It’s perhaps an understatement to say that we live in changing times. We are adjusting to a post-Covid work and consumer environment, as well as being mindful of increased costs and the changes they bring to how we prioritise our decision making. Whether at work or home, the decisions we make over these summer months are going to significantly influence how we cope as nights draw in and the cold sets in.

One of the most significant benefits of my role in Contact Centre Panel is lifting the bonnet on so many contact centre tech’ organisations, allowing me to engage with both gifted engineers and committed business leaders. That insight gives me hope and a huge amount of reassurance that whatever efficiency or cost challenges we face, there is a team of people out there with a technology solution that we can build a business case around. As a result, I think that the problem we should be trying to solve is one of faith and belief that in the context of work, there is a technology solution out there that will make our lives easier, more efficient, more rewarding and more profitable.

The limiting factor of course is always time and reshuffling our priorities to find that time. That’s hard when our roles require us to support people, tasks and stakeholders. It’s often the case that when we are most stressed, we find it hard to reach out for help, to take the time to take a breath and consider the alternative. When I think of my own experiences as a full-time sportsman (many, many years ago) I was exposed to specialists, scientists mostly, that helped my decision making, especially under stress. Whilst my stresses today may not be entirely sports related (although I do my best to try), the lessons learnt from those times were always about narrowing the focus and trusting our own decision making.

That said, there was always one caveat. Be strong enough to know that help was there and trust that no one would think badly of us if we ask for help.

So, with the exception of Apple who remain firmly focused on the provision of stylish and functional computing and communication hardware as well as consumer payments services, four of the Big 5 global tech’ companies are now in a position to help organisations (irrespective of purpose, size or location) to directly support their customers.

For those of us who still remember copper wires and tin boxes with flashing lights, stored in purpose-built rooms with locked doors (usually propped open to keep the places cool), this year may well be remembered as the year that heralded the beginning of ‘the big change’. The moment when the planet’s largest and most influential infrastructure, software and communication companies began the battle to manage and add value to the entire customer data journey.

Why do I think that?

Well, simply consider the global positioning of any of those Big 5 tech’ giants in the customer management and contact centre space. The super mature Microsoft with its ever-evolving desktop applications, cloud infrastructure, messaging and communication platforms. Amazon provides global data services and, since March 2017, has been offering its own successful CCaaS application. Then the new entrants. Google with their global cloud offering, now with its own global comms and contact centre AI platform. We also have Meta, who, according to phone.com, have provided the world’s top 4 downloaded apps of the last decade (Facebook, Facebook Messenger, WhatsApp and Instagram), arguably making them the world’s largest human interaction business, finally acquiring Kustomer, the successful contact centre desktop unification application.

Behind these giants there is also activity. The continued success of Twilio as a seamless global comms platform and customer engagement application builder. Then there is the ambitious Zoom: having failed to acquire global UCaaS and CCaaS provider Five9 back in October last year, they launched their own contact centre application as soon as February, with a European launch planned for some time soon.

Whilst the beginning of ‘the big change’ may be super exciting for any organisation on the planet who has customers to manage, for the old tin box manufacturers and the world’s established, historically copper-based telcos, the competitive environment looks just a little bit harder. In the context of ‘the big change’, what I read into that is innovation and change, certainly the prospect of collaboration and consolidation to deliver that. The collaboration plans of Genesys as a long-time global leader will be interesting to see play out, particularly with Zoom and Salesforce as investors in the Dec 2021 funding round.

Having lifted the bonnet of nearly 100 contact centre technology solutions and specialist applications since October 2019, when we began building the Contact Centre Panel Technology Network, we have seen some fantastic technologies and some great innovations. I am absolutely convinced we will continue to see more. We live in exciting times. Let’s see where ‘the big change’ takes us.

For the inside track on ‘the big change’ and what this means for your organisation, get in touch.

When Robert Leiderman first published ‘The Telephone Book’ in 1990, the pages led the reader through a journey of structure, process and measurement and supported that narrative with sound marketing principles such as Millington’s 4 Leverage Points.  

‘The Telephone Book’ defined and scoped the effective use of the telephone as a business tool and set the framework for the development of call centres in the 90s.

