As more financial institutions and other companies turn to cloud-based services to maintain customer contact centers, Echopass Corp. says it has strengthened its position to assure data handled in those centers remains secure.
Echopass has achieved the highest level of the newest Payment Card Industry data security standards certification for cloud service providers, the Pleasanton, Calif.-based company stated this week.
Echopass sought the PCI certification to better serve its high-end corporate clients that handle significant amounts of personal customer data in call centers, but also because it didn't want to be a part of a highly visible data breach, says Rod McLane, director of solution marketing for Echopass.
"A lot of companies in our space do self-attestation, or their own security checks, so to speak," McLane says. "That level of security would be OK with some, but as data breaches make the news and fines are levied, we don't want that to happen to us."
Echopass provides applications for web-based telephone and Internet customer support services, as well as text chat, e-mail and Web call-backs, among other contact-center services.
Security compliance is complicated at contact centers because corporations store personal billing and contact information to expedite transactions and provide better customer service, McLane says. When those companies begin to turn to cloud service providers, it becomes even more essential to protect data during those migrations.
Call centers present a number of different threat factors for potential breaches, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"An agent in a call center is always accessing customer data needed to come to a resolution on whatever issue they are dealing with," Conroy says. "Card numbers, e-mail addresses, log-in credentials, these are things that are sometimes more valuable to the bad guys because they can do a lot of damage with those mechanisms."
Getting PCI certification is important because it establishes that Echopass has done all of the tasks required to provide secure cloud-based services, Conroy says. "It's a positive step because the larger companies are aware of the risks," she adds.
Companies want a services provider to guide them through the various security aspects of operating a call center, McLane says.
"Echopass is getting a mandate from companies to move to cloud services because these companies don't want to do the security assessment themselves," McLane says. "There are tons of different cloud apps and a contact center lends itself well to the cloud environment."
Echopass provides applications for data security for call centers with live agents or for a completely automated call center, McLane says. "Our service can run the whole gamut, from core data routing pieces to the customer interaction recordings, and how to manage that securely," he adds.
PCI's new guidelines for cloud services clarify the various different types of cloud models, and outline the security responsibilities of the client and provider in cloud scenarios. Those responsibilities range from installing and maintaining a firewall to protect personal and cardholder data, to the creation of unique IDs and a process for consistent monitoring and tracking all access points to networks and cardholder data.
Large companies may deploy a hybrid model, with only part of the center's data stored in the cloud, McLane says. Generally, Echopass will store personal customer information, while the client continues to store payment card data on its own system.
"We work with what customers have in place and we go beyond PCI in looking at all facets of security," McLane says.
Ultimately, Echopass is doing everything it can "to make sure there is no hacking into the data center," McLane says. As such, the company will incorporate two-way authentication and various other security layers "that cover all of the bases," he adds.
Call centers are becoming "increasingly attractive" to smaller companies as well, Conroy says. As such, a company like Echopass could offer services as a shared resource among smaller companies, "especially amongst the smaller merchants who really don't know what to look for or what questions to ask," Conroy adds.
Prior to PCI revealing cloud-services guidelines, McLane says Echopass was only at "level two" and doing its own testing and assessments.
"As we worked with our customers, we realized that security concerns were growing and we wanted to offer the best security available," McLane says. "We took it upon ourselves to certify at the highest level and reach for that top tier of PCI protection."