Staying up-to-date with compliance standards for contact centers is a priority for us here at DailyPay. After all, there are nearly 20 contact center organizations across the United States that now offer their employees DailyPay.
As such, it’s imperative we have insight—and foresight—into compliance and regulations so we can ensure our technology enhances the lives of our partners and their employees.
To stay current, we recently sent some of our team to the 2018 PACE Washington Summit. While we had a number of insightful conversations and attended a lot of thought-provoking sessions, one presentation by Ronnie Mize, Chief Security Officer at ETech Global Services, really stuck with us.
After the conference, we caught up with Ronnie to further pick his brain on contact center compliance.
Q: Why is contact center compliance becoming more critical — or more a part of the conversation — at this moment?
A: Data security and privacy are critical for a contact center to provide exceptional customer service. Customers want to know that you, as a business, are protecting their data. By knowing they are secure from the growing number of breaches taking place, your users have increased confidence in your brand.
Data security also protects your bottom line. Breaches can become costly for businesses. For example, in one of the more high-profile breaches, Facebook is looking at fines of up to $8,000 per user for their latest breach.
Additionally, the newest legislation in consumer privacy and compliance—first in Europe with GDPR and now in states like California with the California Consumer Privacy Act (A.B. 375)—is tightening control over consumer data quite a bit. Contact centers are now responsible for taking action to follow these guidelines.
Q: Does data notification compliance go hand-in-hand with CAN-SPAM compliance?
A: The point most often underscored by new legislation is that an owner of data (the individual) should have the most control of that data. Not the company.
That means if you as the individual are allowing a company to access your address or social security number — or whatever else — you should be able to tell them exactly how and when they can use that information. Individuals also have the “right to be forgotten,” which means businesses may have permission to capture data at one point, but the data can and should be expunged the moment an individual asks.
So, if I’m holding your data, and I’m a responsible organization, I’m going to allow you to tell me what happens to your data and when I’m allowed to access it.
Q: What compliance questions should businesses be asking of third-party vendors?
A: A few questions come to mind:
- Is the software certified compliant?
- Is the software provider Payment Card Industry Data Security Standard (PCI DSS) compliant?
- Is the software pen tested?
- Has the software been audited by a third party?
- What type of security controls does the company have?
- Do they have the proper firewalls/antivirus?
- What happens to that data that I’m keying in? Is it redacted, masked, pseudonymized or encrypted?
Q: If we take a holistic look at the industry, how are contact centers doing in general?
A: In short, contact centers are in a much better place this year than last. That is, in part, because we better understand what we must do. We have finally started to realize that data breaches are not a matter of 'if'; they're a matter of 'when.' And in turn, the focus has shifted to what we can do to ensure that when a bad actor gets in, they can't find anything valuable.
If we don't take appropriate measures, in today’s world, a single breach can shut a contact center down. And, while we’re moving in the right direction, we still have a long way to go as an industry.
Many contact centers operate with legacy technology, and adapting to new compliance regulations means fundamental changes, and those aren’t cheap or quick-moving.
So...is DailyPay compliant?
This wasn't a question we asked of Ronnie, but this article does raise the question: is DailyPay compliant?
DailyPay strives to be the best partner possible. By monitoring and maintaining compliance regulations to match our industry partners, we continue to keep our customers and their employees safe as well.
DailyPay is CAN-SPAM compliant, which means that anyone who receives email or text correspondence from us can easily opt out. Additionally, anyone who receives text updates from us must first have consented to receive them.
DailyPay is also SOC-2 compliant. SOC-2 is designed for service providers storing customer data in the cloud. To be SOC-2 compliant, an organization must monitor unusual system activity, authorized and unauthorized system configuration changes, and user access levels. DailyPay has been evaluated by an objective third party and found to be current on the security and encryption controls it has in place to protect systems or data.
Finally, DailyPay is fully PCI DSS compliant and tokenizes user data to further protect payment information.