Working Smarter: Presented by Calabrio

A conversation with Darren Gill of PCI Pal about what PCI is, how to be PCI compliant, and how PCI Pal can help your organization remove payment liability when having to deal with credit card transactions.

Show Notes

Does your organization understand PCI compliance? Are you PCI compliant? Join Dave and Darren Gill of PCI Pal as they discuss what PCI means, how to be PCI compliant, and what potential liability your organization may have if you aren't meeting the PCI standards.

What is Working Smarter: Presented by Calabrio?

In this series we will discuss Contact Center industry trends and best practices, as well as sharing success stories and pain points with some of the most innovative professionals in the industry. Join us as we learn and grow together in order to provide world class customer service to each and every one of our clients.

Timestamp Speaker Transcript

00:00.00 Dave Hoekstra: Welcome to Working Smarter presented by Calabrio, where we discuss contact center industry trends and best practices as well as sharing success stories and pain points with some of the most innovative professionals in the industry. We're glad you're joining us to learn and grow together in order to provide world-class customer service to each and every one of our clients. My name is Dave Hoekstra, Product Evangelist for Calabrio, and my guest today is Darren Gill. Darren is the Chief Revenue Officer for PCI Pal and we are really thrilled to have him as part of the podcast today. Thanks for joining us today, Darren. How are things? Yeah, we are very excited because one of the things that we have noticed is that there seems to be a strong misunderstanding, or at least misinformation, about how PCI works. Now I'm going to...

00:38.83 Darren Gill: Great. Thanks, Dave.

00:55.57 Dave Hoekstra: ...personally admit that I am a little bit of a PCI noob, as it were, but that's why we've brought you on today, to kind of help us educate and learn more about what PCI is and why anyone should care. So I'd say let's start off a little bit: tell us a little bit about what you do for PCI Pal.

01:13.00 Darren Gill: Sure. So I'm the Chief Revenue Officer for PCI Pal. I'm responsible primarily for sales and presales globally for the organization, and, you know, PCI Pal provides secure payment solutions.

01:30.26 Darren Gill: Particularly in the context of the contact center, to help provide an overall better customer experience but also ensure that data is secure.

01:36.53 Dave Hoekstra: So we've already thrown around the acronym PCI quite a bit, and maybe we should take a step back and talk for a minute about what exactly PCI is and what PCI compliance means, and maybe a little bit of the history too. I'm sure you've probably given this spiel a number of times before. So let's start at the beginning: what is PCI and where did it come from?

02:03.50 Darren Gill: Definitely. So first we'll address the acronyms. PCI DSS is the Payment Card Industry Data Security Standard, and back in 2007 the major credit card vendors got together, in almost a self-governing fashion, and they came up with some guidelines, and that is one of the points of confusion. They're guidelines, not law. It's guidelines as to how credit card information should be handled, and again, the original guidelines were published in 2007 and there have been various updates since. It really lays out, you know, 12 key areas around which credit card information should be treated or handled, and one of the big areas that continues to be a bit of an issue for organizations is taking payments by phone.

03:01.61 Dave Hoekstra: Right? So, you know, the kind of classic "Can you read your credit card number to me over the phone and I'm going to input it for you," that kind of thing.

03:10.29 Darren Gill: Correct, yeah, and there's a lot of confusion around that today, in that in order to address the issue of handling credit card information securely, over the years there have been a number of what we call compensating controls that have come about, and one of the more popular compensating controls is what's called pause/resume, also referred to sometimes as secure pause. It's a feature within the telephone system or the contact center platform that allows an agent to pause call recording when that credit card information is taken. The reason that's important is that one of the guiding principles under PCI DSS is that credit card information should not be stored in any way, shape or form by a merchant, and obviously if you're recording calls and the agents are taking credit card information, that credit card information may find its way into the recorded call database, which could be a serious point of concern, a potential point of data breach in fact. So best practice is not to store that information. In order to do that, the best that many organizations have been able to do up to this point is to have, in some respects, a manual pause/resume process where the agent will pause the recording of the call in order to take that credit card information. The challenge though is that doesn't translate into compliance under the current PCI DSS guidelines. The reason it doesn't is because the agent in most cases still hears that credit card information. Um, that credit card information is also still hitting the network.

04:50.54 Dave Hoekstra: Right? And so what I'm hearing you say is that back when I was first starting to take calls in the call center, the piece of paper that I wrote down everyone's credit card number on and threw away in the trash after a week was probably not PCI compliant, correct?

