Is Your Customer Data at Risk? 4 Questions to Ask When Outsourcing E-Commerce Customer Service
Selecting the right customer service outsourcing partner is key to success. Cost and customer experience are likely at the forefront of your mind as you solicit support, but security should be just as high a priority in the decision-making process.
Cyber attackers are getting smarter, which means retailers also have to weigh risks more diligently than before when seeking partners, especially in making the decision to outsource customer service operations.
The retail industry leads the world in data breaches. In its latest data security report, a French tech firm found that 71 percent of retail organizations surveyed said they had suffered a breach at some point, and 39 percent were hit in the past 12 months. Neiman Marcus, J.Crew, and Macy’s have all fallen prey to hackers in recent years.
The reputational damage of a single cybersecurity attack can erode brand trust with your customers, resulting in lost sales. According to IBM’s Cost of a Data Breach Report, the average cost of a single data breach in the U.S. in 2021 was $9.05 million. IBM also reported a 10 percent increase in the average cost of a breach from 2020 to 2021, with a major factor being the vulnerabilities remote workers introduce into the workplace.
How does this relate to outsourcing customer service operations? The future of the customer service contact center is undoubtedly remote. In fact, research shows that the majority (67 percent) of contact center providers expect to maintain remote or hybrid work moving forward. The benefits of having remote contact center agents are significant across the board, but the security threats are real and must be addressed.
Before you bring on a business process outsourcing (BPO) partner to support your customer service operations, you should ask it the following four questions to ensure you’re not putting your customers, brand or business at risk.
1. Is your company PCI compliant?
The PCI Security Standards Council (PCI SSC) supports the development, enhancement, storage, dissemination and implementation of certain security standards for account data protection. PCI SSC is a global forum that was created in 2006 and is composed of representatives from leading credit card companies, including American Express, Discover, JCB International, Mastercard, UnionPay, and Visa.
If you’re planning to outsource your customer service operations, at a minimum, the BPO you select should be compliant with all PCI standards. Following the standards improves cardholder data security and reduces fraud. PCI SSC regularly updates the standards in response to industry feedback and emerging threats; your BPO should be doing the same.
2. How do you handle payments?
Speaking of payments, while following PCI standards holds the BPO accountable for protecting cardholder data, you should also dig a little deeper into the specifics of whether and how the company plans to store payment information.
A best practice for BPOs is to have a policy in place that doesn't allow customer credit card information to be stored in their systems. This ensures that if your BPO’s systems were to ever be breached, the customer’s payment and personal information wouldn't be vulnerable.
Given that many contact center agents are now working remotely, you should also consider how the BPO is protecting customer payment information in remote environments. For example, my company takes an added step of security to ensure we're protecting the customer’s payment information using a secure interactive voice response (IVR) system when processing customer payments over the phone. Instead of giving an agent their card number, customers are transferred to the secure IVR to enter card data using the keypad while the agent is placed on hold, never hearing or seeing customer payment details.
3. What about PII?
A customer’s credit card number isn’t the only customer data your partner should keep secure — what about other personally identifiable information (PII), like addresses, email addresses and phone numbers? A good outsourcing partner will handle all PII with great care.
For example, many third-party customer service vendors use a sentiment analysis tool to review calls with customers to ensure agents provide the highest level of service. Quality teams regularly use call transcripts to review agent performance — meaning they could have access to any PII data shared during the call. As a best practice in keeping customer data secure, your outsourcing partner should leverage technology to automatically redact any PII or payment information from the transcript and recording before it's reviewed by the quality team.
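The transcript redaction described above could look like the following sketch. It is an added example, not code from this article or from any vendor; the regular expressions, the North American phone format and the `[REDACTED-…]` labels are assumptions, and it covers transcript text only, not the audio recording.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American style phone numbers (assumption; extend for other regions).
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps long order numbers from being redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    return "[REDACTED-CARD]" if luhn_ok(digits) else match.group()


def redact(line: str) -> str:
    """Redact card numbers first, then e-mail addresses, then phone numbers."""
    line = PAN_RE.sub(_redact_pan, line)
    line = EMAIL_RE.sub("[REDACTED-EMAIL]", line)
    return PHONE_RE.sub("[REDACTED-PHONE]", line)


def redact_transcript(lines):
    """Return a copy of the transcript that is safe to hand to a quality team."""
    return [redact(line) for line in lines]


# Constructed sample transcript (not real customer data).
TRANSCRIPT = [
    "Agent: Can I confirm the email on the account?",
    "Customer: Sure, it's jane.doe@example.com and my cell is (555) 010-4477.",
    "Customer: The card is 4111 1111 1111 1111, order number 1234567890123.",
]
```

Pattern matching of this kind misses card numbers that a speech-to-text engine spells out as words, so it complements the secure IVR approach rather than replacing it.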
4. What do you do to protect your remote agents?
Ask your prospective BPO if it has systems and policies in place to protect its remote agents from cyberattacks and keep its systems secure. Key considerations should include:
- Multi-factor authentication (MFA): Does your BPO require agents to log in via MFA to ensure redundant layers of protection for any systems or hardware requiring a login?
- Virtual desktop infrastructure (VDI) and virtual private network (VPN): Does your BPO have a VDI solution that allows secure deployment of virtual desktops from a centralized server that limits agent access to only the brand(s) they support? As an added layer of protection, does it require all agents to log onto a VPN to access their systems?
- Bring your own device (BYOD): Does your BPO allow agents to use their own devices? If so, what systems and policies does it have in place to keep the company’s systems and customer data secure?
Outsourcing With Confidence
Security should always be a top priority for the BPO partners you work with. When you select a customer service partner, you have a responsibility to your customers to critically evaluate its data security practices and policies. A quality BPO partner will invest in policies and technology that ensure the highest level of data security for the brands it supports, and it will continue to evolve to combat emerging threats like those posed by remote working environments.