Organisations which invest in modern digital technology specifically to protect their customers’ personal data, and which clearly and simply explain how it works, gain a clear competitive advantage over those that don't.
One of the key customer-facing business areas where this can be most clearly seen is in an organisation’s contact centre. Contact centres that have invested in advanced digital technology to facilitate and protect the human interaction have, in reality, wisely invested in their organisation’s customer care and customer experience programmes. How so?
By leveraging that technology:
Such contact centres and their owning organisations will be the clear business-winners and business-keepers of the future, far exceeding their rivals in the race for great customer service. It is well known that businesses which have strong market reputations for great customer care attract yet more clients, adding to their loyal customer base and, by so doing, increasing their revenues. The opposite is also true – disproportionately so, as bad news tends to spread faster than the good. Just ask anyone who has ever had their credit card details compromised as a result of simply speaking “the long number on the front of your card” into a phone at the request of a contact centre agent.
But people like talking with people. Given the choice between speaking with a human being and interacting with some “robotic automated intelligence”, I for one would always opt for the former. Consequently, I believe that when new digital technology is deployed in a business (especially in those parts which are directly customer-facing), that technology must be non-intrusive and must enhance the customer experience, appearing to work in the background whilst maintaining the humanity of the customer-call. Needless to say, the technology must meet your needs, produce consistent results, be totally reliable and give good “value for money”. Moreover, and where possible, the use of such technology should be widely known and recognised to be a “good thing” by the general public (e.g. the universal acceptance in Europe of “Chip and PIN” technology during face-to-face payment card transactions).
Given the need for the general public to know about “good things”, it is both surprising and horrifying to see that one particular outcome obtained in the recent Ultracomms survey (Ref. 1) is so very poor. A meagre 3% of customers were aware that using secure payment technology is the safest method of providing payment details over the phone. It would appear that the vast majority of customers just don't know what good looks like! This is a strong indicator that legislators, regulators and customer watchdogs have a lot more work to do to inform the general public about the risks to unprotected personal data and the benefits of using appropriate, effective and secure technologies for its protection.
Those organisations which have wholeheartedly taken on-board the mandate to “do the right thing” and protect their customers’ information are, nevertheless, faced with some significant challenges in doing so. This is particularly the case in the travel and hospitality sector. Below I have highlighted a number of the most pressing issues for travel and hospitality businesses when it comes to ensuring an adequate level of security is maintained throughout their operations.
Against each challenge, I have set out my recommendations for possible ways to mitigate that challenge:
| Challenge | Recommendation |
| --- | --- |
| Use of legacy IT can cause problems when implementing or integrating new technologies. For example: web chat needs to be integrated with the existing “full customer service”. [Link to Ultracomms Survey Finding: 29% of travel industry customers said web chat was their preferred method of contacting an organisation to ask for information, 25% said the phone.] | Review the points of integration from a “customer flow” viewpoint and prioritise for attention those which are clear customer bottlenecks. If direct technical connection between “old” and “new” systems is impossible, consider using “gateway” or “translator” intermediary systems to “liaise” between the two. Ensure that appropriate technical security measures act as effective wrappers around each system part. |
| Contact centre processes tend to be complex (sometimes involving: both front and back office work, phone-back scenarios, email exchanges and chat functions). [Link to Survey Finding: 20% of travel industry customers want less “passing on” and 18.5% want a faster service.] | Conduct a thorough review of all the contact centre processes and seek to simplify and rationalise them as much as possible (e.g. remove any duplicate work that is uncovered). As far as possible, seek to remove payment card data from the contact centre environment completely. Consider the use of anonymisation techniques to reduce the amount of customer personal data in the contact centre systems. |
| Contact centre staff frequently need access to the Internet to fulfil their customers’ requests and this can create a potential scenario for data leakage. [Link to Survey Finding: 41% of all customers surveyed made contact to get help and 49% to clarify or confirm information.] | Review the need for access to the Internet for contact centre agents. Seek to limit access to the Internet to only those specific sites, systems and functions that are strictly necessary for the business. Consider the local implementation of a store of “frequently requested information”. |
| Possible need to hold payment card numbers and other personal data in booking records. [Link to Survey Finding: 50% of travel industry customers who made a payment via the phone did not feel confident that their payment card details would be stored safely.] | This data must be protected under the UK Data Protection Act 2018 and the Payment Card Industry (PCI) Data Security Standard (DSS). Isolate the booking records and apply appropriate PCI DSS measures to protect the data (e.g. encryption, masking data during phone calls). |
| Loyalty schemes require the storage of significant amounts of personal data. [Link to Survey Finding: 18% of all customers surveyed wanted to know how the person contacting them got their details and 16% wanted to know why they are being contacted. 66% of customers said they did not give their consent to be contacted.] | This data must be gathered, stored, processed and protected in accordance with the UK Data Protection Act 2018. Ensure appropriate customer permission has been obtained to hold the personal data. Consider encryption or anonymisation techniques to protect the personal data. |
| Where contact centres have been outsourced, information security training for the contact centre agents is also often contracted out to, or assumed to be given by, the outsourcing company. Such security training may or may not be adequate. [Link to Survey Finding: 50% of travel industry customers who made a payment via the phone did not feel confident that their payment card details would be stored safely.] | Review the outsourcing contracts to ensure that the responsibility for security training is well-defined and understood by both parties. Review the security training provided to ensure that it meets (ideally exceeds) the minimum necessary (i.e. that it represents “good information security practice”). |
With the updated UK Data Protection Act (Ref. 2), which enshrines the European Union’s General Data Protection Regulation (GDPR), and the Payment Card Industry (PCI) Telephony Guidance (Ref. 3) both now firmly “front and centre” on the legal and regulatory stage, organisations should be motivated more than ever to deploy effective and customer-friendly protective measures. Such security measures will include: appropriate masking of personal data during financial transactions made over the phone, encryption of databases which store customer information and extensive data protection training of all staff who handle customer data.
From a customer experience viewpoint, there is an even greater driver for organisations to make every effort to comply with data protection legislation and regulation, which is to win and keep new customers, especially those of the younger generation.
References:
Director, Phyonis Limited.
Email: info@phyonis.com
Philip is an independent payment card security and InfoSec consultant who has worked extensively across industry, including the airline, finance and telecoms sectors. Philip was a member of the PCI Security Standards Council (SSC) Board of Advisors from 2011 to 2018.