05:09.13 Darren Gill: Definitely not, and Dave, you'd be surprised how many organizations we find are still doing that today, and it's just natural for an agent, in order to move quickly, to want to jot that information down on a Post-it note or on a scratch pad. The other risk though is that in a contact center, particularly some of these larger environments, you may occasionally have a bad actor as well, and that represents a security concern or risk in that they might be maliciously jotting this information down and then taking it home, or selling it for that matter on the dark web, in order to do something that's not compliant or not appropriate. So yeah, it's definitely a security risk. And it's been less of an issue in many of these manager-supervised contact centers; they may have cameras, you may have a supervisor or manager that's walking the floor. But two years ago, enter pandemic, and what happened because of social distancing and other requirements is that these contact centers almost overnight became work from home, and that has introduced another major security concern for a lot of these organizations.

06:21.40 Dave Hoekstra: Yeah, and I mean, I don't know if you have any data on how many credit card transactions actually happen in the contact center industry, but the sheer probability of bad actors has to be higher than a negligible amount, right? You've got the agents themselves, and in your scenario, if they're having to manually push a button to record but they can still hear, I mean it doesn't take a big logical leap to know that something's probably happening somewhere. But then you also have all of the recordings that are available if they're not doing the pause and resume, you have the information being entered into various billing systems and key loggers and any number of potential issues that come across with that. And so you and I talked about something that I kind of want to make sure we cover, which is that a lot of organizations think that they're PCI compliant but in all likelihood are not. Is that correct?

07:27.25 Darren Gill: Ah, yeah, that's correct. So the learning over the last few years, and in fact there have been some clarifications on this from the council in the PCI DSS guidelines in the last few years, the clarification is that the best practice is to fully descope, as we refer to it. And by that we mean that you should implement a solution whereby not only does the information not find its way into the recorded call database, but your agent doesn't hear the credit card information, and for that matter the credit card information never even hits your network. If it doesn't hit your network then it's a whole lot easier to pass a self audit and confirm that you're fully compliant, because there's no exposure whatsoever, and that's actually the best practice.

08:14.76 Dave Hoekstra: Got it. Okay, so I think we're going to talk about that in a little bit, exactly how we accomplish that. But I'm interested to know, for an organization that maybe is not hitting that compliance recommendation as well as they should, what kind of potential liability does an organization face in not being able to hit that compliance?

08:36.90 Darren Gill: Yeah, good question, and there are a number of outcomes. Potentially one is the cost for them to become compliant internally. It's significant, it's not a light undertaking, and the larger the organization, the more exposure there is, the greater the cost. If they are not compliant then the potential outcomes are that they could be fined; the credit card companies will fine organizations that are not compliant. The other issue is that, if they're a repeat offender, they could see an adjustment to the rates that they pay. So these credit card processors, they charge fees as you know, and those rates, you may get a less favorable rate, or the rate may shift north if you're considered a greater risk as an organization. So, yeah, exactly, if your risk profile as an organization is such that you're a repeat offender or you're not compliant, then that could certainly affect your rate.

09:33.19 Dave Hoekstra: A credit score for credit, if you would, right?

09:49.43 Darren Gill: Um, but I'll tell you the biggest risk of all is the impact that it could potentially have on your brand, your business, if in fact there were a breach. So the best thing to do is just to head it off at the pass and ensure that you're compliant, and take appropriate measures and put systems in place so that you can ensure and be confident that you're compliant and not put your brand or company at risk. And we've all seen the headlines, particularly coming out of Europe right now. In the EU they do have much more strict data privacy laws, GDPR, which some may have heard referenced. GDPR is an overall, more comprehensive set of data privacy laws that are in effect in the EU, and we've seen headlines of data breaches at major airlines or data breaches at retailers, and they've been fined in the order of tens of millions of dollars in some cases with these data breaches. So, you know, the best remedy to that is to completely avoid that in the first place and descope and ensure that your business is not at risk.

10:54.48 Dave Hoekstra: And when we say data breach, what kind of range are we talking about? I mean, obviously we've got, you know, maybe the one individual agent who's taking down a credit card and then ordering themselves a PlayStation 5 or something like that and hoping to get away with it. But we're probably talking about much larger. What do those data breaches look like for those organizations that are kind of putting themselves in danger?

