The world has done a spectacular job of embracing remote work in response to the COVID-19 pandemic. Thousands of jobs – and millions of workers – that previously seemed to be anchored to the workplace or workstation have been liberated. The upsides include freeing up employees from commuting time to make more room for family and friends, as well as a more flexible approach to working hours.
Even as the worst of the pandemic has (hopefully) subsided and some markets return to the workplace, many of these habits will endure. Workers have a taste for remote work and these expectations are unlikely to recede, while companies see an opportunity to re-evaluate the costs of commercial real estate.
Still, despite all the success stories, there remain some benefits to keeping work in the workplace. This is especially true for contact centers, which handle sensitive customer data such as personally identifiable information (PII) and payments information. In this line of work, creating a managed environment – both physically and digitally – is a vital aspect of data privacy and security. Regulations in this regard are only increasing; the primary concern is no longer only losing money through misappropriated payment details. The fines for compromising customers’ privacy can be significantly higher.
In short, right at the point where the lines have blurred between work and home, the regulatory position has clarified around strict obligations for handling customer data – and stiff punishments for not living up to them.
Research reveals growing risks of remote customer service representatives (CSRs)
ACI Worldwide’s latest ACI Speedpay Pulse research shows that bill payments by phone are on the rise, as 10.4 percent of consumers preferred to make a one-time payment by phone in late 2021, up from 7.7 percent earlier in the year. Meanwhile, a growing number of agents are working remotely, and are no longer in a controlled environment where billers can closely monitor activities.
Other research illustrates just how vulnerable payment data is in this situation. For example, 72 percent of agents who collect credit/debit card information over the phone still require customers to read numbers aloud. In addition, 30 percent of agents who collect credit/debit card information over the phone have access to card numbers even when not on the phone.
Some agents have reported more worrying practices. Take the 7 percent who admitted that someone inside the organization asked them to access or share payment card information or other sensitive data. And then there’s the 9 percent who personally know someone who has unlawfully accessed or shared customers’ payment card information.
Re-tool to de-risk the remote call center
To adjust to agents working remotely long term, call center leaders must re-tool to ensure that they are handling payment data compliantly no matter where an agent takes a call.
However, there’s no single silver bullet for truly securing the remote call center, so the interplay of people, process and technology will be as important as ever. In this context, requirements and best practices broadly break down into two categories. The first is user privileges, systems and access management. The second is agent oversight.
Let’s start with user privileges, systems and access management. At a minimum, processes should be in place requiring staff to regularly change their passwords. And these must be accompanied by stringent controls on applications that can and can’t be installed on CSR devices, with any approved applications patched and updated consistently. At the technology level, identity access management should cover single sign-on and endpoint management. User privileges should also be restricted in line with the data and systems needed to perform their role.
In terms of agent management, the lack of in-person contact between managers and agents in the remote call center increases the risk of inexperienced, distracted or disgruntled personnel making mistakes or errors of judgement, or engaging in malicious actions. To mitigate this, regular training and supporting communications should be rolled out to keep risks and related security policies top of mind. Any related documentation should also be well organized and readily accessible. DTMF masking, together with disabling CSR audio and screens while customers provide payment information, provides a strong layer of protection around some of the most sensitive customer data. Leading solutions such as Agent Card Assist Plus go a step further here, ensuring card details never even enter the contact center, and that calls and screens can still continue to be recorded 100 percent of the time.
Remote call center security is a wide-ranging, fast-changing challenge, so these best practices are far from exhaustive. But it is clear that with the risks of remote CSRs already high for billers, they cannot afford to be reactive when it comes to compliance. Instead, it’s time to get proactive about understanding what this new normal means for their data security and governance best practices.
For more information on ensuring security in remote call centers, join the experts from ACI Worldwide and Semafone for our upcoming webinar The Future of the Contact Center: Formulating a Strategy for What’s Ahead