The operating models so eloquently described by Leiderman, based on evidence accumulated through his work in the US with Simon Roncorroni, positioned the telephone as part of the customer communication process and were quick to highlight its weaknesses as a stand-alone communication tool. Working alongside data specialists driving voice contact, direct mail responses and brand development across print, TV, outdoor and radio, voice responses could begin to put more measurement around the brand orientated ads through the addition of phone numbers. This methodology, pioneered and developed by David Kyffin of Adlink, and later of Greys, focused on aligning response volumes with the ability of the call centre to answer the call, effectively putting CX above the volume of leads.

Fast forward thirty years and we now have a bigger response media toolbox, which provides greater transparency and measurement of data flows. That toolbox includes new solutions capable of augmenting the human component of customer interaction, making customer engagement design much more complex and dependent (as Robert Leiderman so clearly stated) on robust measurement and understanding.

With so much technological innovation out there it’s easy to be distracted by the variety of available options. Now is the time to get back to basics and spend more time acquiring a deeper understanding of existing data flows and less time being amazed by the sexiness of ‘modern tech’.

If you would like further information contact us.

On the 31 March 2022, the Payment Card Industry Security Standards Council officially announced the publication of v4.0 of the PCI DSS. In this article, we look at the declared goals of v4.0 and the key changes from the current version of the standard.

Three points to make upfront. Firstly, the PCI SSC has made this a big document. At 356 pages there are an additional 217 pages of guidance including the PCI SSC glossary, which makes the document much easier to use. Secondly, it has taken time for the document to be globally released, since first being announced in late 2017. Yes, Covid has been a factor, but so has the SSC’s objective to make this document inclusive. By reaching out to the secure payments community not once, but three times, receiving over six thousand items of feedback from 200 plus organisations, the document adds flexibility whilst focusing entities on what is required to keep card data secure. Finally, the current version of the DSS, v3.2.1, will not be retired until March 31 2024, so there is a long transition period.

Goal 1 – Ensure the standard continues to meet the security needs of the payment industry

Released at the same time as v4.0 is a Summary of Changes document. This lists 64 new requirements, 11 of which just apply to third-party service providers. Whilst the secure payments community will always be playing catch up, the DSS certainly makes the effort to align to the current threat landscape, even though 51 of the new Requirements are not ‘effective’ until 31 March 2025.

Goal 2 – Add flexibility and support for additional methodologies to achieve security

As well as continuing with the ‘Defined’ approach with ‘Compensating Controls’, v4.0 introduces the ‘Customised’ approach. This is a new method to implement and validate PCI DSS requirements where entities demonstrate that they meet the intent of the DSS and can ‘adopt’ their own testing procedures, signed off by their Qualified Security Assessor (QSA) and acquirer.

Goal 3 – Promote security as a continuous process

In v4.0 this has been made a priority to dispel the notion that PCI DSS compliance is a once-a-year tick box exercise, much like an MOT. Whilst ‘roles & responsibilities’ has only two mentions in the current version, each of the 12 core requirements now has headline text that states “Roles and responsibilities for performing activities in requirement x are documented, assigned and understood.”

Goal 4 – Enhance validation methods and procedures

Whilst much of this goal is achieved by the introduction of the ‘Customised’ approach, we can see through the new supporting documentation for external auditors (QSAs) increased alignment between information reported in a Report on Compliance and information summarised in an Attestation of Compliance. We expect to see more when the new Self Assessments are released in Q2.

So, in summary, a really helpful document that we have time to consider. Certainly the ‘Customised’ approach should prompt ongoing conversations, especially around the additional time, costs and effort involved for all stakeholders in agreeing to testing procedures, especially when it comes to sign off and liability in the event of a future data compromise. Food for thought!

With homeworking becoming a daily reality for many workers who had traditionally been based from the office, the parameters by which businesses need to be managed and protected have changed.

From early on in the pandemic, most large organisations have made it possible for their staff to work from home, only visiting the office when necessary. Although this new flexible way of working has had many benefits, it has also led to a far wider variety of data security and personal health risks across the distributed workforce.

A recent BBC article highlighted the main cybersecurity issues, although none of them comes as a big surprise. The most interesting facts and statistics were:

In addition to this, many organisations that have successfully moved their workforces into the home, after adapting or redesigning their business processes and corporate systems to enable productive working, are up against a potential legislative ticking time bomb in relation to remote workplace safety.