11:19.64 Darren Gill: Yeah, typically it involves, in many cases, a situation where credit card information has been stored at a wholesale level by that merchant, and that's why the recorded call database is such a concern. We talk to companies all day long that have recordings that go back 10 years or more, and they've kept these files, and that's a major point of risk. Any database that might contain PII-type data is of concern. So yeah, it is an issue. It's becoming less of a problem as companies learn to become compliant, but there are still some legacy systems and infrastructure out there that put organizations at risk.

12:06.62 Dave Hoekstra: So what would you suggest? Do you suggest audits? Do you suggest a review of the policies before kind of taking on this PCI journey, to understand where a company might be?

12:20.93 Darren Gill: Yeah, a lot of companies do employ what's called a QSA, which is an independent auditor that comes in and will evaluate, you know, PCI DSS as one of the facets of being compliant, and in fact, usually it's when those QSAs flag the issue or concern, particularly in the context of the contact center and delivering customer service. It's usually a QSA that will flag that issue, and that's when we often get a call.

12:49.53 Dave Hoekstra: Right? Yeah, that's a good jump for PCI Pal there. So let's kind of paint a scenario here from an organization that maybe has completed this QSA and they realize there are some data breaches. Um, I want you to talk a little bit about what a company would kind of traditionally, pre-PCI Pal, take, and I know we've talked a little bit about PCI pause and resume. But I think, you know, for maybe our listeners who haven't really started that journey, what does the start of that journey look like, and then at what point does PCI Pal typically come into the conversation?

13:29.48 Darren Gill: Yeah, well, the key is not to be misled by a fairly standard feature in a lot of these CX platforms, being pause/resume, because again, that's what we've learned particularly over the last few years, is that that's not good enough, and it's easy to kind of be trapped a bit by the fact that, well, we're doing something and at least we're not storing the credit card information in our recorded call database. But again, you've got potential points of breach and security concerns if you have agents that are hearing that information. The other thing that you need to be careful about: we see other compensating controls. For example, customers will use what we call a clean room approach or strategy, which is where, when a payment needs to be taken, they'll actually transfer the call to a more secure team that might be locked down a bit more in order to take payment and process it. So we see strategies like that. So again, those all fall into the category of what we call compensating controls. Another thing we do see often is the concept of transferring a caller when a payment needs to be taken, transferring a caller to IVR. And there are secure IVR solutions; in fact, we provide those solutions as well. Having said that, there is limited applicability of a secure IVR solution when you're wanting to do automation. The idea of taking a live caller and actually having to transfer them to a secure IVR in order to take payment is typically not the best overall customer experience.

15:05.57 Dave Hoekstra: I was thinking that myself. I haven't done a lot of credit card payments over the phone in a while, but honestly, as a customer, I would rather just read my credit card number over and take the risk of it getting stolen than be transferred to another department, or through a complicated IVR system where I have to enter in numbers and things like that. So I agree with you, but go on.

15:31.10 Darren Gill: Yeah, so the key really in that journey, as customers look at becoming compliant, again with the look to full descope, is that the best solution is to keep customer experience top of mind. That's important to any contact center organization. And then when you look at taking payments in the contact center, more broadly CX payments as we refer to it, then what we're looking to do is do that in a secure and compliant manner, but to the best of our ability keep the agent and the caller connected so that it's a guided process. Right? Which is much more positive, much better, and quite frankly, if it's a matter of revenue, you also ensure that the payment's taken, the credit card is good, that it goes through, and then and only then do you let the customer off the hook, right? So there's some added value in that being more of a guided process. You'll end up having higher close rates if you're concerned about, you know, revenue generation across a team, for example, and you're providing an overall better customer experience. So the way to do that is to implement a secure payment solution that will allow that full descope to occur, and the best way to do that is to implement a lightweight cloud-based service that would layer in on top of and integrate to the contact center platform that's being used today, and it would allow the agent to say to a caller, "Okay, Mr. Customer, using the touch tone phone, please enter in your credit card information," and they actually use the touch tone phone then to enter their credit card details and any other PII data for that matter. So if it's a matter of giving out a social security number, for example, that can be secured.

17:23.61 Dave Hoekstra: Um.

