How to retain customer’s trust: the importance of compliance
October 2015 | EXPERT BRIEFING | RISK MANAGEMENT
Consumer trust in a business has never been so critical. Take, for example, the recent hack on Ashley Madison, which saw customer data stolen from its 37 million users, leaving patrons’ details exposed and the business’s reputation in tatters. This news demonstrates the need for customers to feel confident that their financial and sensitive details are safe when parting with them over the phone and online. The bottom line is that if the public does not trust your brand, they aren’t going to give you their custom.
Coupled with the fact that upcoming changes to the European General Data Protection Regulation will provide uniformity of data protection laws across all 27 EU states, businesses need to act now to educate customers on the security surrounding remote payments. They also need to review their PCI compliance in order to protect consumer data and avoid fines of up to $100,000 per month under the new EU Data Protection Law set to arrive in 2017. Those that fail to do so could cause irreversible damage to brand reputation and lose customer trust, halting the growth of the entire business. This is the worst-case scenario, and it can certainly be avoided. Looking at the industry today, however, it appears some businesses still have a long way to go to gain this trust.
In fact, according to our recent survey of 2,000 UK consumers, 97 percent of consumers don’t know what happens to sensitive information they give to call centre operatives over the phone. When asked to describe what happens, over a third (36 percent) stated they had no idea, and almost two-thirds (61 percent) incorrectly identified what information operatives have access to and how it is stored.
Consumers also have significant insecurities about how financial information is handled, despite technology existing to guard against criminals online. Forty percent stated they are not confident their payment details are secure from being hacked by cyber criminals, and 30 percent are scared operatives can secretly record their information elsewhere. This is just another reason for customers not to want to hand over sensitive financial information.
But where do these insecurities derive from? The simple answer is a lack of compliance. Widespread adoption of compliance would provide a more transparent and trustworthy relationship between brands and customers.
Moreover, the scale, frequency and evolution of security threats mean that consumer confidence in the ability of businesses to store their data securely has taken a huge hit. However, this does not need to be the case. By seeking specialist advice and guidance, organisations can ensure PCI compliance and thus the security of customers’ information.
So how can businesses do their bit to make customers more receptive, while building long-lasting and trusting relationships? While there is no one-size-fits-all solution, there are a number of steps which businesses should follow to help ensure they are PCI compliant ahead of these changes, and in turn create a safe and transparent environment for customers.
PCI DSS compliant call recording
PCI compliance is mandatory for any business taking payments over the internet or on the phone, to minimise the risk of fraud – otherwise it’s the customer’s word against the business’s, or vice versa. In fact, the Financial Services Authority (FSA) requires all financial companies to record and store their telephone conversations. However, it is a violation to store any sensitive authentication data, including card validation codes and values, after authorisation, even if encrypted. Should companies be found to violate this, the penalties and fines could be enough to close a business down.
To safeguard against this, businesses must have in place a fully compliant PCI call recording system that satisfies all criteria outlined in the PCI DSS, as well as regulations from the Financial Services Authority. With such a system, agents neither hear nor see any sensitive information provided by the customer, and that information is absent from stored or archived call recordings. The solution increases trust between the business and the customer. It also improves call handling and the overall customer experience by combining an intuitive IVR (Interactive Voice Response) system, which provides an automatic call journey for card payments, freeing up agent time for other tasks and thus increasing business efficiency.
Interactive Voice Response payment system
Research has found that 75 percent of consumers prefer talking to a customer service representative over the phone rather than online. This makes perfect sense – for customers, a quick phone call eliminates waiting time and solves the problem there and then. However, with this comes the need for increased customer support and, with more agents involved in the payment process, the worry of non-compliance.
Using a state-of-the-art IVR payment system enables customers to make payments without the need for an agent, or the need to store credit card details, making the transaction 100 percent PCI compliant. It also provides a competitive advantage with the ability to take hundreds of payments an hour, 24/7, making the business more accessible to existing or potential customers at a lower overall cost to the business. This again frees up call centre staff to focus on other servicing issues, eliminating on-hold times and reducing staff errors.
PCI compliant hosting
When making payments over the phone, safety and trust are understandably top priorities for consumers. This means a data breach can be catastrophic to a business’s reputation. Imagine calling a company, handing over your details, and having those details stolen. You would feel it was the business’s duty to help. However, with no record of the conversation, you could be left to pick up the pieces.
Accordingly, when becoming PCI compliant, businesses must protect not only credit card data, but also sensitive customer data in general. A recent example of why this matters is cyber criminals targeting Apple Pay call centre operatives in an attempt to commit fraud.
To combat this, a Unified Threat Management security platform can protect any distributed network with the fastest security technology on the market, including next generation firewalling, IPS, Data Loss Prevention, app control and vulnerability management, ensuring the business isn’t a target for cyber criminals. Customers can then spend confidently and the business can keep its reputation intact.
PCI – data governance
A data governance solution allows organisations to keep pace with data, manage access entitlements efficiently and effectively, audit access to every file and email event, identify and involve data owners, and find and classify sensitive and business-critical data. This ensures data governance policies are in place and adhered to.
In the case of PCI, it is important to protect not only databases, but file shares as well. Customers can then rest easy knowing that their details are secure, and out of reach of curious members of staff. When file shares contain any of the PCI-designated sensitive information, organisations need to audit access to these shared networked resources as part of their PCI compliance efforts.
Understandably, there is no one-size-fits-all solution. Compliance levels depend on the size and nature of a business, and knowing where to start can prove a daunting task due to ever-changing rules and regulations. What is clear is that businesses need to seek expert advice on deploying the right solution ahead of the new EU legislation, helping them become and remain PCI compliant. By doing so, they can have the peace of mind that they will not be handed a fine which would halt future business growth, not to mention the irreversible damage it can do to a brand’s reputation.
Matt Newing is the founder and chief executive of Elite Telecom.
© Financier Worldwide