interactions. This type of granular oversight can be vital in maintaining and proving PCI compliance. 
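The unlock-button scenario above can be sketched as two small pieces of logic. The block below is an added example written for this page, not Fin's code: a content-script style click handler that turns clicks on an "unlock card number" button into audit events, and a per-agent check that flags agents whose unlock rate is statistically unlikely given a fleet-wide baseline. It goes slightly beyond the text by using a binomial tail test instead of fixed 10% or 25% cut-offs, and by skipping agents with too few interactions to judge. The selector, the data attributes, the event names, the 1% baseline and the sample event log are all assumed or constructed for illustration.

```javascript
// Added example, not Fin's code. Assumed DOM contract: the unlock button matches
// UNLOCK_BUTTON_SELECTOR and sits inside an element carrying data-agent-id and
// data-interaction-id. Event names and the baseline rate are assumptions as well.
const UNLOCK_BUTTON_SELECTOR = 'button[data-action="unlock-card"]';
const BASELINE_UNLOCK_RATE = 0.01; // assumed fleet-wide rate ("1% of the time")

// (1) Build a click handler for root.addEventListener('click', handler, true).
// Clicks outside the watched button are ignored; every other click emits one
// audit event to `sink`. Returns true when an event was emitted.
function makeUnlockClickMonitor(selector, sink, now = () => Date.now()) {
  return function onClick(event) {
    const button = event.target && typeof event.target.closest === 'function'
      ? event.target.closest(selector) : null;
    if (!button) return false;
    const scope = button.closest('[data-interaction-id]') || button;
    sink({
      ts: now(),
      event: 'card_unlock_click',
      agent: scope.dataset.agentId,
      interactionId: scope.dataset.interactionId,
    });
    return true;
  };
}

// (2) Per-agent summary: distinct interactions seen, and the subset in which the
// unlock button was clicked at least once (repeat clicks in one call count once).
function summarizeByAgent(events) {
  const stats = new Map();
  for (const e of events) {
    if (!stats.has(e.agent)) stats.set(e.agent, { interactions: new Set(), unlocked: new Set() });
    const s = stats.get(e.agent);
    s.interactions.add(e.interactionId);
    if (e.event === 'card_unlock_click') s.unlocked.add(e.interactionId);
  }
  return stats;
}

function logFactorial(n) {
  let sum = 0;
  for (let i = 2; i <= n; i++) sum += Math.log(i);
  return sum;
}

// P(X >= k) for X ~ Binomial(n, p): the chance of k or more unlocked interactions
// out of n if the agent really behaved like the baseline. Summed in log space so
// that n in the thousands does not overflow the factorials.
function binomialUpperTail(k, n, p) {
  let tail = 0;
  for (let i = k; i <= n; i++) {
    const logTerm = logFactorial(n) - logFactorial(i) - logFactorial(n - i)
      + i * Math.log(p) + (n - i) * Math.log(1 - p);
    tail += Math.exp(logTerm);
  }
  return Math.min(tail, 1);
}

// Flag agents whose unlock rate is unlikely under the baseline. Agents with fewer
// than minInteractions are skipped: 2 unlocks in 5 calls is noise, not a signal.
function flagAnomalousAgents(events, { baseline = BASELINE_UNLOCK_RATE, alpha = 0.001, minInteractions = 20 } = {}) {
  const flagged = [];
  for (const [agent, s] of summarizeByAgent(events)) {
    const n = s.interactions.size;
    const k = s.unlocked.size;
    if (n < minInteractions) continue;
    const pValue = binomialUpperTail(k, n, baseline);
    if (pValue < alpha) flagged.push({ agent, interactions: n, unlocked: k, rate: k / n, pValue });
  }
  return flagged.sort((a, b) => a.pValue - b.pValue);
}

// Constructed sample log: the first `unlockedCount` of `n` interactions include an
// unlock click; the very first one includes a repeat click to show de-duplication.
function constructedEvents(agent, n, unlockedCount) {
  const events = [];
  for (let i = 0; i < n; i++) {
    const interactionId = `${agent}-i${i}`;
    events.push({ ts: i, event: 'account_page_view', agent, interactionId });
    if (i < unlockedCount) {
      events.push({ ts: i, event: 'card_unlock_click', agent, interactionId });
      if (i === 0) events.push({ ts: i, event: 'card_unlock_click', agent, interactionId });
    }
  }
  return events;
}

const SAMPLE_EVENTS = [
  ...constructedEvents('agent-a', 200, 2),  // 1%: matches the baseline
  ...constructedEvents('agent-b', 100, 12), // 12%: well above the baseline
  ...constructedEvents('agent-c', 5, 2),    // 40%, but only 5 interactions
];

console.log(flagAnomalousAgents(SAMPLE_EVENTS).map(f => `${f.agent}: ${f.unlocked}/${f.interactions}`));
```

In a real extension the sink would forward events from the content script to the background worker and on to a server, where the aggregation runs. Two design points matter for a defender: the baseline should be computed per team or queue rather than fleet-wide, since legitimate unlock rates differ by workflow, and a flag is a prompt to review that agent's recording, not a verdict on its own.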

Fin not only has the power to identify potential instances where agents breach PCI compliance rules, it can also lower the level of noncompliant activity simply by running in the background. Our clients report that when agents know Fin is monitoring their behavior and flagging inappropriate workarounds, they are more likely to follow proper procedures and adhere to PCI-compliant standards.

Three Key Ways that Fin Improves PCI Compliance

While Fin alone cannot ensure compliance with the full set of PCI DSS requirements, Fin can help companies strengthen their PCI compliance in three important areas:

  1. Protect stored cardholder data: As mentioned above, Fin helps companies protect customer privacy and prevent data loss through insights into processes and audit logs. Fin gives companies full visibility into agents’ desktop activities, which can help prevent malicious actions, as well as careless behavior that could also lead to data losses. Fin lets companies create custom alerts that can be sent instantly to both managers and agents – for instance, when webpages are viewed that contain sensitive data such as customer credit card details.

     By analyzing tens of millions of hours of agent data, Fin found that more than 15% of call center interactions could involve leakage of sensitive customer data. These behaviors are not necessarily nefarious – they could involve agents copying data from one secure system onto a clipboard in order to transfer it to another system as a workaround – but they still contravene PCI compliance and increase the risks of data theft or losses. This can also alert companies to inefficient workflows. By revealing when employees handle data in unauthorized and insecure ways, Fin can help managers identify which agents need more training on how to follow PCI-compliant workflows or which workflows and toolsets need to be revised to eliminate the need for agents to use workarounds.

  2. Develop and maintain secure applications and systems: Fin gives companies the power to record and review live examples of how agents use systems and applications. This not only allows companies to monitor for vulnerabilities or abuse, it also helps them to track technical system performance and identify anomalies over time.

     For instance, these recordings could reveal that one particular agent with poor productivity actually works diligently, but that applications take an unusually long time to load or refresh on her machine. Her manager could then investigate further to see whether a faster Internet connection or more powerful hardware would allow the agent to bring her productivity up to speed.

  3. Track and monitor all access to network resources and cardholder data: In order to maintain PCI compliance, companies are supposed to regularly monitor and test their networks. Fin can help by capturing browsing behavior and generating reports on which resources were accessed and viewed by which agents at which times. Even better, companies can set Fin to issue alerts in case of suspicious or inappropriate agent behavior. For instance, whenever a critical resource such as a payment-info page is accessed, Fin can log the activity and even send data about the incident to a manager via email.

PCI Compliance Self Assessment

To evaluate your company’s current PCI DSS compliance requirements and capabilities, consider these questions:

  1. Does your firm store, process, or transmit payment card data?

  2. If so, do you have a way to identify when customer agents handle payment data in insecure or unauthorized ways?

  3. Do your current systems and processes provide DOM-level monitoring capabilities to flag unusual agent behavior that could be associated with PCI noncompliance?

  4. Do you have processes that enable close monitoring and oversight of PCI compliance even among agents who may be working from home?

  5. Do you have the ability to build a durable audit trail that can demonstrate your company’s adherence to PCI DSS requirements?

Protecting Patient Privacy

The compliance monitoring elements of Fin’s versatile Work Insights Platform extend far beyond PCI compliance. For instance, Fin can also help healthcare companies monitor the access and use of patient data, enabling providers to assess compliance with the HIPAA Privacy Rule in the United States and with similar patient privacy protections in other countries.