17:26.96 Darren Gill: That's considered PII data and it's sensitive information, so you can use the touch tone phone to input that information, and when that happens or occurs, the other key thing is that the touch tones get masked. The agent can hear that those touch tones are occurring but can't interpret those in any way, shape or form, and those can't be recorded in any fashion; they're just flat tones. And then at that point I'm also providing the agent at the desktop with real-time feedback as to the fact that the credit card information's being entered. And then once everything is confirmed, including a Luhn check to make sure the credit card is good, verifying the date and other format-type data, then clicking submit and processing the payment right there on the spot. Now the whole time, the agent and the caller remain connected.

18:21.33 Dave Hoekstra: So there's no gap in the recording. There's no pause where an agent might say something that you have no record of, or the customer says something you have no record of. It's completely seamless from the recording perspective.

18:22.68 Darren Gill: So it's, ah, again, it's...

18:35.43 Darren Gill: That's correct, so you don't end up with potentially two different recorded call segments. There's no need to implement a pause/resume approach; that recorded call remains intact. There's no need to even use pause/resume at that point, so you're able to evaluate the overall experience when the payment's being taken as well, which, you know, before, if you hit pause/resume, there could have been some level of interaction that's not captured there in the recording.

19:07.63 Dave Hoekstra: So I think, if I can gather what you're saying, that the traditional method of PCI compliance, the pause and resume, whether it's manually triggered by the agent...

19:08.91 Darren Gill: Recording stuff.

19:20.77 Dave Hoekstra: ...or it's done through some sort of automation where you enter a particular field on your billing system and it triggers the system to pause, while those can be effective, they're not foolproof and it doesn't get you all the way to what is recommended for PCI compliance. But with the way that PCI Pal, the cloud-based layer, provides that, in a sense, can we say that it's foolproof? Can we go so far as to say that it completely removes liability for data security?

19:47.88 Darren Gill: Yes.

19:54.18 Darren Gill: Yeah, definitely, and the reason for that is that a secure payment solution like PCI Pal ensures that that credit card information in no way, shape or form is hitting the customer's environment, the network. It's not going to show up in a recorded call database, but for them, it's not even hitting the network. So in many cases this allows the customer to qualify for a simpler level of audit and self-certification as well. What a company like ours would provide to the customer is what we call an attestation of compliance, and by virtue of that AOC, then that's typically the get-out-of-jail card, if you will, with the QSA when these audits are being conducted, and it makes life a whole lot simpler.

20:39.28 Dave Hoekstra: So your PCI and your QSA go to the... well, sorry, what was the AOC? And we'll make sure that we cover all that in the data dictionary of today's podcast.

20:50.86 Darren Gill: Yeah, so AOC is the attestation of compliance, and it's a fairly simple document that basically is the service provider's attestation of being fully compliant, and by virtue of using that service, then the customer is considered fully compliant when an audit's being conducted.

21:12.14 Dave Hoekstra: Any great success stories from a customer, maybe around an ROI, or some, you know, good story there of a customer that really recognized the potential of what you guys can provide?

21:24.22 Darren Gill: Oh yeah, we have a number of case studies, and it depends on the segment. The industry segments where we see the most need typically are retail, travel and leisure, utilities, but we also get involved in opportunities with government, healthcare, insurance. So we have a number of case studies that we published that highlight, you know, the benefits of a secure payment solution. The key is though that, from an ROI point of view, these organizations can save an exhaustive amount of cycles and effort around trying to be compliant themselves, because it's not easy. In fact, there was a white paper published by Verizon a few years back that highlighted the fact that over fifty-five percent of organizations that in fact attained full PCI compliance in the first year fail to be compliant by the second year. It's a major undertaking and it's very difficult to be.

22:29.90 Dave Hoekstra: Right? Because it's just basically a constant struggle to stay on top of the process, right? It's just, you know, "oh well, we tweaked our IVR, we tweaked our billing system, let's bring in 10 IT resources to make sure that the code is defined appropriately."

22:35.46 Darren Gill: Correct. Yep.

22:49.19 Dave Hoekstra: But whereas you guys come in and just layer that in. So now, how does the agent trigger the PCI Pal process during the call?

22:57.47 Darren Gill: Good question. So typically, let's say it could be desktop based with an integration. So let's say they're using Salesforce; when they get to the point where they're ready to take a payment, they click a button, and once they do, the call is secured. And that's a very good point, Dave, because there are different approaches out there, but one of the key things that we do for most of our integrations is that, for the PCI Pal solution, we're only a part of the call when the payment is being taken. Otherwise, you know, there's no need for us to be a part of the call. So by clicking that button, that sends a message to PCI Pal in the cloud that, oh, we need to secure this call and ensure that a payment can be made securely, and then when the payment's approved and closed out, the agent acknowledges that on the desktop and then we're no longer part of the call. So that's what makes the solution relatively lightweight as well.

