How to Train Call & Contact Centers for PCI DSS Compliance
In the realm of call and contact centers, and by extension, customer service departments, there are a wide range of areas and products that employees must receive training on. From call scripts, to software usage, to company policies, dispute handling and everything in between, a contact center agent has no shortage of coaching when they first start.
An often-overlooked area that requires just as much training, if not more, however, is around security practices. With the threat landscape constantly evolving, and the contact center becoming an ever-greater target for fraud, companies and their employees much remain vigilant and on top of the latest threats. For this reason, it’s essential for employers to have a robust training program in place to meet compliance obligations. Let’s examine what it takes to produce one.
Types of Compliance Inside Call & Contact Centers
The contact center is a hub for all types of customer information, and at any given time it may be processing personal contact information, health or medical records, social security numbers, driver’s license numbers, or even payment card information. Because of this, contact centers may find themselves in the crosshairs of a multitude of regulations that each have their own compliance requirements, depending on the type of data the company deals with.
For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates data privacy and security provisions for health-related information and has stringent rules on how it can be processed, and applies to every health insurer, hospital, medical center, or other organization handling this type of data. In the higher education industry, The Family Educational Rights and Privacy Act (FERPA) is a federal law that maintains the privacy and security of student records and applies to virtually all institutions receiving federal funding.
Perhaps the most wide-ranging standard that spans across industries is the Payment Card Industry Data Security Standard (PCI DSS), which upholds twelve broad security requirements that are designed to protect payment card information and reduce the amount of payment fraud. It pertains to any organization processing card payments and organizations must demonstrate compliance on a yearly basis. Many of the provisions deal with the way employees handle and store payment card information, which makes it essential to have a training program in place.
Benefits of Having a PCI DSS Compliance Training Program in Your Call Center
Among the obvious benefits, of increased security and a lower chance of fraud occurring, PCI DSS compliance brings about other tangible benefits for the wider organization. For one, with its common-sense requirements and its overarching tenet of reducing the amount of personal information stored, it can serve as a great starting point for other compliance programs. Additionally, implementing a training program will impart a mindset of security throughout the organization, extending beyond PCI DSS compliance into other aspects of security as well. Perhaps most importantly, it helps protect your customers, the lifeblood of your business, which in turn can improve your brand reputation. Finally, at the end of the day, you’ll have more peace of mind knowing your employees are properly trained to spot security threats, which will keep your company’s name out of the headlines.
How to Build a PCI DSS Compliance Training Program
Once you’ve decided to move forward with creating a PCI DSS compliance education program, it may be difficult to know where to start. Here’s some simple steps that will help you along in the process towards establishing a training plan.
Start with Educating Your Employees
At the foundation of every training program is basic education. The PCI DSS is a fairly large and onerous standard, with twelve overarching security requirements, and several hundred sub-requirements, meaning it can quickly become an arduous task for anyone having to trudge through each one. With that being said, it’s essential to distill the facts down for your employees in a way that’s easy to understand and relevant to their everyday responsibilities. Take into account any processes or procedures that have been put into place for compliance purposes and help them understand why they exist.
Rely on the Experts
There are many experts in PCI DSS compliance who create trainings for companies on a regular basis and can easily adapt a program just for your company. Search for a trusted PCI DSS consultant or Qualified Security Assessor (QSA), who have done this before to save yourself some work and ensure top quality.
Break It Down into Modules
It’s no secret that PCI DSS compliance isn’t the most engaging of subjects, especially for those who don’t have to deal with it on a daily basis. To make training easier to handle and more digestible, it’s a good idea to break down the material into smaller modules. This way, employees will find it more manageable to complete the modules one by one as they have time and won’t feel overwhelmed or get distracted having to go through one long course.
Vary Your Types of Media
The format of your training materials can vary: consider using short videos, in-person briefings, written documents, or a mixture of all three. Find what resonates with your employees, and don’t be afraid to experiment with your approaches to see what works best.
Track Progress Through Assessments
Once you’ve established your educational program, it’s essential to track the progress of your employees through each module. Not only will it provide an objective record of an employee’s completion of the training, but it will also help you distinguish between areas where employees are truly grasping the material against the ones that might be more difficult to understand. This way, you can adjust the educational materials accordingly and create a better training program over time.
Your Training Should Be Ongoing
To ensure your employees are always up to date on the latest developments around PCI DSS compliance and the related procedures within your organization, your training should be ongoing. Consider implementing a quarterly or annual checkup, where everyone in the company completes a brief review of educational materials- keeping the subject top of mind
Communicate Early and Often
From even before the roll out of your education program, you should communicate the importance of everyone completing the training and help them understand why they must do it. While no one likes having to complete a mandatory training module, they’ll probably feel better knowing there’s a business reason behind why they must.
Reduce the Size of Your PCI DSS Compliance Training Program by Descoping Your Contact Center
Of course, if your employees don’t have to worry about completing PCI DSS compliant payments in the first place, the amount of training they’ll have to go through could be drastically reduced. Implementing DTMF masking solutions, like Semafone’s Cardprotect, have quickly become a contact center industry best practice—by keeping payment information from ever entering the call center, your employees and your business infrastructure are never exposed to cardholder data, thus leading to less time, money, and effort dedicated to achieving PCI DSS compliance. With the amount of applicable PCI controls for your contact center to comply with, the less you’ll have to train everyone!
The post How to Train Call & Contact Centers for PCI DSS Compliance appeared first on Semafone.
*** This is a Security Bloggers Network syndicated blog from Semafone authored by Aaron Lumnah. Read the original post at: https://semafone.com/press-releases/how-to-train-call-contact-centers-for-pci-dss-compliance/
