Road to Security: Our SOC2 and PCI Certifications

Data security is top-of-mind with everyone now, especially anyone who shops online. So, it is critical that call centers assure customers and business partners that their credit card and other sensitive information is safe. In order to build that trust, many call center management teams take the necessary steps to obtain Service Organization Control (SOC2) and Payment Card Industry Data Security Standard (PCI DSS or PCI for short) certifications, which offers independent third-party verification that a call center is using stringent security measures.

Here at The Connection®, we are proud to be both SOC2 compliant and PCI certified. Here is what that means for call centers like us.

What is PCI?

The Payment Card Industry Data Security Standard was created by the major credit card brands. The goal is to protect credit and debit card transactions against potential fraud or theft.

The PCI standard applies to companies of all sizes that accept, store, or transmit credit card payment data. The current version of the PCI standard includes more than 400 security controls organized into 12 primary requirements with six security goals:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

What is SOC2?

Service Organization Controls were created by the American Institute of Certified Public Accountants. SOC2 is an audit procedure that helps service providers, such as call centers, establish and monitor data protection controls based on specific “trust service principles.” These are:

1. Security
2. Availability (performance monitoring)
3. Processing integrity of the systems used to process data
4. Confidentiality (such as encryption)
5. Privacy of the information processed by these systems

Certifications Are Not “One and Done”

We monitor numerous aspects of our PCI and SOC2 compliance requirements on an ongoing basis to ensure all protections are functioning as planned. Both certifications require ongoing security monitoring and compliance enforcement day in and day out.

However, to retain our certified status, we must also conduct an annual audit of our programs. This annual review is not merely an opportunity to check boxes off a list. Re-certification requires documentation and evidence showing various compliance activities occurring daily, monthly, quarterly, etc. We also conduct regular security training and awareness initiatives for all employees.

The annual audit involves several steps:

• First, we identify the types of sensitive data we are collecting, storing, and transmitting within our call center environment. We also identify which of our systems are involved with those processes. This helps us define the scope of our audit.
• We complete a risk analysis to determine any potential security vulnerabilities and associated threats. The best way to reduce risk is to store the minimum amount of sensitive data and remove any data we don’t need.
• We work hand-in-hand with our PCI or SOC2 auditor to map the compliance requirements to our existing controls. Mapping helps to identify gaps, so we can then develop a plan to implement or improve controls not already in place.

PCI and SOC2 both require extensive documentation of security policies, procedures, and monitoring activities.

Conclusion

Customer trust is critical for call center success. At The Connection®, we take that trust seriously, and our PCI and SOC2 certifications demonstrate that. For us, it is one more way we can ensure we are giving our clients and their customers the best possible call center experience.