Where there’s blame…

The UK claims industry has not had an easy time of it recently. With only a few exceptions, the door is now firmly shut for PPI claims and planned changes to the whiplash claims process will further curtail revenue opportunities.

What is next for the claims sector? Will it be class actions against companies by groups of employees who have been forced to work in unsuitable home environments?

While the home environment has, before 2020, been the homeowner’s domain, it is now the workplace. Any accidental damage caused by trailing cables, poorly placed computers, unsuitable seating might now fall on the employer to address. Then add to that the potential mental damage caused by having to balance work and family commitments within a confined space. The claims industry could have a field day!

What should your business be doing about it?

It is essential your business acts now and puts your company in a defendable position.

The failure of organisations to fully document a ‘risk assessment’ against not being able to meet your organisation’s obligations under the Data Protection Act 2018 and the Health and Safety at Work Act 1974 may not be an easy position to defend.

Both these pieces of legislation make very clear what an organisation’s responsibilities are for them to comply with the Act and keep both data and people safe.

Recording decision making actions, particularly at Board level, that are reasonable, proportionate and timely will help create the defendable position that insurers will look for when defending a potential claim.

Do not believe for one minute that the claims industry are not preparing themselves for this and do not think that your organisation is immune. Ensuring that your organisational risk documentation is complete and that words and actions are aligned to what could be considered a reasonable timeline, will be essential components of a defendable position.

Help your team to work with you

In short, homeworking is here to stay. Businesses have shifted and employees have become accustomed to the ‘new norm’. However, it’s not plain sailing yet as mistakes are being made and so far, most organisations are getting away with them. Don’t be the organisation in the first batch of ‘class actions’ because of lack of timely decision making and appropriate, proportionate and timely actions.

By working with your team to provide a safe and productive homeworking environment, with protected systems and structured support, your business can be a home-based success. Your team can grow and thrive, knowing what to do if problems occur and feeling supported in their work.

If you’re unsure how to assess the risks posed by homeworking and how to equip your business to deal with them, get in touch. We can advise you on what areas need to be considered and how to mitigate risk. We can also provide tips on how to work with your staff to maximise their health, happiness and productivity.

With tight restrictions being enforced across the UK and businesses trying to maintain performance, homeworking has once again become a daily reality. In this article, we ask how can your business create a genuinely safe, secure and flexible work environment for its teams so they can flourish and achieve wherever they work?

The accelerated move to homeworking

The Covid response forced many contact centres into having to rapidly adopt the homeworking Contact Centre model. As a concept homeworking is nothing new, with around 13% of the UK’s workforce based from home prior to the pandemic. What has been new is the volume of homeworkers and the proof that the concept could really work at scale for contact centres.

The foundations for success

Before Covid struck, global digital transformation with the parallel transition to cloud-based technology platforms was already creating the foundations on which truly flexible working arrangements could be built.

The WFH model is proven, with a strong set of benefits including improved flexibility for team members, less reliance on large offices, reduced impact of forced changes (including pandemic lockdowns!), the potential for improved staff loyalty, faster communication and rapid response to market and demand fluctuations. While there are some challenges, the benefits outweigh the drawbacks for most Contact Centre organisations.

Growth of cloud-based businesses

Adopting cloud platforms and tools can be much easier than their site-based predecessors. Capital costs are usually much smaller or absent; expensive tailored development is minimised; implementation can be tested and delivered in parallel and as a result, the capability of following a more rapid ‘Test – Analyse – Improve – Implement’ model vastly reduces the risks of system failure.

Scaling these technologies up to a whole-business level, when implemented correctly, can deliver huge benefits whilst supporting the need to keep personal data secure.

On the other hand, not having the appropriate technologies in place to support people, processes and performance whilst maintaining data security and corporate governance obligations can be problematic and lead to serious risks.

The risks of getting it wrong

In the fast and forced Covid-19 response, organisations will have opened themselves to risks without necessarily having the knowledge or tools to deal with them. While most businesses have now successfully moved to a WFH model, at least in part, how many have done this in a truly planned way?

