ITBriefcase Exclusive Interview: Securing Cloud Based Contact Centers with Dennis Empey, Echopass Corporation
September 11, 2013
In the following interview, Dennis Empey, chief information security officer at Echopass Corporation, discusses the serious risks to cloud-based contact centers – and what you should be doing today to protect your customers.
- Q. What’s driving the need for cloud service providers to take such a heightened approach to security?
A. As cloud adoption expands, maintaining adequate security protection for applications managed from the cloud has become increasingly important. Dramatic market acceptance and growth rates of cloud-based applications and services are quickly colliding with an explosion in security intrusions and violations, requiring intensive and ongoing corporate vigilance to meet enhanced security standards.
Echopass Corporation believes that the threat of personal information theft will expand enormously in the future, and continued hacking and infrastructure intrusion will require significant additional allocation of resources to protect corporate assets, customer confidentiality and privacy. The well-publicized security breach incidents at T.J. Maxx and American Honda resulted in multiple millions of dollars of liability and court cases related to these intense, focused and well-organized attacks that have had significant repercussions for companies – and their customers that were on the receiving end of these malicious acts.
Source: Gartner Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q update, February 8, 2013
- Q. So where does PCI fit into these risks?
A. PCI DSS is a comprehensive set of international security requirements for protecting personal cardholder data. PCI DSS was developed by Visa and the founding payment brands of the PCI Security Standards Council (Visa, MasterCard, American Express, Discover, and JCB International) to help facilitate broad adoption of consistent data security measures on a global basis.
Customer-facing contact center solutions are quickly moving to the cloud, putting additional pressure on the “front lines” for Payment Card Industry Data Security Standard (PCI DSS) compliance. That includes processes for requesting, entering and storing personal and confidential customer information such as social security numbers, credit card numbers and CCV (card code verification) by today’s geographically dispersed contact center agents.
- Q. How serious is the threat, specifically for contact center providers?
A. Credit card data theft has exploded, increasing 50 percent between 2005 and 2010, according to the latest figures from the U.S. Department of Justice. Millions of credit card numbers are for sale for as little as $10, according to Monica Hamilton, marketing director at McAfee. (Source: USA Today, April 14, 2013). And the number of malicious computer programs written to steal confidential information has grown from about one million in 2007 to an estimated 130 million today, according to Hamilton. Key elements to protect against personal information theft include awareness, security of personal devices, and the reliance on businesses to protect the use of customers’ personal information by implementing stringent security practices and conforming to strict PCI DSS requirements.
- Q. Doesn’t anyone processing or storing credit card information need to be PCI compliant?
A. In the past, and despite the growth of cyber-crime, cloud service provider companies had the option to support PCI DSS processes and confidentiality through “Self-Attestation” and a Self-Attestation Questionnaire (SAQ) to comply with the Level 2 standards required by the PCI Security Standards Council. While conformance to Level 2 “Self-Attestation” is important, today’s business and customer care environment demands a much more stringent approach. As PCI compliance below Level 1 certification is performed on the honor system, it becomes even more critical that companies maintain their vigilance and due diligence.
Regardless of the number of transactions involved, it is essential to provide greater scrutiny and maximum compliance with PCI DSS standards to prevent ever-increasing attack efforts and the huge financial liabilities for the companies under attack.
- Q. Is that what motivated Echopass to go the full extent of Level 1 certification?
A. Exactly. At Echopass, we process millions of calls a month for some of the largest companies in the Fortune 500. These large organizations often require consumers to provide confidential credit card information as part of their interactions. We believe that the need to operate at the absolute highest levels of conformance to ensure both client and customer security is critical regardless of transaction volumes.
In February 2013, and in response to the current growth of cloud services, a new update to PCI DSS Version 2.0 was released by the Cloud Special Interest Group of the PCI Security Standards Council. Although not required for every contact center, implementing and adhering to the most current set of PCI DSS security measures are critical and essential steps for any cloud provider seeking to demonstrate conformance and compliance with the latest accepted PCI standards.
The need for utmost attention and discipline around PCI DSS compliance is paramount to protect consumers and the companies that they do business with. This requires PCI Level 1 certification, complete with a rigorous audit by a QSA and ongoing periodic review of all policies and procedures to ensure continued Level 1 compliance and protection of customer data and privacy.
- Q. Looking forward, what message would you send to other cloud providers who are evaluating – or maybe not even considering – the available methods to protect their customers’ data?
A. As a cloud service provider, we strongly believe the dramatic cloud-based contact center adoption signals the need for more discipline, tools and adherence to full Level 1 PCI compliance and certification to confront the growing security threats. If they haven’t already, companies also should initiate full-time security alertness and mentoring by positions such as the recently created Chief Information Security Officer, a role that is quickly gaining importance.
Cyber-attacks will continue to escalate over time. It is incumbent upon responsible organizations to seek suppliers and environments that conform to the highest levels of security. Managing to the highest standards of security provisioning, inspection, and diligence is an ongoing requirement that dictates continued observance if organizations are to properly protect their clients, and most importantly, their clients’ customers.
Dennis Empey
Chief Information Security Officer and Senior Vice President, Service Delivery
Dennis Empey is responsible for all security within the Echopass environment and for the Echopass service delivery platform, and is the senior product strategist, setting direction for all Echopass platforms, products and services. His 20 years of product management and marketing experience includes tenure as vice president and general manager for Argogroup and key management roles with Lucent Technologies’ Service Provider Messaging division including responsibility for all international markets.
Earlier in his career, Dennis also was responsible for advanced network services products as a senior marketing and product manager at MFS Intelenet, and managed enterprise ACD products and services at Nortel.
He holds a B.S. in management from Golden Gate University.