How to Secure an Omnichannel Contact Center in 2020


Omnichannel contact centers are the modern-day equivalent of the call centers and switchboards that previously comprised customer-service hubs around the world. Now, instead of housing only phones and call operators, these centers support multiple channels for customers and service agents to communicate and exchange information. However, despite the added convenience and efficiency of centralizing acceptance channels in omni call centers, these environments can be painstakingly difficult to secure, especially when attempting to comply with regulatory obligations for the handling of sensitive data.

Offering a multichannel call center that allows customers and agents to complete omnichannel interactions is an integral part of business operations for many merchants—both in terms of maximizing revenue and offering the best customer experience possible. But maintaining multiple channels for accepting payments and other operations greatly complicates the already complex task of compliantly protecting internal systems that process, store, and/or transmit sensitive data. Because call centers sometimes accept manually entered payments, not only do they expose additional channels to sensitive cardholder and personal data, but they also introduce the individual employees responsible for overseeing those operations to that same sensitive information.

Securing an Omnichannel Contact Center

Omnichannel contact centers are a preferred payment platform for customers who wish to talk to a live agent rather than interact with robotic operators or digital interfaces. Typically, contact centers collect both cardholder data and personal data to update account information, troubleshoot technology issues, provide customer service, and complete financial transactions. As these centers evolve in how they serve their customers, they also evolve in how they secure the sensitive data that enters their environments. However, this evolution toward easier use and greater flexibility can also expand an organization’s attack surface and potential for a data breach. Organizations also have to contend with the previously mentioned compliance concerns, which can be substantial. This is where security providers and data protection technologies can safeguard an organization’s environment and help it achieve company-wide compliance. 

Cloud-based tokenization, such as that offered by TokenEx and our Cloud Security Platform, can secure and desensitize nearly any data element, including those ingested by an omnichannel contact center. In doing so, we can reduce the compliance scope of a multichannel call center and satisfy the security controls mandated by many industry requirements and international regulations. When utilizing cloud tokenization to secure an omnichannel contact center’s internal systems, sensitive data never reaches its multichannel call center environment, resulting in significant risk reduction and a simplified compliance process for the omni call center.

Here are a few examples of commonly used omnichannel contact center technologies with which tokenization can integrate to secure sensitive data.


Point-to-Point Encryption (P2PE)

The most common solution for protecting the data of omnichannel contact center customers is point-to-point encryption (P2PE) via a PIN-pad device. These devices (from Magtek, Ingenico, Verifone, ID Tech, and other manufacturers) connect to the USB port on a desktop computer and have a keypad for entering payment card data, which is also known as payment card information (PCI) and cardholder data (CHD). The TokenEx P2PE service integrates with omnichannel contact center applications in conjunction with the encryption PIN-pad device to accept the payment data. The PIN-pad device reads the encrypted primary account number (PAN) as it is entered and then transmits the encrypted data directly to TokenEx’s Cloud Security Platform, where it is decrypted, tokenized, and stored for future transactions. Only the token is returned to the omnichannel contact center for additional processing and storage, keeping the original, sensitive data from entering the call center environment.

Interactive Voice Response (IVR)

Another commonly deployed component of omnichannel contact centers is an interactive voice response (IVR) system, or speech-recognition software package. IVR technology enables customers to utilize self-service payment options 24 hours a day, seven days a week by allowing them to manually enter data by speaking into a phone. The IVR software recognizes the speech and then converts it to digital form to record the information necessary for the interaction. TokenEx’s omni call center customers utilize our web services API to tokenize sensitive data at the boundary of the IVR environment to prevent other applications and systems from encountering sensitive data. As a result, everything downstream from the point of acceptance is effectively removed from compliance scope.

Dual-tone Multifrequency (DTMF)

Many organizations that operate a multichannel call center also leverage dual-tone multifrequency technology to accept sensitive data. Whether the DTMF module is part of a larger internal software package or outsourced to a third party, compliance and security concerns can still be an issue. Similar to TokenEx’s IVR integration, DTMF solutions allow omni call centers to make an API call to TokenEx to tokenize the sensitive data after they digitize the data entered by a customer. TokenEx then returns a token for additional processing and storage, supporting seamless, secure transactions in the future.

Desk Agent Solutions

Once the sensitive data traversing an omnichannel contact center is secured, perhaps the most difficult task from a compliance perspective is removing an omni call center agent’s desktop from scope. The problem with the omnichannel contact center’s desktop setup today is the tremendous amount of overhead the device introduces through technical and process controls driven by compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS). For example, the PCI DSS requires an omnichannel contact center agent’s desktop that is used for accepting payment card data to be patched regularly, have numerous activities logged and reported, have activity timeouts enabled, and meet many other maintenance-related requirements. This results in a cumbersome, labor-intensive compliance process.

Additionally, an organization must implement internal processes to ensure the individuals manually operating these desktops and accepting payments through them are not also viewing or collecting payment card information outside of the parameters of their job duties. The more desktops and agents employed in an omnichannel contact center environment, the more complicated and difficult it becomes to manage this risk.



Tokenization for Omnichannel Contact Centers

Most organizations, regardless of size, need an omnichannel strategy to provide them with the flexibility to maximize their business capabilities. Whether their primary acceptance channel is an ecommerce web store, mobile application, or call center, they need to be able to accept payment and personal data in the form their customers prefer, while simultaneously keeping that sensitive data out of internal systems. TokenEx provides flexible products and solutions for securing and desensitizing data via any acceptance channel.

The process of tokenization exchanges a sensitive data element—credit card account number, date of birth, Social Security number, etc.—with an indecipherable, nonsensitive placeholder called a token and then stores the original, sensitive data outside of an organization’s internal systems. Tokens are irreversible and cannot be returned to their original form without additional information. As a result, tokenization virtually eliminates the risk of data theft. In the event of a breach, no sensitive data will be exposed—only nonsensitive tokens—and in some instances, breach notifications might not be required. 

Our Cloud Security Platform can safely and securely remove sensitive data from omnichannel contact center environments without significantly altering an organization’s existing business processes, resulting in nearly frictionless flexibility in how an organization stores, accesses, and uses its sensitive data. To remove contact centers from PCI scope, we leverage Syntec's CardEasy secure contact centre payment solution.