To ask a specific question, how many have implemented WFH knowing that their organisation is compliant with the Data Protection Act 2018? Have you?

Compliance is just one issue with serious consequences, but there are more which need to be considered.

Cyber attacks and cyber fraud are now considered among the top 5 global business risks. Cybercrime is a huge, State-sponsored, organised business sector. Hidden marketplaces for valuable data are maturing, with SLAs for data validity offered by the criminals who work very professionally to obtain good quality stolen information. Alongside this, 2019’s IBM Security & Ponemon Institute Report into security found that on average it took 243 days to identify data breaches. That is a lot of time for stolen data to be in circulation before any action is taken to make data more secure or to enable individuals to take action with their own data.

Telephone payment risks

Taking payment details over the phone is an apparent and immediate commercial risk. Moving this to home-based workers multiplies the probability of that risk becoming an incident.

By listening to card data over the phone, your organisation becomes exposed to fraud-related chargebacks, higher transaction charges and PCI compliance failures.

As far back as 2011, DCI Derek Robertson of Strathclyde Police identified a simple problem: “We know of organised crime groups who are placing people within the call centres so that they can steal customers’ data and carry out fraud and money laundering. We also know of employees leaving the call centres and being approached and coerced, whether physically, violently or by being encouraged to make some extra money.” Allowing people to listen to payment data, in the office or especially at home, puts your business at risk.

How can you systemically reduce risk to protect your homeworkers?

To make our colleagues more secure we need to remove the possibility that they can be compromised. We need to take the temptation of fraud away, not to implement security measures which make them feel like they are criminals. By supporting them, we make it easier for them to have meaningful, useful and positive communications with our customers.

In short, removing card data from your agents’ voice interactions with customers removes most of the opportunity for fraud. Your agents may still be approached to sell data, or coerced in some other way, but their absence of exposure to the valuable data will massively reduce their vulnerability.

If your Contact Centre takes payment details, take a very critical look at how this information is taken and processed. Are you confident that your processes are compliant with the relevant industry standards? If you are not sure how the PCI DSS applies to your organisation, talk to us today. We can help you to assess your risks and avoid potential problems in the future.

The most important steps to take now

The World Economic Forum has identified the ‘three most worrisome risks’ for companies over the next 18 months. These are:

  1. Prolonged recession
  2. Surge in bankruptcies
  3. Cyberattacks and data fraud

The first two phenomena are largely outside our organisational control; we must adapt to them and if we are successful we will survive beyond the effects of the pandemic. However, the third is driven by the first two: reduced opportunities to earn will force an increase in illegal behaviour and the involvement of our employees in that behaviour.

So as a business, you must mitigate this risk. You can do this by protecting your staff from exposure to the information that criminals want.

1. Change your risk and fraud profile

There is already regulatory pressure to put risk-management processes into law. However, rapid action to improve your own exposure to risks will not only make your staff more secure but will give your business a competitive advantage.

2. Put data governance and security on the Board agenda

GDPR was passed into law in 2016 and has applied since 2018. However, 2020 has changed many business processes and data protection may already have suffered enormously. Make sure you are aware of your organisation’s risks, not just of non-compliance but of potential data breaches. Moving payment data outside your voice conversations not only protects your customers, but it makes your employees safer too. Remove this opportunity for criminals to look for data in your organisation.

3. Analyse your WFH arrangements

Working from home is now a critical part of your business model. Do not treat it as a temporary measure, or outside the scope of your business analysis. It is possibly the part of your operation which carries the greatest probability, and the greatest consequences, of a breach of customer and/or payment data.

By keeping your people safe and your data secure, your business will cope better with the realities of working beyond 2020. Implementing the systems and processes which facilitate this requires planning and thought but, most of all, it requires achieving the right balance between customer experience, costs and risk. Make sure that balance is in your favour.

If you would like to understand the options and the advantages in more detail, talk to us here at CCP. We have a team of contact centre experts who can advise you. We can help if you need it, or we can reassure you if your organisation is ready to move ahead in the post-pandemic world.

Contact centres, call centres and telemarketing agencies are under pressure right now to get their houses in order when it comes to the security of sensitive customer data. Under normal circumstances, the telecoms and IT systems that enable agents to handle calls, emails, chats and social communications are protected within the secure corporate perimeter. Covid-19, however, has forced a rapid exodus from physical offices and agents are working remotely on devices, many of which are not suitable for combating cyber crime.

