Curing the multi-locational compliance headache

How to enable multi-locational working without breaking compliance
Over the last year merchants have faced several waves of unplanned change in the rush to home working. That rapid change broke compliance and presented challenges for many merchants seeking to stay open for business. This blog looks at some of the strategies they used, the ones that didn’t work and the ones that did. It also looks at the impact those actions had on their operations.

We also take a peek into the future to consider not just the future of home working, but the future of compliance in a world where change is the only constant.

So, what just happened?
Looking back to the transition to home-working in 2020, we suddenly went from contact centres that looked…

This just shows the diversity of people’s home working environments, and it has far-reaching implications for compliance and security.

Contact centres before lockdown…

Before lockdown, the contact centre world was usually set up as part of the corporate network, integrated into data centres and there might have been in-house contact centres or outsourced contact centres. But it was all in an environment that you controlled.

What that really means is that you had secure networks that you owned and controlled – the hardware that you delivered and provided to people and the software that you gave access to on a user-by-user basis.

Once in lockdown this all changed.

As everyone moved to home working, you no longer had a small number of highly controlled environments, but a whole world of different environments such as…

– Home Wi-Fi networks where you don’t know the provenance of the equipment
– People using their own equipment
– Company equipment that you provided is now on a home network
– Other, unknown, equipment may be sitting on that network too
– Has someone bought cheap internet devices that may have vulnerabilities in them that are now on these networks?
– What software have home-workers got stored in these environments?

It creates a world where the threats just keep multiplying. From a compliance perspective, how can you continue to take secure payments in a world where you’ve suddenly lost a lot of the control that you’re used to having?

Commonplace headaches
At Eckoh, we work with organisations of all sizes, scales and sectors. We’ve picked three to give you an example of the challenges they faced and the solutions they adopted.

A high street retailer:

Their contact centre had a ‘Pause and Resume’ solution in place to prevent card data getting on to call recordings. Their challenge, from a voice perspective, was that they couldn’t provide equipment for people to be able to take calls at home. A lot of staff were using their home phones and personal mobiles to take calls. And, from a systems and access perspective, they were often using home PCs and some staff only had iPads and tablets. In this scenario, absolutely nothing in this home working contact centre was something the business had provided or controlled centrally.

A global insurer:

This contact centre was also using ‘Pause and Resume’ but they also used a ‘clean room’ in the contact centre that they brought up to full PCI compliance in order to take payments in this area, and this area only. The rest of the contact centre was unable to take payments. They extended their softphone capability to allow their staff to work from home using connectivity to virtual desktop environments for access to systems. The challenge here was that those home-working agents were no longer in the ‘clean room’ or in an environment that the business controlled. This is where they struggled and needed to find a solution.

A utility provider:

This organisation already had a DTMF solution in place that prevented card data getting into their environment and they were able to extend this to home agents via their telephony platform. Their VPN access was rapidly rolled out to their staff at home, but there was a bit of a lag that created a gap in delivering their services.

What didn’t work?

Relying on multi-site redundancy

A lot of organisations had disaster recovery strategies in place, but most relied on failing over from one location to another. So, if there was an incident at one site they would send their staff to a local recovery site or they would fail over to a different contact centre in the same country, or sometimes in another country. The challenge here is that both locally and globally everyone was in the same boat: everyone had to work from home, and that meant that anyone relying on this approach didn’t have anywhere to fail over to.

Solving only one problem at a time

Obviously, there was a huge urgency to get something up and running – fast. Organisations that addressed that challenge one step at a time often struggled because, while they might implement a Contact Centre as a Service type solution to get calls to agents working from home, if the next step was to think ‘how can we be compliant?’ they created a whole other piece of work to do that which might require re-engineering that first transition. By not thinking of compliance, as part of that overall change, they created this sort of black hole where they were no longer able to take payments.

Edge cases and compensating controls

Those that relied on ‘clean rooms’ or compensating controls, those organisations that hadn’t made payments a core part of everything that the whole contact centre did, are those that also found this transition difficult. Their agents weren’t trained and didn’t understand the needs or the controls around compliance. The edge cases they had put in place behind their own data centres and offices no longer applied because people were no longer in those locations.

What did work?

Having comprehensive solutions in place

Those organisations that already had comprehensive solutions in place fared much better. Most likely they would have had a full de-scoping telephony solution in place that could be more easily extended to home workers, preserving the controls that were core to the whole contact centre. These organisations were able to get up and running faster and probably didn’t have to miss any calls during the transition.

Being ready to adapt

This is the key. Those who were able to make changes and procure new solutions quickly were the ones that succeeded where others failed. Sometimes it’s internal operational processes that can hold you back from solving a problem when you need to move fast.

Addressing the challenge holistically

Anyone who looked at the immediate challenge and solved that first may have queued up a headache that would hit them further down the line. A lot of people went into the pandemic situation thinking that it would only last a few months, but actually we’re still here, it’s the beginning of 2021 and it’s likely to run on longer before things start to return to normal.

Thinking about the future at the same time as thinking about making any changes is also quite key.

Potential solutions…
So, what options were available to merchants to help them overcome the challenges they were facing?

