Contact centers deal with a deluge of customer information on a daily basis. These interactions are recorded, transcribed and stored. A substantial part of the recorded information is sensitive, such as a client’s credit card details, address, social security number, and others. As a result, putting proper compliance workflows in place to mask this information before storing it in your internal repository is absolutely essential.
What is Redaction?
Redaction is the process of censoring sensitive information from audio recordings and transcripts to prevent fraud.
The main objective of redaction is to prevent unauthorised access and minimise any chances of a data security breach leading to fraudulent transactions or misuse of information.
Why is redaction important?
Contact centers most commonly use sensitive information such as name, address, social security numbers, birthdays, assets and property for either customer verification or financial transactions.
This information, if accessed by unauthorised people, could be susceptible to misuse. Being unable to effectively protect client information is a compliance breach and almost always leads to financial lawsuits, penalties, and loss of brand reputation.
Data protection legislation varies from country to country, and so do the penalties. In a world driven by data, there is very little room for compromise when it comes to data security. Compliance, data security, and fraud prevention are therefore the top-most concerns for contact centers, making redaction absolutely essential to workflows.
In 2004, the world’s then largest credit card companies collaborated to create a set of security regulations to protect personal information of customers during a transaction. These regulations, called PCI DSS (Payment Card Industry Data Security Standard) compliance, are necessary for any contact centers handling financial transactions.
Other compliance standards to protect data privacy are GDPR (General Data Protection Regulation, including its general conditions for imposing administrative fines) in the European Union and the Freedom of Information Act (FOIA) in the United States. In addition, more local legislation such as the California Consumer Protection Act (CCPA) also has important clauses emphasising data protection via redaction.
To put things in perspective, non-adherence with GDPR is a punishable offence with a fine of up to $25M. Similarly, violation of CCPA can lead to a fine of up to $750 per consumer depending on the scale of damage.
Redaction must therefore be in line with both local as well as global compliance standards.
Data Security and Fraud Prevention
The average cost of a data breach is $3.92M.
Because contact centers deal with sensitive data every day, they are inherently more exposed to data fraud. In case of unauthorized access, one data breach can branch off into banking and financial fraud, hacking and Denial of Access attacks, etc.
Complete censorship of critical information is the only way to prevent such serious attacks and safeguard the wealth of client information.
Information to be redacted: PII and PCI
So, what is the exact information that needs to be protected and how do we identify it?
Personally Identifiable Information (PII) and Payment Card Information (PCI) are two categories of information that must be handled carefully and censored effectively.
- PII: Information used for identity verification, such as name, age, date of birth, driver’s license number, Social Security Number (SSN), biometric records, email ID, and birthday, falls under PII.
- PCI DSS: A cardholder’s information like primary account number, expiry date, and CVV code. Merchants, vendors, or contact centers that handle credit or debit card information have to be PCI DSS compliant.
How does redaction work?
A number of tools and techniques suited for contact centers are used for redaction, each with its own features, benefits and shortcomings.
- Agent-initiated recording pause
- Desktop analytics
- Speech analytics
- Call redaction software
- Contact Center AI
Let’s try to understand each of these in detail.
1. Agent-initiated recording pause
This is the most rudimentary technique of redaction, not entirely approved by PCI DSS. Here, the agent manually pauses the recording when the customer is sharing PII or PCI data. During transcription, this information does not exist, thus precluding any chance of data breach or fraud.
But the manual nature of the stop and resume method is prone to human error. An agent may forget to pause the recording, or the customer may provide details before the agent pauses. Agents can also misuse the manual pause feature to censor undesirable parts of the calls, like escalations, and prevent quality assurance (QA) teams from reporting the same.
Another disadvantage of agent-initiated recording pause is that redaction issues are caught after they’ve occurred. By the time QA, compliance, and fraud teams manually identify it, the breach would have already escalated.
2. Desktop analytics
A slightly more advanced method of redaction, desktop analytics packages monitor cursor fields and automatically pause recordings when the cursor falls into a regulated field. But this practice is dependent on the timely reaction of the agent and their typing speed: the call may record the PCI or PII details even before the agent has moved the cursor to the regulated field.
3. Speech analytics
The moment a call recording is stored, a speech or voice analytics software runs a redaction routine to identify and automatically remove PII and PCI.
Some speech analytics software allows you to define a list of sensitive keywords and replace them with a more generic term or phrase in the transcript. Access to recordings is allowed only after the redaction process is complete.
4. Call redaction software
Using an algorithm, redaction software automatically removes sensitive data on a call transcription. This algorithm identifies the data using criteria such as two or more numbers found in a sequence, or numbers found around a specified keyword. Additionally, redaction software is also used to remove numeric data from text-based communication with the client such as email and SMS.
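The two criteria named above, sketched as an added example (not code from any redaction product). The keyword list, the three-token window and the spoken-digit vocabulary are assumptions, and the sample sentences are constructed.

```python
# Assumed vocabulary: digits as a speech-to-text engine may spell them out.
NUMBER_WORDS = {"zero", "oh", "one", "two", "three", "four", "five",
                "six", "seven", "eight", "nine"}
KEYWORDS = {"card", "cvv", "ssn", "expiry"}  # assumed trigger words
WINDOW = 3   # tokens after a keyword that are inspected (assumed)
MASK = "[REDACTED]"

def _core(token):
    return token.strip(".,;:!?").lower()

def is_numeric(token):
    core = _core(token)
    digits = core.replace("-", "").replace("/", "")
    return core in NUMBER_WORDS or digits.isdigit()

def redact_transcript(text):
    tokens = text.split()
    numeric = [is_numeric(t) for t in tokens]
    hide = [False] * len(tokens)

    # Criterion 1: two or more numbers found in a sequence.
    i = 0
    while i < len(tokens):
        j = i
        while j < len(tokens) and numeric[j]:
            j += 1
        if j - i >= 2:
            hide[i:j] = [True] * (j - i)
        i = max(j, i + 1)

    # Criterion 2: a number found shortly after a specified keyword.
    for i, tok in enumerate(tokens):
        if _core(tok) in KEYWORDS:
            for k in range(i + 1, min(i + 1 + WINDOW, len(tokens))):
                hide[k] = hide[k] or numeric[k]

    # Collapse each hidden run into a single mask token.
    out = []
    for tok, hidden in zip(tokens, hide):
        if not hidden:
            out.append(tok)
        elif not out or out[-1] != MASK:
            out.append(MASK)
    return " ".join(out)

if __name__ == "__main__":
    # Constructed transcript line; 4111 1111 1111 1111 is a test card number.
    print(redact_transcript(
        "My card number is 4111 1111 1111 1111 and the cvv is 123. I called 2 times."))
```

A lone number outside the keyword window ("2 times") survives, while a word such as "one" that lands next to a keyword would be masked even when it is not data: this is the over- and under-redaction trade-off of purely rule-based matching.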
5. Contact Center AI
In contact center AI, redaction allows contact centers to select sensitive data entities and censor (redact) them on both call audio and call transcripts.
AI-powered redaction begins with entity detection, where the AI service identifies the type of named or numerical entity that should be automatically redacted. Being able to accurately identify the type of entity is key, as contact centers need to accurately specify the entities they want to redact.
Once the entities are detected, AI takes the redaction a step further with selective redaction. Here, parts of an entity are redacted, while the remaining portions are still transcribed and visible.
This addresses over-redaction and under-redaction, is fast, and is independent of agent errors, while also allowing contact centers to customise automated redaction to their unique needs.
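Entity selection and selective redaction, as an added example that is not taken from any vendor's product: regular expressions and a Luhn checksum stand in for the AI entity detector, and the entity names, masking choices and sample text are assumptions constructed for illustration.

```python
import re

def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def keep_last4(match):
    """Selective redaction: mask every digit except the last four."""
    seen, out = 0, []
    for ch in reversed(match.group(0)):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)  # keep separators so the layout stays readable
    return "".join(reversed(out))

def mask_card(match):
    digits = re.sub(r"\D", "", match.group(0))
    # A 16-digit order number that fails Luhn is left alone (less over-redaction).
    return keep_last4(match) if luhn_ok(digits) else match.group(0)

# Entity type -> (detector pattern, masking function). Names are hypothetical.
ENTITIES = {
    "CARD": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), mask_card),
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), keep_last4),
    "EMAIL": (re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)"),
              lambda m: "***@" + m.group(1)),
}

def redact(text, selected):
    """Redact only the entity types the contact center selected."""
    for name in selected:
        pattern, mask = ENTITIES[name]
        text = pattern.sub(mask, text)
    return text

if __name__ == "__main__":
    # Constructed sample; the card number is a well-known test value.
    sample = ("Card 4111 1111 1111 1111, order 1234 5678 9012 3456, "
              "SSN 123-45-6789, mail jane@example.com")
    print(redact(sample, ["CARD", "SSN", "EMAIL"]))
```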
With remote work and a massive volume of sensitive client information, it is becoming increasingly difficult to protect sensitive information and prevent fraud using traditional, manual-oriented methods. To be proactive against data breaches and security threats, contact centers should explore and invest in technology like AI and automated redaction to help them save tens of millions in hefty fines, protect brand reputation, and withstand the changing economy.