Social Media Is Killing Customer Service

In a truly stunning service provider fail, I was without Internet access at home for 14 straight days. FOURTEEN DAYS!! But at least my service provider responded promptly on social media.

I won’t tell you who my provider is [virgin media cough], but as someone who works from home, not having Internet is a severe liability. I also happen to work in Internet security, so the vast majority of my day is spent faffing around online. At least my data was safe I guess.

It’s not so much that I was without access for so long (bad things happen); it’s that I STILL don’t know why! To be told every day that it’s a “known fault” and that it will be “resolved by 2PM tomorrow” makes an utter mockery of customer service. Not once did they update their site with an outage statement, not once did they call us with updates, and not once did they tell us what the issue was.

For God’s sake, my next door neighbour had Internet access from the same provider! Literally, next door, I’m at 45, they’re at 47.

Enough background; now to my real issue. While their actual customer service left a lot to be desired, their social media department was totally on the ball. And no, that’s not a good thing. About 30 seconds after we Tweeted about the disgraceful service, their rep was back to us, apologetic and full of concern.

What’s wrong with that you might ask? Well…

  1. They had no access to our account, so they could not even speak to the issue;
  2. They had no access to tech support to find out what was actually wrong;
  3. Once they realised they were making things worse they referred me to their utterly pointless Code of Practice;
  4. They kept no record of their previous contact so every subsequent bad Tweet was followed by the exact same conversation, and;
  5. Zero follow-up, zero accountability.

Bottom line: customer service over social media is nothing more than an attempt to protect their online image. At no point was this ever an attempt to actually help.

Customer Service is both an art and a science, and is one of the few competitive advantages left in the digital world. It should be pro-active, an extension of an organisation’s values, and absolutely cannot be faked. Most people I know would stick with a lesser product / service if they believed their provider actually cared.

I have never understood the visceral resistance to admitting that you’ve messed up. It’s akin to one of my favourite lines in The Dark Knight, when the Joker says: “You know what I’ve noticed? Nobody panics when things go ‘according to plan.’ Even if the plan is horrifying! If, tomorrow, I tell the press that, like, a gang banger will get shot, or a truckload of soldiers will be blown up, nobody panics, because it’s all ‘part of the plan.’”

In this case, all my service provider had to do was tell me the minute they knew there was a problem, which was 4 days before the line went down. Then, if they had just kept me pro-actively informed on progress, I would have only been disappointed, not angry. Of course, it would have been great if they had offered to provide a temporary alternative, a MiFi for example, but this was not necessary. They would have made a loss on the month, but they would have earned years of my loyalty.

As things are today, I will not only leave my current provider as soon as there is a viable alternative, but I will actively dissuade anyone from using them.

Social media is a critical aspect of customer service, but only if both social media and customer service are seen as intrinsic components of the right corporate values. If not, you’re just pandering, and I for one will not be pandered to.

[If you liked this article, please share! Want more like it, subscribe!]

The Next Best Thing to Innovation?

…is the appearance of innovation.

Well, it certainly seems that way. Can’t sell services over the Internet? Call them The Cloud. Can’t sell Risk Assessments and Vulnerability Management? Call it Operational Resilience. Can’t sell data management and access control on mobile? Call it BYOD.

When it becomes clear that there is nowhere left to go with your existing product or service, the appearance of innovation seems to be the go-to place for institutions staring down the barrel of obsolescence. Instead of working on their customer service, value-adds, or – God forbid – actually improving their offerings, too many organisations resort to smoke and mirrors to stay competitive.

And the worst part? We let them.

The payments sector is a perfect target for this blog, especially given the fact that I know little else. Take these two examples from the last few months: There’s a New Way to Pay With a Selfie, and TD, MasterCard and Nymi Pilot Heartbeat-Authenticated Contactless Payments.

Where is the innovation here? We’ve had biometrics for years. The only thing new is the ability to actually bring the biometrics to bear, which is an advance in mobile technology, not payments. The payment itself hasn’t changed: we’re still stuck with the same primary account number (PAN) being used by the same intermediaries (Acquirer, Issuer & Card Scheme), over the same systems we’ve had for decades. Even if you build tokenisation into these systems, the tokens are still mapped back to a PAN in the back-end somewhere.

If you accept that a payment is just a transfer of value from one place to another, true innovation must involve the complete disintermediation of almost every player in the current ecosystem except the banks. Sure, there can be service provider intermediaries, but they will be providing true benefits to consumers and banks alike in the fields of identity management / authentication, anti-fraud, customer service, loyalty and reward programs, ratings and reviews, big data analytics and a host of other services of which I can barely conceive.

To be worthy of the term ‘innovative’, any service or product offering must have the following attributes:

  1. Be of practical use, and not just theoretical
  2. Provide long-lasting benefit to all stakeholders
  3. Cannot knowingly stifle or exclude competition

For payments, there are a few more:

  1. Be available to the largest portion of the population possible (including those with disabilities)
  2. Be frictionless to the average consumer, or better yet, invisible
  3. Maintain appropriate confidentiality, integrity and availability of all underlying sensitive data, to meet – or exceed – all current legislation, regulation and best practices

Not one of these things, or even ALL of them at once, should be too much to ask, but it’s never that simple. There will always be those existing players whose power and position can make some of these requirements all but impossible for newcomers. And the newcomers rarely do themselves any favours; disruptive innovation, competitive advantage, and blatant greed all prevent true innovation from reaching the mainstream.

In payments, like most industry sectors, collaboration is the key to significant and beneficial change, and in a market worth tens of TRILLIONS of £/€/$, I would have thought there was enough to go around.


Payments Innovation Should NOT be Disruptive!

By now I think everyone has heard the phrase ‘Disruptive Innovation’, defined as “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.” This phrase is especially bandied around in payments.

But how many of you have heard the phrase ‘Sustaining Innovation’, which “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements”?

So if you accept that a payment itself is just a way for you to access your stored value (what we call money) at any time / place of your choosing, why is everyone so interested in disrupting the existing payment ecosystem? And by “everyone” I of course mean those who are trying either to break into the market, or to wrest even more control for themselves. Non-cash payments work [for the most part], and you have a large degree of faith in your bank’s ability to protect your monetary assets, so do you really want the whole thing to change? Do you even know what it is that you want that’s different from what you have today?

Do things even need to change? Yes, they do. Are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. Can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, and that is used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true disruptors in the payments industry: the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and Bluetooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains it was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he wants to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

The greedy can stay home.


Is Your Acquiring Bank Making PCI Even More Difficult?

First a caveat: this blog is not aimed at all acquirers, nor is it aimed at every individual at any one acquirer. There are some very professional, knowledgeable, and pragmatic acquiring banks out there who are providing excellent advice and guidance to their merchant base.

Then there are the others who not only seem to have no idea what they are talking about, but are actually making things actively worse in terms of both resource effort and overall expenditure for their merchants. This is supposed to be a program of APPROPRIATE security, not just compliance.

The latest, utterly inexcusable example of this is a Level 3 merchant I know who, wanting to do things properly, hired a QSA company to come in and help them prepare for the completion of their SELF Assessment Questionnaire (SAQ).

The first thing the QSA had to do was get the merchant to ask the acquirer which SAQ they wanted, as the acquirer had left that to the merchant. For those who don’t know, it’s the acquiring bank’s responsibility to determine the correct SAQ based on the merchant’s business processes and card transaction volume. The acquirer should NEVER point at a QSA for this decision, and should most certainly not be leaving it up to the merchant.

After spending a significant amount of time and money, this particular merchant documented 2 compensating controls, which were then required to be signed off by a QSA!! Are you kidding me!? It’s a SELF assessment!! You show me a QSA who will sign off on a compensating control without the context of a FULL Level 1 assessment or a million caveats and I’ll show you an idiot.

Now try to imagine this merchant’s frustration when he knows another similar merchant had just filled out an SAQ by themselves, got an ASV scan, and received no questions from the same acquirer? The original merchant tried to do it properly, tried to ensure they could answer every question properly, and were even honest about the things they could not do. Their reward for this was additional expense getting another QSA to come in and help them translate the PCI rules back to the acquirer.

Here I am now 4 short weeks later and I have another merchant being told that the acquirer would “accept an SAQ D” for their reporting requirement. Bear in mind that this client is an e-commerce merchant who has implemented a full redirect to a PCI compliant service provider (exactly the scenario the much shorter SAQ A exists for) and you can again imagine the frustration. Add to this that the merchant, who will be reporting full compliance within a month, was also “encouraged” to complete a Prioritized Approach Tool spreadsheet as well, and the whole thing becomes a farce.

I have a lot of sympathy for acquirers: their PCI headaches are multiplied by as many merchants and service providers as they acquire for, but this is no excuse to provide anything but the most pragmatic guidance that they can. PCI cannot be driven from behind a desk, and practical guidance can only come from those who have been in front of a client as a QSA. I can read a book on emergency appendectomies, for example, but I would suggest you go to a real doctor.

Merchants: If you do want to do PCI properly, hire a good QSA or industry expert for ONE day to set the game-plan with your acquirer and your internal teams, then get on with it.

Acquirers; Hire ex-QSAs with good reputations to run your merchant-facing PCI Programs, you’ll save yourselves and your clients a Hell of a lot of pain.

‘PCI Compliant’ Service Providers, You Are Warned!

Readers of my blog know I am opinionated, which is why I have so many non-readers, I suspect. I find myself now with something of a mission: either to train providers of PCI-related services to perform Requirement 12.9 (the service provider’s written acknowledgement to its customers of the cardholder data responsibilities it takes on) correctly, or to make available a responsibility mapping matrix of their Attestation of Compliance (AoC)-defined services. Merchants need to perform appropriate due diligence; without full disclosure and guidance from Service Providers (SPs), this is all but impossible for the majority of non-PCI experts.

I am not saying the SPs are doing anything nefarious, [mostly] they are not; it’s just clear that neither they, nor it would appear their QSAs, have taken the time to produce a responsibility mapping that makes sense.

I will not be posting names, but if you contact me on david@coreconceptsecurity.com and ask about a specific provider, I will tell you whether I have the mapping or not (just started this, so it’s unlikely, but stay tuned…). I am also happy to accept AoCs for your provider if you want a mapping done. Finally, I am also happy to help SPs directly if they would like to get ahead of this.

For Merchants: Regardless of the SAQ you complete, you are responsible for EVERY requirement in the PCI DSS, so any mapping and contract you have in place must be at that requirement level, not that of the SAQ. If all you get is an AoC, there’s a very good chance your residual responsibility is significantly higher than you would like, and perhaps than you have been led to believe.

At a minimum, your mapping will have 3 columns:

  1. AoC Mapping – The AoC is the only ‘official’ record of which requirement numbers the SP’s assessment covered, and it is the only thing you can go by; anything else the SP may say is irrelevant. If it’s not on the AoC, you cannot point your RoC/SAQ to it, and the requirement must still be assessed on your behalf. Note: Be VERY careful re: sub-requirements. If they are not SPECIFICALLY addressed, they are not included (listing Req. 1.1.5 on the AoC does not necessarily mean Reqs. 1.1.5.a AND 1.1.5.b, for example).
  2. Services YOU Require – This is where you specify EVERY requirement you’re looking to outsource, but you need to be reasonable. There are surprisingly few requirements you can fully outsource (depending on the service), and you must detail what partial responsibility must remain with you. For example, you can outsource the changes to your rule-set, but you will usually retain ownership of it (which is the majority of Reqs. 1.X).
  3. Residual Responsibility – This is what’s left for you to cover, and will represent an agreement between you, your service provider, and your QSA (if applicable). Anything NOT handled by your SP is yours.

The above is not to say that an SP cannot provide significant support outside of their officially assessed services, but whatever they are doing needs to be noted, and included in your report.

For example; regardless of the services provided, EVERY policy requirement is owned by you, and followed by your SP. They may have their own policies, and even have them listed on their AoC, but those policies do not cover you as a merchant from a RoC/SAQ perspective.

Once complete and agreed by both sides, this mapping should form the basis of your contract. It does not matter if it’s an annex, addendum or in the main contract body, but the actual PCI DSS v3.0 requirement numbers must be part of any binding agreement. Whether or not you put SLAs around the services, or require full compliance on an ongoing basis, is a business decision; tying your SP to the DSS requirements they cover on your behalf is a PCI obligation.
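The three-column mapping above is mechanical enough to script. The following is an added example, not the spreadsheet I uploaded for my client: it takes the requirement numbers the merchant wants outsourced, the numbers actually printed on the SP’s AoC, and notes for any partially outsourced items, and produces the residual-responsibility column using the rules from the list (exact matches only, so a listed 1.1.5 does not cover 1.1.5.a; policy requirements under Req. 12 always stay with the merchant). The requirement numbers, AoC contents and notes in the sample data are constructed for illustration, and the prefix rule for policy requirements is my own simplification.

```python
"""Build a PCI DSS service provider responsibility mapping.

Added example (not the author's spreadsheet). Sample AoC contents,
requirement numbers and partial-responsibility notes are constructed.
"""
import csv
import io

# Assumption: every requirement under Req. 12 is treated as a policy
# requirement, which the merchant always owns regardless of the AoC.
POLICY_PREFIX = "12."
FIELDS = ["requirement", "on_aoc", "outsourced", "residual"]


def req_key(req):
    """Sort key so that '1.1.5.a' follows '1.1.5' and '1.10' follows '1.9'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in req.split("."))


def listed_on_aoc(req, aoc):
    """Exact match only: '1.1.5' on the AoC does not imply '1.1.5.a' or '1.1.5.b'."""
    return req in aoc


def build_mapping(required, aoc, partial):
    """Return one mapping row per requirement the merchant wants covered.

    required: requirement numbers the merchant is looking to outsource
    aoc:      requirement numbers actually listed on the provider's AoC
    partial:  {requirement: note} where the provider only covers part of it
    """
    rows = []
    for req in sorted(required, key=req_key):
        on_aoc = listed_on_aoc(req, aoc)
        if req.startswith(POLICY_PREFIX):
            outsourced = "None"
            residual = "Merchant: policy requirements are always owned by the merchant"
        elif not on_aoc:
            outsourced = "None"
            residual = "Merchant: not on AoC, must be assessed on the merchant's behalf"
        elif req in partial:
            outsourced = "Partial"
            residual = "Merchant: " + partial[req]
        else:
            outsourced = "Full"
            residual = "Service provider"
        rows.append({"requirement": req, "on_aoc": "Y" if on_aoc else "N",
                     "outsourced": outsourced, "residual": residual})
    return rows


def residual_requirements(rows):
    """Everything not fully handled by the SP is the merchant's to cover."""
    return [r["requirement"] for r in rows if r["outsourced"] != "Full"]


def to_csv(rows):
    """Render the mapping as CSV, ready to paste into the contract annex."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data: what the AoC lists vs. what the merchant wants.
SAMPLE_AOC = {"1.1.5", "1.2.1", "12.1"}
SAMPLE_REQUIRED = {"1.1.5", "1.1.5.a", "1.1.5.b", "1.2.1", "12.1"}
SAMPLE_PARTIAL = {
    "1.2.1": "merchant owns the rule-set; SP only implements approved changes",
}

if __name__ == "__main__":
    mapping = build_mapping(SAMPLE_REQUIRED, SAMPLE_AOC, SAMPLE_PARTIAL)
    print(to_csv(mapping))
    print("Residual:", ", ".join(residual_requirements(mapping)))
```

Run it and the residual column shows the point of the exercise: of five requirements the merchant hoped to hand off, only one is fully the SP’s, because the AoC listed 1.1.5 but not its sub-items, 1.2.1 is shared, and the policy requirement never left the merchant in the first place.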

I have uploaded an example of a Service Provider Responsibility Mapping that I recently provided to a client – help yourself. Hopefully it makes sense, but you are free to contact me if you would like more guidance.

This is actually a very simple process, as is everything else in security, it’s only not knowing yourself what to do that makes it difficult. So ask for help.
