How Technology and AI Are Transforming Security in Contact Centers
The increase in frequency and intensity of cyber fraud—particularly the involvement of organized crime in stealing sensitive information from contact centers—forces us to find new ways to protect processes, transactions, and data.
There is evidence of organized crime participating in data theft. They pay agents twice their daily wage for each valid card detail provided, supply agents with recording and spying tools, invest in contact centers to extract additional information from two or more non-sensitive customer data points, and use bots to make automatic charges to multiple cards before they are reported or blocked.
Global security certifications are necessary but not sufficient to protect information and financial transactions. The only way to truly prevent fraud and data theft is to implement processes such as:
- Candidate screening
- Robots that listen and alert about abnormal behaviors
- Transactional IVRs to avoid human contact with sensitive data
- Speech and text analytics to analyze thousands of daily conversations for protocol breaches
- Complementing PCI-DSS and ISO 27000 physical and logical security standards
- Protecting all systems and internet access
The Key to Selecting, Investigating, and Evaluating Contact Center Candidates
The most important factor in any company is its people. Using AI to select and investigate candidates, along with multiple integrity and honesty tests based on their level of information access, discourages individuals or organizations planning to commit fraud—they will seek centers with less control and fewer risks.
It is essential to develop bots that not only ask initial questions and filter candidates but also verify information online using IMSS and CURP data to identify:
- Geographic location for commute times
- Criminal records via judicial databases
- Possible labor lawsuits through the Labor Bureau
- Salary and job tenure via IMSS
This ensures the accuracy of candidate information and reduces legal risk. After passing these filters, candidates should undergo tests according to the potential risk of handling sensitive data—from behavioral and axiological tests to iris-based polygraph tests for honesty.
Combined with strict monitoring protocols and consequences, these measures make individuals seeking to commit fraud abandon the process and move to less secure centers.
Real-Time Actions Supported by Robots and the Command Center
Traditional disaster recovery plans (DRP) with interconnected systems in high availability solve many issues if backup centers are located at least 100 km apart. However, national or global contingencies lasting longer than expected cannot be ruled out.
To ensure real operational continuity in a contact center, the following conditions should be met:
a. Implement robots that listen to conversations in real time and alert the command center when detecting prohibited words like expiration dates, birth dates, email addresses, passwords, etc.
b. The command center, connected to all operators, monitors performance and detects abnormal behaviors. For example, if average handling time (AHT) is consistently higher than the script allows, it may indicate repeated information requests and should be investigated.
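The two checks described in (a) and (b), as an added example that is not part of the original article: it scans already-transcribed turns for the prohibited data categories and flags agents whose handling time stays above the scripted limit. The regular expressions, thresholds, function names, and sample data are assumptions.

```python
import re
from statistics import mean

# Categories come from the article's list; the regexes are illustrative assumptions.
PROHIBITED = {
    "expiration_date": re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/\d{2}(?![\d/])"),
    "birth_date": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](?:19|20)\d{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "password": re.compile(r"\b(?:password|passcode)\b", re.IGNORECASE),
}

def scan_turns(call_id, turns):
    """Return alerts for the command center; the matched value is never copied."""
    alerts = []
    for index, (speaker, text) in enumerate(turns):
        for category, pattern in PROHIBITED.items():
            if pattern.search(text):
                alerts.append({"call": call_id, "turn": index,
                               "speaker": speaker, "category": category})
    return alerts

def agents_over_aht(handle_times, script_limit_s, min_calls=5, share=0.8):
    """Flag agents whose handling time is consistently above the scripted limit."""
    flagged = []
    for agent, times in sorted(handle_times.items()):
        if len(times) < min_calls:
            continue  # too few calls to call it a pattern
        over = sum(t > script_limit_s for t in times) / len(times)
        if mean(times) > script_limit_s and over >= share:
            flagged.append(agent)
    return flagged

# Constructed sample data (not from the article).
SAMPLE_TURNS = [
    ("agent", "Can you read me the expiry on the card?"),
    ("customer", "Sure, it is 08/27."),
    ("agent", "And your date of birth?"),
    ("customer", "14/03/1988, and my email is ana@example.com"),
    ("agent", "Please tell me your password so I can log in for you."),
]
SAMPLE_AHT = {
    "agent-01": [240, 255, 231, 262, 248],
    "agent-02": [410, 395, 402, 388, 420],
    "agent-03": [250, 600, 240, 245, 238],
}

if __name__ == "__main__":
    print(scan_turns("call-0001", SAMPLE_TURNS), agents_over_aht(SAMPLE_AHT, 300))
```

Alerts carry only the category, turn, and speaker, so the alert stream does not become a second copy of the sensitive data; agent-03's single long call is not flagged because the check requires both a high mean and a high share of over-limit calls.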
Speech and Text Analytics for Contact Center Security
Whether in real time or at the end of each day, speech and text analytics systems can process thousands of calls or text pieces in minutes to detect conversations outside the script. This enables early intervention and provides evidence for labor and criminal processes, which discourages improper practices among agents.
In addition to recommended measures (shown in black in Chart 2), additional actions (marked in blue) are required. A security committee should manage annual internal and external audits, regardless of written security policies.
Physical security must include metal detectors and one-on-one checks by security personnel to prevent access with cell phones or recording devices. Closed-circuit systems should enforce clean desk policies—no papers or storage devices. Platforms must cover the entire organizational environment and external contact points, with monitoring tools to immediately detect contamination, attacks, or abnormal access behaviors, ensuring protection against external threats and safeguarding clients.
This security framework must extend to all clients and suppliers interacting with the contact center.
Conclusions
The involvement of organized crime in data theft—impacting cyber fraud, finances, and corporate reputation—forces internal and external contact centers to make significant investments in technology and processes to minimize these risks.
Global certifications are a major step but insufficient given the scale of the problem. Security cannot be guaranteed without automated candidate screening to hire honest individuals. Without bots listening or platforms analyzing thousands of conversations online and offline, tokenization systems and transactional IVRs alone cannot detect agent misconduct.
PCI-DSS and ISO 27000 standards are important but must be complemented with additional infrastructure and processes to work effectively. Internal security should rely on protection and monitoring systems that shield the contact center from external attacks and theft, extending these measures to all external participants to ensure a comprehensive solution.
Security requires investments of time and money, but given the impact of fraud, misuse of information, or attacks on organizations, this internal investment or provider selection is unquestionable.