Identity and credit card theft are getting big attention these days, and if you go to any security seminars, you will leave with the feeling that you should just cut all your credit cards up and unplug your computer. This growing threat is not only a hazard to each of us personally, but also a significant risk that businesses, and especially call centers, face daily. Call centers regularly handle thousands of credit cards and pieces of personal identification information. It is the call center's responsibility to protect its customers' personal and credit card data.
Personal identification information includes items like NAME, ADDRESS, PHONE, BIRTH DATE and SSN. It’s not that a name or a phone number by itself is usually considered sensitive data, but when you combine a name, number and address, and then add SSN… Man! – Now you have some real identity theft potential.
Credit card theft is an obvious hazard. We recognize the credit card number or PAN as being sensitive, but if you combine the PAN with name, address, phone, birth date and SSN, you have a double whammy – credit card fraud and identity theft.
On the subject of protecting personal and credit card data, let’s talk a bit about some do’s and don’ts. First, it’s a good idea to not store personal and credit card data together. Second, while it is permissible to store the PAN, if done correctly, there is data you should not store from a credit card transaction. One such item that must not be stored is the CVC number, which is a three-digit number, often found on the back of your credit card. CVC storage is not allowed. See PCI DSS for details. Additionally, thanks to the California Supreme Court, you should now add ZIP code to the list of personal identification information that is not to be stored with other credit card information. While it is certainly true that California isn’t the entire country, California is often a trend setter. It’s a fairly common practice to ask for a customer's ZIP code as an additional confirmation measure when processing credit card transactions, and that is still OK, but the state of California is now saying that it is not OK to collect and then store that information.
Some other suggestions for the handling of personal or sensitive data, whether you operate in California or not, would include:
- You should have legitimate grounds for collecting personal data. Do not collect data you do not need. As an example, if you do not need the person's SSN, do not collect it.
- Only use personal data for the purpose that it was initially intended. If you collected data for the purpose of selling a widget, you should not then take that data and use it to market other products.
- Once the transaction or reason for the data collection has completed, you should remove that data from your systems.
- Provide CPNI and other security-related training to your staff.
- Stay abreast of laws, regulations and requirements for the handling of credit card and personal identity information.
Data protection is a concern for all of us. The internet has brought the world into our homes, whether we live in a large city or small town. None of us can afford to be casual about how we treat our personal and financial information or that of our customers. inContact recognizes that and is working to ensure its products support the safe and secure operation of your call center. In a coming story, I will be talking about our efforts to not only stay informed on the subject of cloud security, but to also contribute to its future.