I recently had the opportunity to visit with a retailer that operates a large contact center to support its international chain of stores. The company was in the early stages of reviewing its compliance obligations and asked us to find ways to modify business practices to reduce the scope of its compliance efforts. After reviewing the company’s activities, we discovered a few small changes in the way the company handles information that could dramatically reduce its compliance burden. Organizations across industries can draw lessons from this experience as they seek to reduce their own costs of compliance.
Outsource Sensitive Activities to Reduce Compliance Risk
When we first reviewed the contact center, we discovered agents sometimes accepted credit card numbers for transactions over the phone. Each agent handled only a couple of card transactions a day, but this was enough to force the company to make sure the entire call center complied with the Payment Card Industry Data Security Standard (PCI DSS).
After reviewing this practice, management decided to outsource credit card processing. Contact center agents still handle every customer call, but if they need to process a credit card, they transfer the call to a specialized payment processor, which is then responsible for handling the transaction in a manner that complies with PCI DSS. This small change eliminates the need for the contact center to certify its own PCI DSS compliance.
Clearly Communicate Policies to Ensure Compliance
Employees at the company’s retail stores often took preorders for popular items, allowing customers to add their names to a waiting list before a product was released. The stores wanted to be sure customers would actually purchase products held for them, so they started including credit card numbers on the paper forms with the waiting list. This allowed them to run the transactions immediately on release day, but it also created a set of paper records containing personal information that was subject to both PCI DSS and local privacy laws. The company already had a policy on the books prohibiting this type of presale, but employees simply didn’t know about it. Communicating the policy to them addressed the problem.
Minimize Stored Information to Shrink Exposure
Contact center agents solicited quite a bit of personal information from customers during the course of a transaction and recorded all of that data in the company’s customer relationship management system. This information helped to build a better picture of the customer, but it also exposed the company to compliance risk. We worked with the retailer to incorporate data minimization tools in its CRM to easily anonymize those records, reducing the amount of regulated information stored.
As organizations take stock of their own compliance obligations, they should look for opportunities similar to those we discovered at this call center. Some problems can be solved with technology, while others are just checklists of activities, tried and true. Organizations able to minimize the scope of their compliance efforts will save time and money.