In the past few years, companies have become significantly more interdependent—users share passwords, and systems use backend technologies operated by third parties. So when hackers breach a company’s security, they often gain access to a wider set of services and information than initially expected.
That can create countless headaches for customers, whether it’s being forced to reset passwords, freeze credit records, or deal with drained bank accounts and cases of fraud. To get an idea of the scope of the danger, the top 21 security breaches in 2018 affected hundreds of millions of customers.
Beyond being hugely damaging to the brands affected, there’s the very real harm being done to customers. And these kinds of breaches are especially dangerous for companies working in the growing financial technology sector. Customers who use these services—mobile banking, digital wallets, and online payment processing—expect convenience, excellent service, and peace of mind when it comes to their personal data.
That poses a significant challenge for fintech support leaders who need a customer service solution that protects the data of both customers and their companies. So when evaluating customer service software, what should those decision-makers look for?
At the most basic level, customer service software should encrypt data securely—for example, it should use Transport Layer Security (TLS) to protect data in transit between its servers and yours. It should also provide an environment for secure, encrypted email, and it should let users enable settings that automatically redact sensitive information such as credit card numbers.
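As an added illustration of the automatic redaction setting described above (example code, not taken from any product discussed here), the Python snippet below masks card numbers in free-text support messages, using the Luhn check so that other long numeric strings such as order numbers are left untouched. The regular expression and the sample message are constructed for this example.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or hyphens. Constructed pattern; a real product would tune it to the card
# brands it accepts and to adjacent numeric tokens in its own ticket data.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str, keep_last: int = 4) -> str:
    """Mask card numbers in free text, keeping only the last `keep_last` digits.

    Only digit runs that pass the Luhn check are masked, so order numbers and
    other long numeric strings that merely look like a card number survive.
    Separators inside a masked number are dropped.
    """

    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number: leave it as written
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    return _PAN_CANDIDATE.sub(_mask, text)


# Constructed support message: one real-looking test card number and one
# order number of the same length that fails the Luhn check.
SAMPLE_TICKET = "Hi, my card 4111 1111 1111 1111 was charged twice, order 1234567890123456"

if __name__ == "__main__":
    print(redact_pans(SAMPLE_TICKET))
```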
It’s also critical to have robust agent and administrator security measures in place, such as two-factor authentication, which requires users to enter a code—often sent to the user’s mobile phone—in addition to a username and password, and single sign-on (SSO), which allows users to access several applications with a single set of credentials. And because your customer service software should allow your team to develop custom apps that integrate with other products and sources of data, its API services should have strong security and authentication measures in place.
Compliance and industry standards
When a customer service software provider states that it takes security seriously, it’s helpful to look for third-party attestation to be sure. Meeting compliance standards demonstrates exactly how a provider safeguards your customers’ data. Here are a few standards you should look for:
SOC 2 Type II. For the layperson, SOC 2 Type II means that an organization follows strict security measures concerning customer data stored in the cloud. A third party then audits the organization’s operations—usually over the course of six months—which helps customers understand that the company has implemented a robust system of security controls.
ISO 27001:2013. A provider that adheres to this standard, which was established by the International Organization for Standardization, has set up a rock-solid information security process aimed at addressing risks specific to its business. Meeting this standard requires implementing a culture of continual improvement and risk management, vital elements in determining whether a provider will be ready to meet new security challenges.
ISO/IEC 27018:2019. This cloud computing standard covers how a company protects personally identifiable information (PII). Organizations that meet this standard have satisfied legal, regulatory, and contractual agreements and have identified—and planned for—security risks.
European Union’s General Data Protection Regulation. Any fintech company operating in the EU or providing services to customers in that market must adhere to GDPR, a stringent set of privacy regulations that, if violated, carry serious penalties. That doesn’t mean having to store customer data within the borders of the EU, but the host country must have equally rigorous data protection laws in place.
Trust, but verify
It’s all well and good if a software provider claims to be taking security risks seriously—but when it comes to protecting customer data, you can’t be too careful. That’s why serious providers seek third-party assessments, either to confirm compliance with regulations or to verify that they are observing security best practices.
Beyond those third-party certifications, you’ll want a partner that offers clear, actionable security measures, such as disaster recovery options, frequent security training and awareness sessions, and regular comprehensive reviews. And be sure to ask questions: Do they conduct penetration tests, observe secure development and deployment practices, and have incident management processes in place? A solid yes to each of these questions will help you ensure your customer data is in good hands.