Regulations – CSM – Customer Service Manager Magazine (https://www.customerservicemanager.com)
The Magazine for Customer Service Managers & Professionals

With SCA Deadline Looming – What Happens Next?
https://www.customerservicemanager.com/with-sca-deadline-looming-what-happens-next/
Thu, 03 Mar 2022 13:45:10 +0000

Organisations with an online presence need to be sure they are ready for full Strong Customer Authentication (SCA) compliance for e-commerce transactions.

From 14 March 2022 any merchant that fails to comply with the requirements could be subject to Financial Conduct Authority (FCA) fines and risk customer purchases being declined.

Since the deadline was extended, the FCA has been encouraging e-commerce merchants to work with card issuers to implement SCA. There is a risk that if an e-commerce transaction doesn’t meet the SCA requirements, it could be declined by the card issuer/bank. The result of high numbers of declined transactions could increase costs and complaints, reduce customer confidence and lead to possible reputational damage (as well as the FCA fines).

Protecting merchants and customers from fraud

SCA is a positive change and protects both the merchant and the customer. If a customer pays online for goods using an SCA process, but later claims it was a fraudulent transaction, they will have to prove that the transaction wasn’t made by them. In the past a fraudulent transaction meant the merchant had to refund the money and incurred chargeback costs before any investigation into the transaction’s legitimacy had begun. Encoded’s Fraud Prevention Platform (FPP) is a new payment solution to speed up fraud checks and ensure more transactions are processed successfully.

What are the costs of implementing SCA?

Implementing a 3DS2 (3D Secure 2.0) enrolment check API and reacting to the outcome before each authentication is something most merchants don’t want to deal with. They have to get an authorisation code from the card issuer/bank to proceed with the transaction. These secure checks can be costly and complex, requiring expert resources to manage and implement.

An alternative way is to work with an established payment services provider (PSP) like Encoded, which means the transaction process and administration are managed by the PSP from start to finish. The merchant captures the customer transaction and the PSP carries out all the secure checks required by the acquirer to verify the card with the card issuer behind the scenes. With checks authorised, the PSP issues a secure link that takes the customer through the online process to complete the transaction.

Contact centre mail order, telephone order (MOTO) payments and fraud

While MOTO payments are out of the scope of SCA, contact centres can benefit from similar extra fraud checks to reduce declined payments. Cards can be declined for many reasons, including insufficient funds, a change in usage patterns or the bank suspecting fraud for another reason. Every time a card is declined there is a cost associated with it, as both the Acquirer and the Gateway require payment. Implementing a fraud prevention platform in association with agent-assisted telephone payment helps to reduce the time and costs while increasing the number of successful transactions. Encoded’s Fraud Prevention Platform streamlines verification checks and allows the agent to send a secure link (via email or text) to the customer for authentication.

Once the customer acknowledges the link, the transaction is verified and becomes the equivalent of a secure ecommerce payment from a trusted device, enabling 3D Secure validation and a higher degree of successful completion. It provides an easy, secure way to reduce the number of potentially fraudulent transactions in contact centres.

Choosing the right payment service provider for contact centre and ecommerce payments has never been more intrinsic to the future success of your business. Now is the time to start thinking about how to protect your business from fraudulent transactions and comply with the new regulations.

About the Author

Rob Crutchington is Director of Encoded.

Encoded is a leading Payment Service Provider and pioneer of new and innovative secure payment solutions for contact centres. Encoded offers a range of card payment solutions designed to help organisations comply with PCI DSS, GDPR and the newly introduced Payment Services Directive (PSD2).

