Contact centers and BPO providers in the Nearshore and throughout the world are struggling to meet data protection guidelines, such as those issued by the Payment Card Industry (PCI), as literally millions of employees attempt to turn their homes into makeshift offices.
Scaling to meet the demand by issuing hardware to workers is one thing, but ensuring that companies are completely in line with PCI compliance – especially those with “level one” certification – is turning out to be a much more complex undertaking.
At the beginning of March the PCI Security Standards Council (PCI SSC) issued a series of updates on the risks that the COVID-19 pandemic poses to PCI-compliance, as well as recommendations on how to maintain policies in remote work environments.
“All staff should receive security awareness training that emphasizes the importance of data security and be knowledgeable in the organization’s security policies and processes that apply to remote working. For example, policies and procedures should clearly prohibit any unauthorized copying, moving, sharing, or storing of payment card data in remote environments. Remote staff additionally need to be aware of their physical surroundings, taking care to prevent sensitive information from being viewed by unauthorized persons,” recommended the PCI SSC last week, while recognizing that some controls might be challenging to implement.
Nearshore Americas spoke with three BPO providers and an industry analyst to understand how the industry is adapting to this new reality and the potential security risks that come with it.
“In the operations that are not directly managed by banks, it is very possible there are PCI violations going on because there is remote access from other locations. This is something that needs to be revised,” said Alejandra Romero, a Mexico City-based industry analyst with over twenty years of experience, including a 16-year run as a chief operating officer at Qualfon.
For Romero, the pandemic has led to a tidal wave of disruption and a level of disorganization that had never really been considered as a possibility for many BPO operators. Because of that, most Business Continuity Plans (BCPs) were developed without imaging the current scenario where huge volumes would have to be migrated to remote sites in a very short period of time. The high volume of agents that have been moved to work-at-home introduces a series of IT, security and monitoring challenges that are acutely important for contact centers with clients who require PCI adherence.
Basic PCI Security Measures
In an ideal scenario, contact centers and BPO providers that move agents to at-home locations should be providing those agents with company-issued equipment, which should already include updated security software to protect against privacy breaches. The companies’ local networks should also be designed to support those off-site connections.
Hui Wu-Curtis, President and COO at World Connection, said that her company moved all of its 700 agents to their homes. World Connection has sites in Guatemala City and Boise, Idaho. In Guatemala, the government has implemented hard social distancing measures and has closed contact centers that didn’t follow them. “Before this, we didn’t offer a work-at-home option, but we had the infrastructure ready to go, which is why we were able to do it within two days,” Wu-Curtis said.
“We didn’t want any of our employees to use their own equipment, so what we did, we inventoried and sent home company-issued equipment to all of our employees. It has the same security protocols. It’s still a lockdown, we still have monitoring capability. So, everything is the same, systematically.” she added.
One of the world’s largest providers, Sitel, faced similar challenges when deploying Nearshore agents to at-home environments. With presence in Mexico, Nicaragua, Colombia, and Panama, Sitel took advantage of its experience with work-at-home in North America.
Pete Weaklend, Senior Vice President of Solutions and Innovations at Sitel, told Nearshore Americas that leaders implemented work-at-home both with company-issued equipment and with agent devices that pass a requirements test. As of last Thursday (March 26th), Sitel transitioned 47% of agents in Panama to work from home, and 53% in Colombia. The goal is to reach 70% and 75% of agents working from home, respectively, within a week.
“When agents take home a PC from our site, we establish a secure VPN connection, which ensures that it provides the security and controls we need from a PCI standpoint,” Weaklend said.
“For the agent’s PC solution, we use a Linux bootable USB that completely locks down the agent’s operating system, drivers, ability to print, everything. It opens up a new OS on that PC. It becomes a dumb terminal that is now connected to our network,” he added.
Everise also benefited from having a work-at-home infrastructure built to scale. As the pandemic measures became more stringent around the world, the company’s priority shifted to deploying work-at-home for agents in Kuala Lumpur, Manila, and Guatemala. “As of today, we moved home roughly 71% of our agents globally, the goal for phase one is to reach 82% of the agent population, and then for phase two it would be the remaining positions,” said Amy Grisham, Senior Manager of IT Governance & Compliance at Everise.
Grisham says that the pandemic caught the company in the middle of its PCI-compliance assessment, so the topic was fresh in the minds of leadership. The work-at-home platform is based on recently developed requirements. Some of the IT security measures include multifactor authentication and data privacy procedures, handled through network segmentation techniques.
The Physical Challenge
Some industry observers have worried that broadband connectivity would become a big challenge for Latin American and Caribbean-based workers, however so far those concerns seem to be unwarranted. Most BPO providers are located in metropolitan areas where the telecommunications infrastructure tends to be reliable and pervasive. Many in the industry are watching carefully to see whether demand for network resources erodes performance. Additionally, some question whether the electrical grid in various locations will endure added strain.
Aside from the broadband and equipment provisioning issues is the biggest worry of all: physical security. PCI-compliance requires very specific physical accommodations. Desk are expected to be clean and uncluttered. “Entry controls” are expected to add an extra dimension of protection that – in the real world of the call center – typically includes security personnel, checking bags and using badges to verify the identity of those entering the floor.
The topic of data protection inside Nearshore call centers is, understandably sensitive. There have been actual breaches, most notably when two call center agents servicing AT&T in Monterrey, Mexico were found in 2015 to have sold personal customer data to an outside third-party. The personal details of almost 280,000 U.S. customers, including “full or partial” Social Security numbers was compromised. (The investigation also resulted in the discovery of violations in the Philippines and Colombia.)
The U.S. Federal Communications Commission (FCC) ordered AT&T to pay a $25 million fine because of the breaches.
How can providers guarantee their agents will not write down credit card information, or snap screen shots on a mobile device, in an environment over which they have no control?
“The physical environment within which an office worker or home worker is taking card payments over the telephone should be effectively monitored, and access controlled,” recommended the PCI SSC on their website last week.
World Connection is considering providing their at-home agents with webcams that could detect unusual activity at the desk level.
“We would try to live stream monitor, or, if the network can’t handle that, then we are going to bounce in to monitor their activity periodically, so they know that at any moment they are going to have random monitoring throughout the day,” Wu-Curtis said.
However, for Alejandra Romero, monitoring via webcams, particularly live streaming, poses a broadband issue everywhere, particularly in a moment where residential networks are strained due to the increased traffic.
For his part, Weaklend recognizes the constraints potentially existing in the “last mile,” an element that is hard for companies to control directly.
“We are using all of the security and confidentiality waivers that the agents sign, the equipment waiver that they sign, all the background check pieces where we can. All those standard things to make sure the employee is aware of this issue,” Weaklend said.
“All of our at-home processes are designed with the same controls that have been certified for us in the US. As far as the actual at-home environment, the ‘can they write something down?’, that has to be covered by the controls that we have around the employee, the trust in the employee. And that goes for all time, including everything we deployed for work-at-home in the US,” he concluded.