It’s no secret that the holidays are a wonderful time of year for retailers. This holiday season, Deloitte predicts that retail sales will grow as much as 5.6 percent from last year, topping $1.10 trillion. In parallel, retailers’ contact centers can expect to see spikes not only in customer inquiries, but also in phone payment transactions.
To accommodate these high-volume times and ensure customers have the best shopping experience, many retailers, big and small, hire seasonal contact center agents. For example, Gap Inc. plans to hire 65,000 seasonal workers this year, many of whom will be stationed in contact centers. Similarly, Macy’s is hiring 1,500 seasonal agents at its contact centers in Florida and Arizona. While extra hands on deck can help retail contact centers thrive during the holiday season, temporary employees also come with a few weighty risks.
Because contact centers process and store a host of Personally Identifiable Information (PII) – including payment card data – they are prime targets for fraudulent activity. However, outside threats (like hackers and phone scammers) aren’t the only ones eyeing the contact center’s PII goldmine, as those inside the organization can also put sensitive data at risk. These “insiders” include contact center agents and customer service representatives (CSRs) who may copy down payment card data, eagerly read aloud by a customer making a seasonal purchase over the phone. An agent could also coerce or bribe a colleague (or be bribed) into sharing PII, or even accidentally leak data by falling victim to a phishing attack.
While we have reason to believe that most agents are good, honest people, it takes just one bad actor to expose or steal payment card data and tarnish a brand’s reputation. Therefore, retailers must take extra caution when it comes to hiring seasonal or temporary agents, for several reasons.
Weighing the Risks of Seasonal Agents
First, temporary or seasonal employees may feel as though they have no real allegiance to the company or employer – they often see this job as just another short-term opportunity. Whether they jot down credit card numbers as a customer reads them aloud, or illicitly access CRM databases housing unencrypted payment information, temporary agents may find this PII all too tempting. Moreover, these agents may falsely believe that their nefarious activity will go unnoticed, assuming that they’re less likely to face any serious consequences because they’ll be gone in a few months.
Second, retailers are increasingly bringing on seasonal staff in the form of remote or “work from home” agents. While this model can help lower overhead costs and streamline the hiring and onboarding process, it comes with much higher risks. Remote agents (whether or not they are seasonal or temporary) intrinsically have less supervision and security. They may also use personal computers and other unmanaged devices to collect and process customer payments. This makes it nearly impossible for a retailer to ensure agents abide by strict data security practices, and more importantly, comply with the Payment Card Industry Data Security Standard (PCI DSS).
Lastly, the hiring, vetting and training processes are often rushed or less stringent for temporary seasonal agents. Agents with malicious intentions or a complacent attitude towards data security can inadvertently slip through the cracks during the onboarding process – and later come back to bite the hiring organization.
How to Secure Your Contact Center Amidst the Seasonal Employee Surge
As data privacy and security remain top-of-mind concerns for consumers, it’s imperative that retailers take the necessary precautions to mitigate data theft and keep their brand names out of reputation-damaging headlines. While retailers may be in a rush to fill positions with the holidays looming, best hiring practices and proper security protocols shouldn’t be sacrificed for headcount. Here are six steps to take in securing your contact center during this holiday season’s seasonal agent surge:
- Vet all potential hires: Perform thorough background checks, and don’t accelerate the process for any reason. Your customers’ data and your brand’s reputation are too important.
- Spend time to train employees: Implement specialized training and hold seasonal employees to the same security practice standards as full-time employees. Run through real-world scenarios and describe the ideal response, as well as the repercussions of a breach.
- Emphasize security basics: Reinforce security best practices, including locking computers when leaving a workstation and frequently changing passwords. Roll out clear steps to report breach attempts, security incidents or anything suspicious to management.
- Enforce the principle of least privilege user access (LUA) on all systems: This principle means that employees should have the minimum level of access to PII to perform their jobs at any given time.
- Segment networks to protect payment data: For instance, accept payments on systems that are entirely separate from day-to-day business activities, such as email.
- Focus on compliance: Perform a PCI DSS audit, or at the very least, a self-assessment – do your due diligence and inspect your information security infrastructure and plan before major hiring efforts.
How Technology Can Help Secure the Contact Center
There’s only so much that employee training and security best practices can do to protect your contact center from every security threat, including rogue seasonal agents. Here’s where technology can fill in the gaps, especially “descoping” solutions that remove sensitive data from the business environment entirely.
For example, retail contact centers may use dual-tone multi-frequency (DTMF) masking technologies to eliminate the security threat seasonal agents pose to payment card data. As recommended by the PCI Security Standards Council, DTMF masking technologies allow customers to discreetly enter payment card data directly into their phone’s keypad. The DTMF sounds are masked with flat tones so the agent on the line, call recordings and nearby listeners cannot decipher the numbers. While agents remain in full voice communication with the customer, the data is sent directly to the payment processor. This eliminates the opportunity for agents – including temporary or seasonal workers – to access sensitive information. From a compliance perspective, contact centers can also more easily comply with the PCI DSS and other stringent regulations using these descoping technologies, while empowering agents to provide the best possible customer service without fear of exposing PII.
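The split described above, modeled in Python as an added illustration (it is not from the original article or from any vendor's product): keypad digits are routed to a processor payload while the agent and recording leg receives only identical flat tones. The event format, the `#` and `*` key handling, the status strings and the Luhn check before hand-off are assumptions made for this example.

```python
FLAT_TONE = "<flat-tone>"  # constructed marker standing in for the masking tone


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_call(events):
    """Split the customer leg into the agent/recording leg and a processor payload.

    events: ("voice", text) or ("dtmf", key) tuples from the customer's phone.
    Returns (agent_leg, processor_payload, agent_status).
    """
    agent_leg, digits, capturing = [], [], True
    for kind, value in events:
        if kind == "voice":
            agent_leg.append(("voice", value))   # speech passes through unchanged
            continue
        agent_leg.append(("tone", FLAT_TONE))    # every keypress is heard as the same tone
        if value == "#":                         # assumed: '#' ends card entry
            capturing = False
        elif value == "*":                       # assumed: '*' restarts card entry
            digits, capturing = [], True
        elif capturing:
            digits.append(value)                 # digits exist only on the processor side
    pan = "".join(digits)
    if 13 <= len(pan) <= 19 and luhn_ok(pan):
        return agent_leg, {"pan": pan}, f"card accepted ({len(pan)} digits entered)"
    return agent_leg, None, "card number invalid, ask the customer to re-enter"


# Constructed call: the customer mistypes, presses '*' and enters a test card number.
SAMPLE_CALL = (
    [("voice", "I'd like to pay by card")]
    + [("dtmf", k) for k in "411*4111111111111111#"]
    + [("voice", "All done")]
)

if __name__ == "__main__":
    leg, payload, status = mask_call(SAMPLE_CALL)
    print(status, "| agent leg events:", len(leg), "| sent to processor:", payload is not None)
```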
While the holidays may add an extra layer of risk in the retail contact center due to the influx of seasonal and temporary staff, data security must be a continual and evolving year-round effort. Using a combination of proper hiring strategies, employee training techniques and descoping technologies will best help you safeguard payment card data, protect your brand and ensure a frictionless customer experience.