Echopass enhances security of cloud-based contact-center platforms

Despite these successes, cloud-based services still suffer from negative perceptions regarding access and security.

“The number-one hurdle standing in the way of migration to the cloud is security,” Farris said.

While Echopass has taken security seriously—it always have been compliant with Level 2 of the data-security standards from the PCI Security Standards Council that was created by credit-card companies in 2006—the company recognized that it needed to do more, Farris said.

“As we moved up to the large-enterprise space, it became very apparent that we needed to focus on providing an even higher level of compliance, for a couple of reasons,” he said. “One is that PCI mandates that, if you handle more than 300,000 transactions as a service provider, you must be Level 1 compliant. Second, there is so much in the way of news in the marketplace, and fear in the marketplace, about security issues.”

As evidence, he cited claims made by Internet-security solutions provider MacAfee that the number of malicious computer programs has increased from 1 million to 130 million during the last five years. Over the same period, 610 million breaches of confidential information of individuals have occurred, Farris said.

“That has everybody attuned and sensitive around that,” he said.  “You have to be able to assure your clients that everything has been done, as much as humanly possible, to ensure that that infrastructure, that cloud-provisioning … is scrubbed and validated by a third party.”

In February 2013, PCI issued new cloud-computing guidelines. According to Farris, there are about 15,000 points that must be satisfied in order to gain compliance. For example, compliant service providers must be current in terms of malware protection, network monitoring and intrusion detection. Despite the challenges, Echopass was able to achieve Level 1 compliance in six months—far less than the 12-18 months it typically takes—largely by modifying its existing platforms, rather than creating something from scratch.

 For contact centers, a key security issue concerns call recording, particularly when credit-card transactions are involved.

“You absolutely have to make sure that data is secured—when it’s captured, when it’s transmitted throughout the network and when it is stored—because the calls are [are subject to] later playback,” Farris said.

The idea is to make sure that people who shouldn’t have access to sensitive information have no way of getting to it. An example would be a contact-center supervisor who wants to use call recordings for training purposes.

To that end, Echopass announced an enhancement to its platform last month that automatically pauses the call as soon as the call-taker begins to take credit-card information, regardless of whether it is verbal or on-screen.

“As soon as they start putting in the credit-card number, we can provide the facility that effectively stops the recording at the data-entry phase and then resumes it, as soon as the data-entry phase is complete,” Farris said. “So, you effectively block out that information from any retention at all.”