By Matt Newing, CEO at Elitetele.com
Consumer trust in a business has never been so critical. Take the recent hack on Ashley Madison, for example, which saw customer data stolen from its 37 million users, leaving patrons' details exposed and the business's reputation in tatters.
This news demonstrates the need for customers to feel confident that their financial and sensitive details are safe when parting with them over the phone and online. The bottom line is, if the public does not trust your brand, they aren't going to give you their custom.
Coupled with the fact that upcoming changes to the European General Data Protection Regulation will provide uniformity of data protection laws across all 27 EU states, businesses need to act now to educate customers on the security surrounding remote payments. They also need to review their PCI compliance in order to protect consumer data and avoid fines of up to $100,000 per month under the new EU Data Protection Law set to arrive in 2017.
Those that fail to do so could cause irreversible damage to brand reputation and result in loss of customer trust, halting the growth of the entire business.
According to a recent survey of 2,000 UK consumers by Elitetele.com, 97% of consumers don't know what happens to sensitive information they give to call centre operatives over the phone. When asked to describe what happens, over a third (36%) stated they had no idea and almost two thirds (61%) incorrectly identified what information operatives have access to and how it is stored.
Consumers also have significant insecurities about how financial information is handled, despite technology existing to guard against criminals online. Forty per cent stated they are not confident their payment details are secure from being hacked by cyber criminals, and 30% are scared operatives can secretly record their information elsewhere. This is just another reason for customers not to want to hand over sensitive financial information.
But where do these insecurities derive from? The simple answer is a lack of compliance. Widespread adoption of compliance would create a more transparent and trustworthy relationship between brands and customers.
So how can businesses do their bit to make customers more receptive, while building long-lasting and trusting relationships? While there is no one-size-fits-all solution, the following steps will help any business to ensure it is PCI compliant ahead of these changes, and in turn create a safe and transparent environment for customers:
1. PCI DSS Compliance Call Recording
PCI compliance is mandatory for any business taking payments over the internet or on the phone to minimise the risk of fraud — otherwise it's the customer's word against the business's, or vice versa. In fact, the Financial Conduct Authority (FCA) requires all financial companies to record and store their telephone conversations. However, it is a violation to store any sensitive authentication data, including card validation codes and values, after authorisation, even if encrypted. Should companies be found to violate this, penalties and fines could be enough to close a business down.
To safeguard against this, businesses must have in place a fully compliant PCI call recording system that satisfies all criteria outlined in the PCI DSS, as well as regulations from the Financial Services Authority. By doing so, agents don't hear or see any sensitive information provided by the customer, and the information remains absent from stored or archived call recordings. The solution increases trust between the business and the customer. Combined with an intuitive IVR (Interactive Voice Response) system, which provides an automatic call journey for card payments, it also improves call handling and the overall customer experience, freeing up agent time for other tasks and increasing business efficiency.
2. Interactive Voice Response Payment System
Research has found that 75% of consumers prefer talking to someone over the phone rather than online. With this comes the need for increased customer support and, with more agents involved in the payment process, the worry of non-compliance.
Using a state-of-the-art IVR (interactive voice response) payment system enables customers to make payments without the need for an agent, or the need to store credit card details, making the transaction 100 per cent PCI compliant. It also provides a competitive advantage with the ability to take hundreds of payments an hour, 24/7, making the business more accessible to existing or potential customers with lower overall costs to the business. This again frees up call centre staff to focus on other servicing issues, eliminating on-hold times and reducing staff errors.
3. PCI Compliant Hosting
When making payments over the phone, understandably, safety and trust are a top priority for consumers. This means a data breach can be catastrophic to a business's reputation. Imagine calling a company, handing over your details, and having those details stolen. You would feel it was the business's duty to help. However, with no record of the conversation, you could be left to pick up the pieces.
For this reason, when becoming PCI compliant, businesses must protect not only credit card data, but also sensitive customer data in general. A recent example of this is cyber criminals targeting Apple Pay call centre operatives in an attempt to commit fraud.
To combat this, a Unified Threat Management security platform can protect any distributed network with the fastest security technology on the market, including next generation firewalling, IPS, Data Loss Prevention, app control and vulnerability management, ensuring the business isn’t a target for cyber criminals. Customers can then spend confidently and the business can keep its reputation intact.
4. PCI — Data Governance
A Data Governance solution allows organisations to keep pace with data, manage access entitlements efficiently and effectively, audit access to every file and email event, identify and involve data owners, and find and classify sensitive and business-critical data. This ensures Data Governance policies are in place and adhered to.
In the case of PCI, it is important to protect not only databases, but file shares as well. Customers can then rest easy that their details are secure, and out of reach of curious members of staff. When file shares contain any of the PCI-designated sensitive information, organisations need to audit access to these shared networked resources as part of their PCI compliance efforts.
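The two technical requirements this article returns to, in sections 1 and 4, are that sensitive authentication data (card validation codes) must not survive in stored call recordings or transcripts after authorisation, and that file shares must be audited for card data. The following is an added example of one way to discover both, written for this article and not code from Elitetele.com or from any product it describes: a small scanner that looks for candidate card numbers, keeps only those that pass the Luhn check (which suppresses ticket and phone numbers), looks for labelled card validation codes, and reports each finding with the card number masked so the report itself does not become a new store of cardholder data. The file paths, transcript and CSV contents are constructed sample data, and the card numbers are the widely published test numbers, not real cards.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labelled card validation code (sensitive authentication data). Only a label
# followed by 3-4 digits is treated as a hit, to avoid flagging every short number.
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code|card (?:verification|validation) (?:code|value))\b"
    r"\s*[:=]?\s*(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; the report must not store full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str   # file or recording the hit came from
    line_no: int
    kind: str     # "PAN" (card number) or "SAD" (sensitive authentication data)
    masked: str   # masked value safe to put in an audit report


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text blob (transcript, CSV export, log) for PANs and labelled CVVs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, "PAN", mask_pan(digits)))
        for _ in CVV_RE.finditer(line):
            # Never record the code itself, even masked: its presence is the finding.
            findings.append(Finding(source, line_no, "SAD", "***"))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, in the order given."""
    results = []
    for path, content in files.items():
        results.extend(scan_text(path, content))
    return results


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Count findings per source and kind, e.g. {"path": {"PAN": 1, "SAD": 1}}."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f.source][f.kind] += 1
    return {src: dict(kinds) for src, kinds in summary.items()}


# Constructed sample data: a call transcript that kept the card details after
# authorisation, a finance export on a file share, and an unrelated asset list
# whose 13-digit serial and 11-digit phone number must not be flagged.
SAMPLE_FILES = {
    "calls/2016-03-01-agent7.txt": (
        "Agent: thanks, can I take the long number on the card?\n"
        "Caller: 4111 1111 1111 1111\n"
        "Agent: and the three digits on the back?\n"
        "Caller: CVV 123\n"
    ),
    "shares/finance/refunds.csv": (
        "ticket,card,amount\n"
        "1234567890123,5500-0000-0000-0004,49.99\n"
    ),
    "shares/it/asset-register.csv": (
        "serial,phone\n"
        "1234567890123,0161 496 0000\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

Running the block reports the transcript twice (a card number on line 2 and a validation code on line 4) and the refunds export once, while the asset register produces nothing because its serial fails the Luhn check and its phone number is too short. A SAD hit in a recording or transcript is the violation the article describes, since that data must not be retained after authorisation even when encrypted; a PAN hit on a file share is the signal that the share needs the access auditing described above.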
Understandably, there is no one-size-fits-all solution. Compliance levels depend on the size and nature of a business, and knowing where to start can prove a daunting task due to ever-changing rules and regulations. What is clear is that businesses need to seek expert advice on deploying the right solution ahead of the new EU legislation, helping them become and remain PCI compliant. By doing so, they can have the peace of mind that they will not be handed a fine which will halt future business growth, not to mention the irreversible damage it can do to a brand's reputation.