We’ve all read about them; security breaches have happened to many large scale businesses, and even the government.  Hackers are continually looking – and finding – new ways to access consumer data.  Retailer TJX is one of the most severe examples as hackers were able to penetrate a supposedly secure network and compromise at least 45.7 million credit and debit cards.

While TJX received a lot of attention, breaches are occurring more often than many realize.  The exact number is unknown because not all states currently have laws requiring disclosure.  One thing is for sure, if a business gets breached, they’re going to pay for it - and it will be expensive.

So what has all this have to do with contact centers?  Actually, a lot.  Contact center agents, particularly those tasked with generating revenue, often have access to personal information such as credit and debit card numbers, banking accounts and social security numbers.  Therefore PCI certification is a smart decision for contact centers.  Even if your business does not involve credit card transactions, you probably have client information that you need to keep secure.  Companies that are PCI DSS certified know how to protect this information.  So, what exactly is PCI DSS Certification?

The Payment Card Industry Data Security Standard (PCI DSS) is a response by the five major credit card brands (MasterCard, VISA, American Express, Discover & JCB) to create a standard for protecting cardholder information.  The Payment Card Industry knew that if breaches like TJX continued to occur, then the integrity of their system would begin to break down, and that's not good for them or for the merchants.

PCI DSS standards require complete separation of credit card information from other company data.  PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.  This comprehensive standard is intended to help organizations proactively protect customer account data.

Hamilton and PCI Certification

Specifically, to become Certified, Hamilton had to meet twelve detailed requirements which include establishing and maintaining an Information Security Policy.  We were required to build and maintain a secure network (which included protecting cardholder data) and regularly monitor and test that network.  We also had to establish management policies and practices which include a Vulnerability Management Program and Strong Access Control Measures.

Meeting PCI standards is not easy.  Not only do you have to implement these standards, you also must to be audited and validated by a third party “Qualified Security Assessor” (QSA), and if necessary, scanned by an “Approved Scanning Vendor” (ASV).

While the financial and retail industries initially pushed for the tighter security measures, data protection should be a priority for all companies, especially contact centers.  One non-compliant company within a network exposes the other companies and their network to risk.  For this reason, many companies don’t (and shouldn’t) consider doing business with any vendor that is not PCI DSS certified. 

Hamilton’s certification is through Trustwave, (www.trustwave.com).  Trustwave is both a QSA and an ASV for the card associations.  Trustwave works with businesses of all sizes to help them validate compliance with the PCI DSS.  Trustwave offers a suite of data security solutions to ensure these businesses maintain security over time as well.  Hamilton’s network undergoes quarterly external security scans, continuous internal scans and an annual self-assessment of how we meet or exceed the security requirements.

If you’re thinking about outsourcing, make sure the company you’re doing business with is PCI DSS certified; it could save you money, and customers.