Callzilla recently renewed our certifications for the year, which is an accomplishment to brag about! PCI, Soc 2 Type II, CCPA, and HIPAA certifications… check, check, check, and check. We’d love to celebrate with you, but you may be thinking… that’s great, but what does that mean??
This is a great opportunity for us to celebrate our hard work, while also explaining how exactly our team keeps your customers and their data safe.
PCI DSS (Payment Card Industry Data Security Standard)
Perhaps the most common certification, this is important if your contact center is collecting credit card information from your customers. Referred to as PCI for short, it’s an industry standard designed to make it safer to use credit cards online by making sure that business collecting credit card data transmit and store it securely. If you keep your systems secure, customers can trust you with their sensitive payment card information. As the Security Standards Counsel enhances its requirements, Callzilla renews their certification to ensure the standards are up to date with best practices.
How exactly does PCI help protect your customers’ data against theft? Here are the 3 steps provided by PCISecuritystandards.org:
- Assess — identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
- Repair — fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
- Report — documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
SOC 2 Type II (System and Organization Controls)
System and Organization Controls (SOC) is a suite of service offerings in connection with system-level controls of a service organization. SOC helps users to assess and address the risks associated with an outsourced service. There are different levels and types, but Callzilla specifically holds the SOC 2 Type II certification.
SOC 2 follows a series of Trust Services Criteria (TSC). These control criteria are used to evaluate and report on controls over information and systems within your company or outsourcer. These are the TSC categories:
- Security- Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability- Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity- System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality- Information designated as confidential is protected to meet the entity’s objectives.
- Privacy- Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
The one key difference between SOC 2 Type I and Type 2 is the time period of the report. Type I attests to the control factors at a certain period of time, whereas Type II is an attestation over a period of at least 6 months. Both report on the description of controls provided by management and attest that they are properly designed and implemented, but Type II also attests to the operating effectiveness of those controls.
CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act was implemented in 2018 to give consumers more control over the personal information business collect from them. CCPA regulations were created as a guideline for the act, which are the guidelines that Callzilla adheres to. While only California residents have rights under the CCPA, these guidelines are widely implemented as a company policy.
The CCPA defines personal information as your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics. However, any publicly available information from government records (like professional licenses or property records) would not be protected under CCPA.
Rob Bonta, the Attorny General in California, summarizes the privacy rights as:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act is a federal law implemented in 1996 to specifically protect one’s sensitive health information. Under this national standard, this sensitive health information cannot be shared without a patient’s knowledge or consent.
Callzilla is HIPAA compliant, which means we adhere to the HIPAA Privacy Rule and Security Rule. The Privacy Rule safeguards protected health information (PHI) with a list of standards that address the use and disclosure of individuals’ health information. This covers healthcare providers, health plans, healthcare clearinghouses, and business associates.
According to the CDC, the Privacy Rule does not apply in these cases:
- When required by law
- Public health activities
- Victims of abuse or neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Functions (such as identification) concerning deceased persons
- Cadaveric organ, eye, or tissue donation
- Research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions
- Workers compensation
The HIPAA Security Rule protects a subset of that PHI, specifically any PHI received in electronic form. To be complaint, Callzilla complies with the following standards outlined by the security rule:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by our workforce
In summary, we respect and value our customer’s privacy. It’s important to us to reenforce these standards on a yearly basis, so we work hard to implement these practices company-wide to earn our certification renewals each year. If you have any questions on these standards and practices, feel free to contact us!