23:56.15 Dave Hoekstra: Interesting, and, you know, I would assume that the agent experience is probably a lot easier too. No more having to "did you say 39 or 35, right?" and, you know, a lot of verification steps. It probably makes the process a lot cleaner for the agent as well, I would imagine. So the final question I kind of had for you is one of the interesting topics we kind of chatted about: the ability for companies to avoid potential legislation that might be coming up. We talked a little bit about GDPR, but...

24:14.34 Darren Gill: Yeah, definitely.

24:32.23 Dave Hoekstra: ...that can't be the only legislation that's either in place or being planned around, you know, protecting PII information. Any insight into maybe what's upcoming and why somebody might want to make the call sooner rather than later?

24:45.70 Darren Gill: Yeah, so on the legal landscape, you're right, GDPR only governs EU organizations, although it does have pretty far reach in that it also applies to any EU citizens. Now the enforceability of that is questionable, of course, in other regions and markets. But what we find is that companies, particularly global companies, have kind of adopted GDPR as kind of a least common denominator, and they do their best to be compliant under GDPR, and if they adopt that then they know that they're good pretty much in any other market that they serve. Um, now there are other data privacy laws in other regions. So for example, Canada, they have data privacy laws at the national level that are fairly robust. Um, and here in the US we do have some fragmented national laws, but not the overarching and holistic approach that we've seen the EU take with GDPR, and we expect that that will be coming. In the meantime though, California have enacted CCPA, which is a set of data privacy laws specific to the state of California, and then we've also seen other states more recently, Colorado and Virginia for example, enact similar legislation that will be taking effect here soon. So we expect that we'll continue to see states adopting more rigorous data privacy laws, and then that will likely lead up to national legislation at some point.

26:24.72 Dave Hoekstra: Yep, very likely, and so I think the takeaway from this is: don't wait until it's too late to start to address some of these issues, and I think that's exactly what PCI Pal is set out to do, is to allow you to not have to think so much about your data security process and kind of make sure that the customer experience is managed but also the data privacy side is managed as well. And I think this has been really informative for a lot of people. Um, and so I guess the final question for you, Darren, is how would someone reach out to PCI Pal and maybe ask some questions and maybe set up a demo?

27:03.94 Darren Gill: Sure. Well, we would invite listeners to our website, pcipal.com. We have a lot of good information; we have white papers there that you can download on the topic, and then those case studies that I mentioned as well. So depending on your industry segment or vertical, you can probably get a more relevant case study that will give you an example of a similar organization that has implemented this type of solution. And then the other key is to reach out to our partners. We're a partner-first organization; Calabrio is a key partner. So, ah, for those listeners that use Calabrio, certainly, you know, reach out to your Calabrio representative and be sure to inquire, ask about PCI Pal, and we'll be happy to help.

27:51.92 Dave Hoekstra: That's great. Yeah, and, you know, kind of the lead to this is that if you are taking any sort of payment over the phone, you probably need to, at a very minimum, ask some questions here, because... make sure that you've at least gone through the appropriate question process to do this well. I certainly do really appreciate you spending some time with us, Darren. It's been very informative and I learned quite a bit. This is not my area of expertise, so it's really fantastic that we have somebody on that can give a little bit of insight into new areas, and I think our listeners are going to be really excited to hear some of the information you provided. So I'll give you the final word: anything you want to tell the masses before we get on out of here?

28:35.51 Darren Gill: No, I just appreciate everyone's time today and look forward to helping, and remember the most important thing is to be respectful and mindful of your customer's data. That's really the most important...

28:53.74 Dave Hoekstra: Fantastic. Well, thank you, Darren, and to those of you listening, as always, I appreciate you giving us a little bit of your time during the day. Hopefully you found today's discussion informative, and we certainly want you to reach out to PCI Pal if there's anything they can potentially provide for you...

28:54.34 Darren Gill: ...most important element.

29:12.62 Dave Hoekstra: ...on your PCI journey. As always, from Calabrio, we appreciate all the time and energy that you guys give to us and we look forward to speaking to you guys really soon. So everybody have a great day and we will see you on the next episode. Thanks from Calabrio and PCI Pal. Bye, everybody.