Increase automation

This is less about getting calls to contact centre agents and helping them be compliant; it’s more about taking payments in a compliant manner from the customer. As people moved to home working, there was often a lag between when the process started and when they were able to take 100% of their previous capacity. Automation really helped to fill the gap here so, while you were not able to offer all your services to your customers, you would be able to offer the critical services, and often these are around getting balances, making payments or tracking orders. Automation can be easily added to voice channels (IVR), web or apps, for example. This really helped a lot of organisations smooth this peak.

Pay by Link and eWallet

This is a lighter-weight solution that people are used to, and it works well in some scenarios. So, if you’re in a situation where you can’t take a payment securely you could ask the customer to make that payment for themselves. Perhaps your agent is on the phone in a voice channel or in a chat on a website, or maybe using Facebook Messenger, WhatsApp or social media channels. Your agent could send a link out to the customer so they can click the link and make a payment on their device. The great thing about this is that it’s not restricted to card payments and can be used with methods like PayPal, Google Pay or Apple Pay. It’s a great way to be able to take payments via any channel.

Secure the contact channel

This is perhaps the most comprehensive scenario and the best way to avoid any risk to the card holder data by not having any of that data in the contact centre environment in the first place. The ability to secure the entire contact centre by routing calls through a DTMF masking solution or taking a payment securely via a web chat provider are the sort of things that can help. We saw this work best where people already had solutions in place that could be extended to cover other channels and use cases. In a lot of situations, we found that while it may be possible to move quickly to implement things, once staff had been sent home to work merchants were not necessarily able to make any changes to their operation very easily because they didn’t have anyone in the office and couldn’t get people in or out.

Secure the agent

Another solution that really helped in this scenario was securing the payment at the agent end. You may have been able to get the calls through to an agent at home and provide access to the systems they need, but you still don’t want that agent to be able to see or hear the card data spoken by a customer. There are software-based solutions out there that work with softphones to prevent agents having access to that card holder data: the customer doesn’t have to speak their card data and the agent cannot access or retrieve any data from the system. Because this solution is local to the agent’s desktop it can be rolled out easily and quickly, which makes this a very appealing proposition.

How the headaches were cured…
Looking back at the three client scenarios we addressed, how did they address their challenges?

Our high street retailer chose to use Pay by Link because they had a lot of people using their own devices and equipment and couldn’t get company ones out to them. This option meant they were able to carry on serving customers. They now intend to continue this as part of their ongoing operations to enable their in-store retail staff to take payments during phone calls to the store without having to ask the customer to read out card details. This company has been able to capitalise on the change to make things better for the future.

Our insurer could also get their calls to their staff at home, but they needed some way to prevent the agents from seeing or getting hold of that card holder data. They chose to secure the agent to meet the challenge.

Our utility provider already had a DTMF masking solution in place for their contact centre and they were able to extend that through their telephony solution. But, because there was a lag between getting people home and getting everything set up, they used automation to bridge the gap to ensure they could continue to provide the most critical services to their end customers during the transition. You can also use automation to provide helpful and regular messaging to people so that you’re informing your customers about what’s going on. Because everybody was affected by the same issues most people had some sympathy and explaining that helps them to accept some lower functionality or self-service.

What to consider next?

The role of home working

Many people have seen that it can really work, and work well. Admittedly, there are challenges but we’ve seen for ourselves, through surveys in our own organisation, that people often say there are many upsides. Benefits such as a better work-life balance, greater productivity through less commuting and easier recruitment because you’re no longer bound by the geographical area of your contact centre. But perhaps the most useful aspect of retaining home working is that you have an instant disaster recovery option. A lot of organisations are looking at how home working fits into that longer term strategy.

Pivoting your tactical solutions

How do you turn tactical solutions into longer term solutions? An important part of this is to analyse the changes that were made to get up and running. Did they work? How did they impact customers? How did customers feel about it? How has it impacted customer satisfaction and ease scores? Is there some sort of flexibility that can be retained out of the changes you made to address the rapid shift to home working?

Planning for disruption

What we’ve really learned from this whole experience, including the shift to home working, is that we need to plan for disruption. A lot of organisations build their operations around what they want to happen, then put in place things to catch particular scenarios if things go wrong. But a better way to approach this is to upend it and design for failure, so you design for when things go wrong. This means that you’ve always got an option, or a series of options, that you could deploy in the event of an unforeseen situation. Building in automation plays a vital role here so you’re able to scale your operation up and down as well as provide messaging to your customers.

Embracing change

This is really what it’s all about. Keeping that focus on operational readiness. Organisations that struggled to make the change to home working may have lost out to competitors in a world where it’s very easy for customers to take their business from one merchant to another if your services aren’t up to scratch. Here is where agility becomes your competitive advantage.

Compliance also has a role and should be used to drive positive change. Too often compliance is seen as a problem to be solved – create a project for a few months, resolve the problem, tick the box and everything is fine. But the organisations that treat compliance like this are the ones that didn’t manage to make the transition very well. The ones that did were the ones that said ‘right, compliance is a part of what we do’. Making sure that all your staff know the important steps involved in maintaining compliance, that they’re all aware of security issues, and that anybody can take a secure payment if they need to will set you up to thrive in any situation.

To summarise
– Operational flexibility beats disaster recovery
– Compliance is part of every decision making process
– Payments are a part of everyday operations
– Use compliance to drive positive change
– Create agile compliance for your organisation

If you’d like to know more about some of the case studies and issues they faced, or would like to talk to us about how we can help you build in resilience without breaking compliance, then get in touch: www.eckoh.com/contact