Lockdown happened quickly and for insurance and banking contact centres, still heavily dependent on legacy systems, the remote working model is not generally supported. This has meant that all too many of their agents have been using laptops, tablets, home PCs and personal smartphones that have either no up-to-date security, or software that is not designed to protect customer data, therefore compromising organisations’ obligations under the DPA 2018 and the PCI DSS.

Cyber criminals have seized the opportunity

Research from numerous security organisations and government agencies confirms the rise in cyber crime activity since March and for companies holding digital data on customers, there will have been a higher than average likelihood of being hit.

Attacks have come in a variety of insidious ways from phishing and ransomware through to key logging, which is malware that tracks every key as it enters the system. Human fallibility is a factor in whether these attacks succeed, however, it is endpoint devices – laptops and smartphones for example – that put companies and their data most at risk. According to the 2019 Endpoint Security Report, 70 per cent of cyber breaches originate at the endpoint, and 42% of endpoints are unprotected at any given time. When it comes to smartphones, the risk is not so much malware, but data leakage, but regardless of how the breach happens, once a customer’s personal data is exposed, there are serious implications for those involved.

Working within the PCI DSS requirements

There is an additional pressure for organisations taking card payments, who are obliged to meet the Payment Card Industry Data Security Standard (PCI DSS). This protects customer credit card data over landlines, mobile phones, through Chat or use of apps. Contact and call centres use processes and technologies to manage this, ensuring that wherever agents process cardholder data, the transactions are monitored, logged and secured; however, the supporting processes and technology are within their physical estates.

Not every organisation is fully meeting its PCI DSS obligations, and adherence has become more sporadic over the last few months, but the contact and call centre industry needs to take this seriously. Any chink in their armour could result in data being stolen within seconds. While compliance to the PCI DSS is a contractual obligation with the acquiring bank, payment card data is treated by Data Regulators as personal data. This means that in the event of a data compromise organisations should expect payment card scheme penalties (up to €18.00 per card exposed) as well as fines from the Information Commissioner’s Office (ICO) and the potential of unlimited ‘class actions’ from card holders. As payment card data is more attractive to criminals than other common forms of personal data, having card data present in unsecured systems represents a significant risk, and as data breaches are commonly reported, there is the potential for serious brand and reputation damage that no company would welcome. All the more reason, therefore, for agents working remotely to be equipped with technology that protects them and their customers, and this includes secure endpoints.

Put in place comprehensive protection of data

Remote working is likely to continue for the immediate future, so the smartphones, tablets, home PCs or laptops that are being used by agents to process and access customer data should have, at the very least, the same security posture as the managed devices that reside within the company perimeter. This includes making sure that SaaS applications are isolated or ‘containerised’ from any potentially compromised unmanaged machines or endpoints.

The vulnerability of endpoints means that solutions have to specifically protect data entry, particularly into remote access apps, web browsers and Microsoft Office applications. Browsers that access the corporate network should be locked down, including URL whitelisting, enforced certificate checking and enforced https.

Whilst this is a comprehensive approach, it is neither time-consuming nor costly. A simple download and install from pre-configured software will provide an effective and rapid resolution to the threat. Call centre IT managers can select proven anti-key logging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing customer credentials, payment and sensitive personal and credit card data, and be sure that they are compliant with PCI.

Covid-19 is no longer an excuse for sub-standard service

As we begin to get back to a ‘new normal’, banks and insurance company customers will be looking for the highest standards from their financial services providers, regardless of whether the agent they speak to is working in a physical call centre environment, or at home. Covid-19 will no longer be an acceptable reason for not delivering a secure, compliant service. The contact centre industry must address areas of weakness and put in place the necessary procedures so that agents and customers can be confident that they, and their data, are fully protected.

Need help protecting your customer data?

If you would like to know more about the technologies that are available to help protect your customer data, the team at Contact Centre Panel can help. We have built a technology network to help businesses to source the ‘right fit’ providers, who can best meet their needs. This is a free of charge service and includes expert advice and guidance from our technology experts.