This report is provided by BRC Associate Member, IP Integration.
__________________________
Regulations loom increasingly large over retail, but they don’t need to impact CX
Retail Contact Centres are a critical hub for customer service. The experience consumers have when dealing with agents can make or break their relationship with a retailer. Yet Contact Centres are also governed by a growing set of rules and regulations, from best-practice standards such as ISO 27001 to industry requirements such as PCI DSS. Newer rules such as the FCA's Consumer Duty and the EU's Digital Operational Resilience Act (DORA) come into play too. They apply directly only to financial services organisations, but many retailers now provide financial services, for example buy now, pay later schemes, and can fall within scope as a result.
The key is to ensure that compliance efforts don’t come at the expense of a focus on customer experience (CX). The good news is that there are technology solutions out there: and when deployed judiciously, they can actually enhance CX, revenue and reputation while minimising compliance risk.
A patchwork of rules
The Contact Centre sits at the epicentre of any retailer’s customer interactions. Its agents might be fielding calls, texts, emails and web chats, or even proactively monitoring social media for customer sentiment and news of emerging incidents. The experience delivered to these customers will often decide whether they stick around or not. Research reveals that the digital customer experience is either “extremely important” (40%) or “very important” (41%) for over four-fifths of organisations.
But at the same time, the Contact Centre holds and manages huge volumes of customers’ personal and financial data. This is in high demand on the cybercrime underground, where it is sold for use in identity fraud and follow-on phishing attacks. More than a third (35%) of UK retailers fell victim to fraud, cyber-attacks or data breaches in 2023, according to the Centre for Economics and Business Research (CEBR). This is a 38% annual increase and amounts to an average £1.4m loss to fraud per retailer during 2023.
That is why customer and employee personally identifiable information (PII) is tightly regulated in the UK. The industry standard PCI DSS sets strict requirements for any organisation that stores, processes or transmits cardholder data, retail Contact Centres included. And the UK GDPR and the Data Protection Act 2018 require all organisations to safeguard personal information rigorously and in line with best practice.
There’s more with DORA
But there’s more. Retailers that offer financial services products to their customers, such as banking or insurance, and which operate in the EU or with partners based there, could also be required to fall into line with the bloc’s DORA.
Among its requirements: in-scope financial entities must identify, document and protect their ICT assets; continuously monitor sources of cyber risk so that critical threats are prevented, detected and contained; maintain business continuity and disaster recovery plans and the systems to back them; manage and report major ICT incidents; test their systems regularly; and remediate the gaps that testing finds. ICT suppliers to financial entities are pulled in as well: their customers must flow DORA's risk-management and resilience expectations down through contract terms, and providers designated as critical come under direct oversight by the European supervisory authorities.
Streamlining compliance
Fortunately, there are plenty of ways that retail Contact Centres can manage their compliance burden without impacting CX. One of the best ways to reduce risk is to follow the data minimisation principle recommended by the UK's data protection regulator, the Information Commissioner's Office (ICO): if you never collect or store the data, you cannot lose it.
Technology exists to automatically pause call recording while an agent takes a card payment over the phone, so the card details are never written to the Contact Centre's systems, where they could be accessed or stolen by a threat actor. Recording resumes automatically once the payment is taken. The limitation is that the agent still hears the digits read out, so pause-and-resume keeps the data out of storage but not out of the agent's earshot or desktop.
DTMF masking goes further: customers key their card details on the phone keypad, and the tones are replaced with a flat tone before they reach the agent or the recorder. The digits are therefore neither audible to the agent nor present in call recordings, so they cannot be recovered by a rogue agent or by an outside attacker who obtains the recordings. Both capabilities matter for PCI DSS because they shrink the amount of cardholder data the Contact Centre touches, and with it the systems in scope and the cost of compliance. The scope reduction only holds if the masking happens before the audio enters the retailer's network, typically at the carrier or the payment provider; if unmasked tones traverse the Contact Centre's own telephony first, those systems remain in scope.
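To make the pause-and-resume and DTMF-masking flows concrete, here is an added simulation of an agent-assisted phone payment. It is illustrative code written for this page, not IP Integration's product or any vendor's API. It assumes a hosted payment component (here `SecurePaymentGateway`) that sits between the carrier and the Contact Centre and is the only thing that ever sees the raw digits; the event stream, the Luhn check and the tokenisation are constructed for the example. Run it in "mask" mode and the recording keeps the conversation but carries flat tones in place of card digits; run it in "pause" mode and the recorder drops everything inside the payment window while the agent still hears the customer speak.

```python
"""Simulation of PCI DSS de-scoping for phone payments: DTMF masking
and pause/resume recording. Added example, not a vendor implementation."""
from dataclasses import dataclass
import secrets

MASKED_TONE = "<flat-tone>"  # what the agent and recorder receive instead of a digit


@dataclass
class Event:
    source: str   # "agent" or "customer"
    kind: str     # "speech", "dtmf" or "control"
    payload: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit test, used to reject mis-keyed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class SecurePaymentGateway:
    """Hypothetical hosted component outside the retailer's network. It buffers
    the keyed digits, validates them and returns only a token and masked PAN."""

    def __init__(self):
        self.vault = {}   # token -> PAN; lives with the payment provider, not the retailer
        self._buffer = ""

    def accept_digit(self, digit: str) -> None:
        self._buffer += digit

    def finish(self):
        pan, self._buffer = self._buffer, ""
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            return None   # declined: nothing stored, nothing returned to the agent
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return {"token": token, "last4": pan[-4:],
                "masked": "*" * (len(pan) - 4) + pan[-4:]}


def process_call(events, gateway, mode="mask"):
    """mode="mask": recording continues, digits replaced by a flat tone.
    mode="pause": the recorder is paused for the whole payment window."""
    recording, agent_view, result = [], [], None
    in_payment = False
    for ev in events:
        if ev.kind == "control":
            if ev.payload == "payment_start":   # agent triggers secure capture
                in_payment = True
                agent_view.append("[secure capture started]")
            continue
        if in_payment and ev.kind == "dtmf":
            if ev.payload == "#":               # terminator: validate and tokenise
                result = gateway.finish()
                in_payment = False
                agent_view.append("[payment result: %s]"
                                  % (result["masked"] if result else "declined"))
                continue
            gateway.accept_digit(ev.payload)    # raw digit goes only to the gateway
            if mode == "mask":
                recording.append(MASKED_TONE)
                agent_view.append(MASKED_TONE)
            continue
        if in_payment and mode == "pause":
            agent_view.append(ev.payload)       # agent still hears speech; recorder does not
            continue
        recording.append(ev.payload)            # outside the window everything is normal
        agent_view.append(ev.payload)
    return recording, agent_view, result


def build_call(pan: str):
    """Constructed sample call, not a real transcript."""
    return [
        Event("customer", "dtmf", "2"),   # IVR menu choice before payment: recorded as usual
        Event("agent", "speech", "I can take payment now. Key in your card number, then hash."),
        Event("agent", "control", "payment_start"),
        Event("customer", "speech", "Keying it in now."),
        *[Event("customer", "dtmf", d) for d in pan],
        Event("customer", "dtmf", "#"),
        Event("agent", "speech", "Payment received, your order is confirmed."),
    ]


def run_sample(mode="mask", pan="4111111111111111"):
    gateway = SecurePaymentGateway()
    recording, agent_view, result = process_call(build_call(pan), gateway, mode)
    return recording, agent_view, result, gateway


if __name__ == "__main__":
    rec, view, res, gw = run_sample("mask")
    print("recording:", rec)
    print("agent view:", view)
    print("vault entries held by the provider:", len(gw.vault))
```

The point to take from the simulation is where the PAN ends up: only in the gateway's vault, never in the recording or the agent view, and a Luhn failure leaves nothing stored at all. The "2" keyed to the IVR before the payment window is recorded unchanged, which is the behaviour you want; masking must be tied to the payment state, not applied to every tone on the call.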
On digital channels, an agent can send a pay-by-link to the customer in the chat window. The customer enters card details on the payment provider's hosted page, so the data never passes through the agent's desktop or the chat transcript, which again reduces both breach risk and compliance scope.
Retailers that think they may have DORA obligations will also need to keep a closer eye on their IT suppliers, including any Contact Centre technology. It should be penetration-tested, kept current with patches, and built with redundancy and fault tolerance. Cloud-based systems have an advantage here because the vendor patches and backs them up, so the retailer is not left running a stale version. That does not transfer the obligation, though: DORA keeps responsibility for third-party ICT risk with the financial entity, so the retailer still needs contractual commitments, test reports and audit evidence from the vendor rather than taking the word "cloud" as assurance.
Consolidating Contact Centre technology onto a single, cloud-based supplier makes sense where feasible: it reduces administrative and management overhead and can free up time for the more complex aspects of DORA compliance. The trade-off is concentration risk, which DORA also expects firms to assess, so the decision, and the exit plan should that supplier fail, should be documented.
Compliance as business driver
A third (32%) of consumers say they have left a company because of poor customer service, and a further 17% say it was because the service was no longer fast or efficient. In the fight for sustainable growth it is therefore vital to optimise CX in the Contact Centre. If compliance programmes are aligned to that goal, there is no reason the process should degrade customer service.
The technology is already here to streamline the customer journey, while ensuring regulatory compliance rules are enforced. It’s about treating compliance less as a box-ticking exercise and more as an opportunity—to improve CX and drive revenue.