Encoded’s solutions are trusted by many of the world’s leading brands including Samsung, Mercedes-Benz, BMW and Virgin, as well as a host of UK utility companies such as Green Star Energy and Severn Trent Water.  Solutions include:  Agent Assisted Card Payments, E-Commerce Payments, IVR Payments, Mobile Apps, PayByLink Mobile Payments and Encoded Gateway Services.  For further information please visit www.encoded.co.uk

The FCC’s Reassigned Numbers Database: A Good but Limited First Step
https://www.customerservicemanager.com/the-fccs-reassigned-numbers-database-a-good-but-limited-first-step/
Wed, 12 Jan 2022 22:02:15 +0000

Savvy customer service managers know the substantial compliance risk created by any communication that goes to the wrong recipient under the Telephone Consumer Protection Act. Robert McKay, SVP of Risk Solutions for Neustar, looks at the recently rolled out Reassigned Numbers Database (RND).

According to the Federal Communications Commission, callers must obtain consent from the person actually called, not the person they intend to call. So, if a company has consent to call a consumer at a particular number, but that consumer has since changed numbers, any communication to that original number will be in violation of the TCPA.

Calling a wrong number, even if it’s by accident, leads to serious penalties. Any outbound communication that violates the TCPA is assessed $500 per violation, and $1,500 if it was done knowingly. Because organizations usually engage in a high volume of automated calls, fines can add up quickly – especially when plaintiffs pursue nationwide class action lawsuits alleging massive numbers of violations. This makes TCPA violations very costly, and is why TCPA cases are the second most prevalent type of litigation filed in federal court.

One of the most famous TCPA settlements happened in 2014 when Capital One and three collections agencies agreed to pay $75.5M to end a class action lawsuit that arose from calls to customer cell phones. Many other national brands have similarly paid millions to settle TCPA class action suits out of court since then, including American Express, Wells Fargo, USCB, Nationwide Mutual and Sirius XM. They demonstrate how calling the wrong phone number can create serious problems for B2C dialers.

The Reassigned Numbers Database

To help address the significant business liability issues that arise when consumers with reassigned phone numbers receive unintended calls, the FCC recently rolled out the Reassigned Numbers Database (RND).

The RND contains U.S. geographic and toll-free numbers that have been permanently disconnected — and thus possibly reassigned — since January 27, 2021, along with the dates of those disconnections. All voice service providers (landline, mobile and VoIP) are required to report permanently disconnected numbers to the database on the 15th of every month; these changes are uploaded on the 16th, resulting in a new version of the database.

Use of the RND protects callers from TCPA liability in certain circumstances. The safe harbor is available as a litigation defense if three conditions are met. The caller must have (1) obtained consent from the intended call recipient, (2) queried the most recent version of the RND to verify that the intended recipient’s number has not been reassigned since the date of consent, and (3) received confirmation from the RND that the number has not in fact been disconnected (and thus not reassigned) since that date.

A caller who submits a phone number and consent date to the RND receives one of three possible responses:

  • Yes, the number has had a disconnect since the consent date (dial manually or do not call)
  • No, there has been no disconnect since that date (safe harbor applies; anyone who calls that number and reaches the wrong person and is then sued by that person may be protected)
  • No data (the number is not in the RND, so there is no safe harbor)

RND limitations

The RND is a step in the right direction, but the database still has many limitations.

Industry experts expect approximately 90% of calls in the first year to fall into the third category, no data, primarily because carriers have only been required to store disconnect information since January 27, 2021. If a caller is using a consent given prior to that date the RND will be unable to confirm that there hasn’t been a disconnect since then — and companies tend not to ask for renewed consent in the case that customers change their mind and revoke consent. And in some situations, such as third-party collections, consent dates are not available anyway.

Also, relatively few phone numbers (less than 5%) are disconnected each year. The RND will expand over the years as more numbers turn over, but this will be an extremely gradual process — especially since many of the people who disconnect do so often, meaning that the roughly 5% of numbers being added to the database each year represent far fewer than 5% of consumers.

The safe harbor from liability also has time limitations. Protection applies only to the current version of the database, so the maximum length of validity is 30 days (if the caller pings the database on the 16th of the month), and the minimum is one day (if the caller queries on the 15th of the month).

While companies will certainly want to use the RND both to obtain partial safe harbor and for reputational reasons, gaps in the coverage mean that the database will need to be supplemented with other measures to broaden liability protection.

