By Rich Hamilton
You’ve made the decision. Your organization is seeking an outsourced call center to work on your behalf. Outsourced call centers are often referred to as service agencies, telemarketing vendors, or business process outsourcing (BPO). Regardless of what they are called, many factors will need to be considered, including call center size, location(s), management, technology capabilities, and experience with different types of calls such as helpdesk, customer service, or sales.
One factor that should not be overlooked is information security. How secure will your customer data be with a potential call center? Let’s look at how a PCI-Certified Level 1 call center will be able to best protect your customer data as opposed to a call center that is not PCI-Certified Level 1.
No Brainer for Credit Card Processing: If your outsourced call center will be processing credit cards, the decision is a no brainer. A PCI-certified call center should be used. What is PCI? PCI DSS stands for “payment card industry data security standard” and is an information security standard for organizations that handle credit cards from the major card providers, including Visa, MasterCard, American Express, and Discover.
There are four PCI-certification levels available. Levels 2–4 only require a self-assessment in order to receive certification. Level 1 is more rigorous and requires a third party to audit corporate governance (policies and procedures), the operations and processes, and all technology involved. Through this thorough review, along with penetration tests, the third-party qualified security assessor (QSA) is able to determine if all systems and processes are secure with the proper protocols and encryptions. Obviously becoming PCI-Certified Level 1 involves more time with a higher cost, but having a third party review all aspects of your organization ensures that your customer data will be very secure.
If your organization’s outsourced call center will handle credit card data or other sensitive personally identifiable information (PII), you really don’t want to take any chances. Depending on the volume of credit card transactions you process with your merchant account provider, being PCI DSS compliant will be a requirement, either at a low level or at the Level 1 extreme. In addition there are also other negative consequences that can result from a data breach of your customer data, including financial penalties, bad publicity, and possibly losing credit card transaction processing privileges. Taking the proper steps to become PCI-certified will help protect both your customer data and your organization’s well-being for the long term.
What About Call Centers Not Processing Credit Cards?: If your third-party outsourced call center does not need to process credit card transactions, you’re probably wondering why you would require the organization to be PCI-certified. Keep in mind that since the standards for becoming PCI-certified are so high, your customer data will be more secure.
The following items are required for a PCI-Certified Level 1 Call Center—but not for a call center that is not PCI-certified:
- Detailed policies such as password policies, physical security policies, acceptable use policies, and information handling policies
- Processes to support the detailed policies
- Secure firewalls: protecting customer data from cyber-attacks
- Proper encryption while customer data is at rest and in transit
- Yearly security awareness training for all employees
- Quarterly and yearly penetration scans to ensure that customer data is secure
Based on this, which call center do you think would be able to more securely handle your customer data? Clearly, a third-party outsourced call center or teleservices agency that is PCI-Certified Level 1 is the best choice. They have committed the additional time and money needed to ensure that the proper policies, processes, and technologies are in place (with a rigorous third-party audit) to handle customer data in a 100 percent secure manner.
Rich Hamilton is the director of marketing and product development for Quality Contact Solutions, a leading outsourced telemarketing organization. Rich works tirelessly to bring new products to the teleservices and call center market. Rich is also the creative powerhouse behind executing on a wide spectrum of marketing initiatives for the organization. In addition, Rich is a telemarketing compliance guru with a customer engagement compliance professional (CECP) certification to back it up. Rich can be reached at email@example.com or 516-656-5105.