Security for Contact Centers

Tech Gurus, John Romeo and Jim Bowers, explore how security plays into your customers’ contact center solutions.

Security is front of mind for a lot of organizations these days, especially due to the 400% increase in cyberattacks since the pandemic started. Notable and alarming attacks include those on the federal government with nation-state threat actor using existing 3rd party tools as vehicles for intrusion. Your customer’s contact center is no exception – they’re facing standard cyber security attacks, such as DDOS attacks, but are also seeing an increase in attacks targeting customers’ personal data. If they are using a cloud-based contact center managed and maintain in a data center, these threats can increase; even more so if they outsource contact center agents, increasing points of access and areas of liability.

Determining the best option for your customer and their organization can be difficult, but this article is designed to give you some modern concepts and best practices that should be applied, regardless if their contact center is staying on premise or in the cloud.

PCI compliance

No amount of contact center technology will guarantee that your customer is in full PCI compliance, since the scope of compliance goes beyond contact center to ensure no sensitive financial data is ever made available to inappropriate or malicious parties. Limiting access by agents and securely storing call center records helps keep data protected and mitigates PCI concerns.

One way to accomplish this is to create an interface that agents can transfer callers to take the customer’s payment data, process it, and then transfer the caller back to the agent once the transaction is complete. If this can be done by an independent outsourced agent it is best so that data is never stored with the customer, only shared with the financial institution facilitating the payment. This is preferred over having the caller share their information with your customer, and then your customer is involved in the direct handling of sensitive data. This also prevents agents from writing down sensitive information offline and other employees, including IT admins, having access to log files showing private financial information.

May21-BLOG-Security-Contact-Centers[45]Data Management

The data that your customer is storing and transmitting should always be encrypted, an important layer of security. This makes it more difficult for sensitive data to be viewed without the encryption keys, further demonstrating the business’ commitment to keeping customer data protected. The best practice is to avoid storing or transmitting sensitive customer data if possible; if you must store it, try to set for short durations and then permanently purge it or find a way to move another secure location for long-term archival. It is important for a business to evaluate if data needs to be stored – do they need to keep the customer’s social security number on file or can they instantly purge sensitive data?

Many businesses have a CRM integration capturing this information in real-time, making it unnecessary to store. Additionally, if call recording is mandated for security purposes, find a way to transcribe these recordings to isolate sensitive data. Then using an automated or manual process, delete or relocate this data on a continual basis. Businesses should also see if they can identify if there is a more secure want to acquire this data, such as having the customer submit the data in a secure system or only provide limited digits, versus providing all information to a live agent.

Firewalls – Sometimes a Contact Center’s Worst Enemy

Firewalls are a good security measure and contact centers can benefit from using them, but as a cloud communications architect supporting contact centers for the past two decades, I have seen first-hand how many support tickets are caused by these security measures – at least 30%. It is not uncommon for security personnel or an automated security application to shut down critical service. The unfortunate truth is IT security staff and contact center engineers typically do not run in the same circles. IT security for the most part are experts on standard network and UC technology. If you have an IVR doing a database dip to an external database or an agent recording a greeting using a web-based desktop client, security might be unaware of the access required and can disrupt these services without even knowing what they have done. Another best practice is that when changes are made to security policies or configurations on security appliances, these changes are conveyed to contact center support. It is much easier to then draw a correlation between the change and a disruption in service.

 Treating Contact Center Security Like Any Other Application

 One of the biggest mistakes an organization can make is to not have the same security controls or posture in place for their contact center or CCaaS as they do for other applications. Contact centers have sensitive data needing protection, just like a CRM/ERP system or a database. With that in mind, organizations should take a defense in depth approach, incorporating the below minimum key elements for contact center or CCaaS environment: 

  • Proper physical controls
    These are controls that include security measures that prevent physical access to the IT systems that are part of the contact center. If leveraging a CCaaS solution, the managed service provider would be responsible for maintaining this and providing documentation detailing what physical controls are in place.

  • Proper technical controls
    Technical controls include security measures that protect network systems or resources the contact center or CCaaS solution utilize. This would include NGFWs, IPS, IDS, ACLs, etc.

  • Proper administrative controls
    Administrative controls are security policies or procedures directing the organization’s employees on using solutions, such as instructing users to label sensitive information as “confidential” within the contact center or CCaaS application.

  • Proper access control measures
    The appropriate access control levels should defined within the contact center or CCaaS solution. Access controls can be enforced by such solutions as zero trust, software defined perimeter (SDP), biometrics, 2-Factor Authentication, etc.

  • Endpoint protection
    Ensure ALL endpoints utilizing a soft phone or contact center/UCaaS application have endpoint detection and response/antivirus/advanced malware protection installed.

  • Security event monitoring
    Ensure that contact center security information and security events are being logged and correlated within a SIEM or MDR solution.

Implementing the above elements won’t make your customers’ contact centers invincible, but by taking a defense in depth approach, your customer can protect, detect, mitigate, and isolate an attack quicker, giving them greater control over threat actors.


John Romeo brings 25 years of experience and has worked with Fortune 100 companies to provide Unified Communications and Contact Center solutions that allow them to establish business continuity and improve business processes. He’s an accomplished Solution Architect, US Patent holder and his experience involves many years of Product Management, technical sales and design. You can reach John at or connect with him on LinkedIn.

An accomplished and seasoned security expert, Jim Bowers brings 20+ years of in-depth knowledge in engineering powerful security solutions. Having worked with notable companies in finance, healthcare, manufacturing, technology and more, he advises on complete security infrastructure, from assessments, vulnerabilities and risk management to phishing training/simulation, DDOS mitigation, endpoint protection and Managed SOC. You can reach Jim at or connect on LinkedIn.