According to the Post Pandemic Contact Center report, 76% of contact center leaders believe that compliance is the biggest challenge of remote work in 2021.
Contact centers deal with a deluge of customer information on a daily basis. These interactions are recorded, transcribed and stored. A substantial part of the recorded information is sensitive, such as a client’s credit card details, address, and social security number. As a result, putting proper compliance workflows in place to mask this information before storing it in your internal repository is absolutely essential.
What is Redaction?
Redaction is the process of censoring sensitive information from audio recordings and transcripts to prevent fraud.
The main objective of redaction is to prevent unauthorised access and minimise any chances of a data security breach leading to fraudulent transactions or misuse of information.
Why is redaction important?
Contact centers most commonly use sensitive information such as name, address, social security numbers, birthdays, assets and property for either customer verification or financial transactions.
This information, if accessed by unauthorised people, could be susceptible to misuse. Being unable to effectively protect client information is a compliance breach and almost always leads to financial lawsuits, the imposition of penalties, and loss of brand reputation.
Data protection legislation varies from country to country, and so do the penalties. In a world driven by data, there is very little room for compromise when it comes to data security. Compliance, data security, and fraud prevention are therefore the top-most concerns for contact centers, making redaction absolutely essential to workflows.
Compliance
In 2004, the world’s then largest credit card companies collaborated to create a set of security regulations to protect personal information of customers during a transaction. These regulations, called PCI DSS (Payment Card Industry Data Security Standard) compliance, are necessary for any contact centers handling financial transactions.
Other compliance standards to protect data privacy are GDPR (General Data Protection Regulation) (General Conditions for imposing administrative fines) in the European Union and the Freedom of Information Act (FOIA) in the US of A. Besides, more local legislation such as the California Consumer Protection Act (CCPA) also has important clauses emphasising data protection via redaction.
To put things in perspective, non-adherence with GDPR is a punishable offence with a fine of up to $25M. Similarly, violation of CCPA can lead to a fine of up to $750 per consumer depending on the scale of damage.
Redaction must therefore be in line with both local as well as global compliance standards.
Data Security and Fraud Prevention
$161 is the average per-record cost of a data breach, including PCI/PII or sensitive data.
Dealing with sensitive data every day automatically increases contact centers' vulnerability to data fraud. In case of unauthorized access, one data breach can branch off into banking and financial fraud, hacking and denial of access attacks, etc.
Complete censorship of critical information is the only way to prevent such serious attacks and safeguard the wealth of client information.
Information to be redacted: PII and PCI
So, what is the exact information that needs to be protected and how do we identify it?
Personally Identifiable Information (PII) and Payment Card Information (PCI) are two categories of information that must be handled carefully and censored effectively.
- PII: Information used for identity verification, such as name, age, date of birth, driver’s license number, Social Security Number (SSN), biometric records, email ID, and birthday, falls under PII.
- PCI DSS: A cardholder’s information like primary account number, expiry date, and CVV code. Merchants, vendors, or contact centers that handle credit or debit card information have to be PCI DSS compliant.
How does redaction work?
A number of tools and techniques suited for contact centers are used for redaction, each with its own features, benefits and shortcomings.
- Agent-initiated recording pause
- Desktop-based Redaction
- Keyword-based Redaction
- Numeric redaction
- Contact Center AI
Let’s try to understand each of these in detail.
1. Agent-initiated recording pause
This is the most rudimentary technique of redaction, not entirely approved by PCI DSS. Here, the agent manually pauses the recording when the customer is sharing PII or PCI data. During transcription, this information does not exist, thus precluding any chance of data breach or fraud.
But the manual nature of the stop and resume method is prone to human error: an agent may forget to pause the recording, or the customer may provide details before the agent pauses. Agents can also misuse the manual pause feature to censor undesirable parts of the calls, like escalations, and prevent quality assurance (QA) teams from reporting the same.
Another disadvantage of agent-initiated recording pause is that redaction issues are caught after they’ve occurred. By the time QA, compliance, or fraud teams manually identify it, the breach would have already escalated.
2. Desktop-based Redaction
In this slightly more advanced method of redaction, desktop analytics packages monitor cursor fields and automatically pause recordings when the cursor falls into a regulated field. But this practice is dependent on the timely reaction of the agent and their typing speed; the call may record the PCI or PII details even before the agent has moved the cursor to the regulated field.
3. Keyword-based Redaction
To make this redaction work, you maintain a list of keywords in speech analytics software. The algorithm identifies those words and phrases in calls and redacts them from transcripts and recordings. However, it requires additional bandwidth to update the keyword list regularly as organization or market needs change. Due to its human dependency, it is unscalable and error-prone.
4. Numeric Redaction
The redaction software automatically removes all kinds of numeric data from the calls and transcripts, like time mentions, price, CVV, etc. This algorithm identifies the data using criteria such as two or more numbers found in a sequence or numbers found around a specified keyword.
5. Selective Redaction
Selective Redaction leverages entity detection and attention-based deep neural networks to accurately identify sensitive named and numerical entities in customer conversations. Once the entities are detected, AI redacts only the sensitive entities of your choice, while the remaining portions of the conversation are still transcribed and visible.
This solves the issue of over-redaction or under-redaction and is independent of human errors, while also allowing contact centers to protect sensitive customer data with high accuracy without losing any contextual information required for intelligent business decisions.
Once the entities are detected, AI takes the redaction a step further with selective redaction: here, parts of an entity are redacted, while the remaining portions are still transcribed and visible.
This solves the issues of over-redaction, under-redaction, and speed, and is independent of agent errors, while also allowing contact centers to customise automated redaction to their unique needs.
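The numeric rule from section 4 next to a selective pass, as an added example that is not the article's or any vendor's code. The selective pass uses a Luhn checksum and a keyword window as a simple stand-in for the neural entity detection described above; the transcript, keyword list and function names are constructed for illustration.

```python
import re

# Constructed transcript line, not taken from a real call.
TRANSCRIPT = ("agent: your appointment is at 10 30 and the fee is 45 dollars. "
              "customer: my card number is 4111 1111 1111 1111 and the cvv is 123.")
KEYWORDS = ("card number", "cvv", "social security")  # hypothetical keyword list
RUN = re.compile(r"\d+(?:[ -]\d+)*")  # one number, or several separated by space/hyphen

def keyword_before(text, pos, keywords, window=30):
    """True if any keyword occurs in the `window` characters before `pos`."""
    before = text[max(0, pos - window):pos].lower()
    return any(k in before for k in keywords)

def numeric_redact(text):
    """Blanket rule: redact 2+ numbers in a sequence, or any number near a keyword."""
    def repl(m):
        multi = len(m.group().replace("-", " ").split()) >= 2
        if multi or keyword_before(text, m.start(), KEYWORDS):
            return "[REDACTED]"
        return m.group()
    return RUN.sub(repl, text)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def selective_redact(text):
    """Redact only card numbers (keeping the last four digits) and CVVs."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "[CARD ****" + digits[-4:] + "]"
        if len(digits) in (3, 4) and keyword_before(text, m.start(), ("cvv",)):
            return "[CVV]"
        return m.group()
    return RUN.sub(repl, text)

if __name__ == "__main__":
    print(numeric_redact(TRANSCRIPT))    # the appointment time is lost too
    print(selective_redact(TRANSCRIPT))  # time and fee survive, card is masked
```

The blanket rule removes the appointment time along with the card data, which is the over-redaction the selective approach is meant to avoid.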
Conclusion
With remote work and a massive volume of sensitive client information, it is becoming increasingly difficult to protect sensitive information and prevent fraud using traditional, manual-oriented methods. To be proactive with measures against data breaches and security threats, contact centers should explore and invest in technology like AI and automated redaction to help them save tens of millions in hefty fines, protect brand reputation, and withstand the changing economy.