Johannesburg, 17 Dec 2010
In South Africa, the majority of call centres do not comply with the PaymentCard Industry Data Security Standard (PCI DSS). Nor are many recording business calls received by staff on mobile phones - a new requirement by the UK's Financial Services Authority (FSA) which is expected to be adopted
globally. Spescom DataVoice's Libra voice recorders can meet both requirements.
PCI DSS in short requires that:
* The credit card security code (CVC/CVV) is never captured/stored
* Safe storage of the primary account number (PAN) details are guaranteed
* Audit trails of access to card holder details are maintained.
Spescom DataVoice's Libra voice recorders offer the following solutions to this challenge - manual, operator enabled non-recording of the digits as well as automated, process driven non-recording. Spescom DataVoice keeps on addressing the PCI DSS compliance issues by continuously improving on its PCI DSS offering.
The UK's Financial Services Authority (FSA) removed its exemption on mobile phone recording on 14th November 2010 and UK financial services companies have 12 months to ensure full compliance. All FSA registered businesses must ensure that they are able to record calls made and received on mobile phones, in addition to text messages, Instant Messaging, emails and other forms of mobile electronic communication. Recorded information must be retained by companies for a minimum of six months.
Spescom DataVoice's Libra voice recorder suite offers two options in terms of recording calls from and to mobile phones. It will record all calls from mobile phones to business 'landlines' as well as calls made to and from the mobile phones of employees, aggregating these calls to allow storage, playback and management in the same way that analogue 'landline' calls are managed. Mobile phone users have the option to not save private calls.
Says Badimo: "Mobile phones are used every day to transact and the risk to business is mounting. It makes good sense to now record these calls. In the UK, the FSA made the recording of mobile calls non-compulsory in 2008 because the technology to make these recordings was immature. Today it is mature and Spescom DataVoice can assist organisations to meet these requirements."
PCI standards have evolved similarly, adapting to address risk in the business environment. These standards were developed by the major credit card companies to regulate the management of credit card data, minimise fraud and protect customer privacy. The standards address a number of different elements, including securing the network, protecting cardholder data, maintaining a vulnerability management program and implementing strong access control measures. Applying the correct levels of security is, however, difficult, particularly when it comes to voice recordings.
Says Kgabo Badimo, MD of Spescom DataVoice: "There is fine line between protection of data and negating the benefits of access. With more credit card transactions being done over the telephone with product and sales support staff in call centres, recordings are essential for risk, governance and legal compliance purposes, as well as quality assurance. For example, recordings are crucial in the event of default by the customer or if the customer disputes an order or payment. Regulatory requirements also compel recording of verbal financial transactions. And recordings can be used to measure service levels, or for training purposes, or even simply listening again to what the client said to ensure instructions were properly carried out.
"The challenge then is to strike the right balance between offering the client data privacy and protection at global standards, and securing the business against risk."
While PCI security standards are not yet legislated in South Africa, a few companies have already been audited. There are a number of drivers for getting this 'balance' right, he notes. These include:
* International standards having a way of becoming local standards, so early preparation to meet these standards is advisable.
* Early mover advantage as PCI compliance is not the norm in South AfricaCall centres hoping to acquire international clients finding that PCI compliance is a benefit that differentiates their offering - or secures the deal.
Spescom Datavoice's Libra recorder allows call centres to meet PCI standards with regards to PCI DSS compliance in a number of ways:
* Through use of a physical action by the agent - where the agent presses a 'stop recording' or 'mute' button when credit card details are given.
* By integrating the stop/start instructions into the screen application of the agent - where the recorder stops recording when, for example, a sales or bill payment interaction progresses to step three, when the agent clicks 'credit card details', then seamlessly continues recording when the agent clicks to the next screen in the application (e.g., 'deal concluded' or 'shipping details').
* By encrypting recordings when they are made - and requiring decryption keys to access the recordings. These decryption keys are only accessible by authorised staff and an audit trail is kept of access to all recordings. Encryption will be available form 2011
Says Badimo: "Consumers are generally unaware of the PCI security standards but as phishing and identity fraud continue to grow, they are becoming increasingly wary of giving away personal data. Being able to assure them that your credit card security measures meet global standards will enhance goodwill, brand loyalty and - most important of all - enhance revenues. Similarly, with the recording of mobile calls you mitigate against business risk and also offer the customer peace of mind and protection in the case of a dispute involving a voice transaction conducted on a mobile phone."
Share