That’s important because agents sometimes take consumers’ credit card numbers.
Increasing numbers of technology providers offer their products via the “cloud”—or hosted on the Internet rather than as software a retailer licenses and installs on its own machines. But keeping consumer data secure while it moves around the web, rather than between a merchant’s own servers, presents new challenges for merchants and vendors alike, according to the PCI Security Standards Council.
The council is a global forum founded in 2006 by payment card companies American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its mission is to develop and maintain rules for protecting consumers’ payment card data. In February, it released a new set of guidelines for data security in cloud computing, which outlines the responsibilities of both a vendor and a merchant sharing data over the web, among other things.
This month, Echopass Corp., a cloud-hosted contact center, announced it has updated its technology to meet the new standards. Although the vendor is not a payments processor, it works to comply with PCI standards because customer service agents sometimes handle sensitive customer data, says Dennis Empey, chief information security officer at Echopass. For instance, agents may take Social Security or credit card numbers by phone, he says.
“We believe incidences of personal information theft and hacking will expand enormously in the future,” he says. “There is nothing more important to us than our customers’ security, so taking these extra steps to provide the highest level of PCI compliance was vital.”
The vendor updated all its internal processes and policies, as well as its technology architecture, Empey says. Then, in order to be awarded the top level of PCI certification (Level 1), Echopass also needed to have a qualified security assessor audit its data security. FishNet Security did the job. As a Level 1 provider, Echopass will continue to undergo security assessments quarterly, Empey says.
“The fact that Echopass was able to perform these significant changes to their infrastructure and processes, and get through an assessment in six months, demonstrates commitment to the PCI standard and the security of its customers’ data,” says Bernard Batang, vice president of professional services for FishNet Security.
The external audit, which the PCI Security Council requires only for service providers that handle more than 300,000 transactions per year, should reassure large e-retailers that Echopass is keeping its security systems and practices up to date, says Drew Kraus, research vice president, enterprise communications applications, at technology consulting firm Gartner Inc. “To my knowledge, Echopass is the only cloud-based contact center provider that offers Level 1 service provider PCI certification,” he says.
Echopass caters to large organizations, including e-retailers such as Overstock.com Inc., according to Empey. Pricing starts at $145 per customer service agent per month. Overstock is No. 31 in the 2013 Internet Retailer Top 500 Guide.