The problem is larger than merely reassigned phone numbers. Compliance with phone-related regulations requires consideration of additional facets of TCPA regulations, as well as emerging regulations from the Consumer Financial Protection Bureau that place limitations upon the number of attempted calls a collections professional initiates within a seven-day period. For example, compliance with the TCPA compels B2C dialing organizations to factor in Do Not Call registries at the federal and state level. The type of equipment used to generate the calls is also under scrutiny; any automated dialing machine can exclusively use random number generation. There is a lot to consider in order to safely connect with customers.

Advanced tools to enhance compliance and efficiency

Savvy organizations are filling in these coverage gaps for more holistic regulatory compliance with third-party intelligence to reduce TCPA noncompliance risk. There are tools available that work in tandem with RND information to quickly identify and prioritize the right telephone numbers for a given consumer and fill gaps in a company’s consumer records.

Data insights like these will also help improve dialing efficiency (verification of name and number, phone type, phone in service, etc.), especially when combined with phone behavior intelligence (identifying the best number and time of day to reach a given person) and automatic customer record enhancement (ensuring that CRM files are complete, accurate and up to date). Combining compliance tools with dialer optimization has been shown to yield a 20% improvement in right-party contact rates.

Every organization will have a different approach to the vast middle ground between a confirmed phone-to-name match with consent that allows autodialing and a recent disconnect that requires manual dialing. Contactability scores with assigned risk levels can give call centers the information they need to optimize their operations in line with their specific risk tolerance.

Holistic solutions

Protecting against TCPA liability is just one of the many challenges that call centers face when contacting customers. Operational solutions need to go beyond RND querying to include understanding whom to call or text, what number to use, and when to reach out to maximize the chance of connecting with the call target. These types of holistic solutions can help organizations maintain compliance with outbound dialing regulations while at the same time improving the customer experience, increasing customer lifetime value, and optimizing the efficiency and effectiveness of outbound call center operations.

About the Author

Robert McKay is SVP of Risk Solutions for Neustar. Neustar is an information services and technology company and a leader in identity resolution providing the data and technology that enables trusted connections between companies and people at the moments that matter most.

 

10 Steps to Preparing Your Business for GDPR
https://www.customerservicemanager.com/10-steps-to-preparing-your-business-for-gdpr/
Fri, 11 May 2018 13:21:22 +0000

The General Data Protection Regulation (GDPR) is a new set of rules amended to the current Data Protection Act that will soon be mandated for those businesses dealing with European consumers.

GDPR Guide

On May 25, 2018, the regulation insists on safeguarding the personal information of all citizens of European Union member states. While many businesses are already aligned with the specifications, it’s important to make sure your business has everything covered.

This article takes a look at what you need to have in place in order to avoid being found in violation of the GDPR.

The truth is these new rules are aimed at large companies who deal in information as a source of revenue. Smaller businesses aren’t likely to be penalized the 4% of worldwide gross or 20 million Euros that large corporations will if they’re found in violation.

If you’re worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you’re unsure whether you will be affected, look for these key signals:

  • You deal in information as a commodity;
  • You request users’ data when they complete a purchase and use the data elsewhere or store it;
  • You deal with one or more European countries.

If the answer is no to all of these then you will be fine!

So what can you do just in case?

Here are 10 steps your business can take to be best prepared for GDPR, even if you are not physically located in the EU.

1. If your website has an online form that includes a pre-checked box giving permission to receive promotional emails from 3rd parties, this box now needs to be unchecked.

2. If your business conducts any form of list-building, ensure everyone on that list has given explicit permission to be in it. Under the Canadian PIPEDA, it was enough to have implied permission; however, if any EU residents are in your database, the rules are much firmer and provide subscribers with the right to obtain the information stored on them.

3. Make sure your entire staff is aware of the new rules. Circulate a memo to all personnel with a follow-up meeting where the points are reviewed. Asking a few questions to key players whose roles would be most affected by the new rules is a great way to ensure they’re aware of what they need to do.

4. Audit all stored client/customer info and track where you got it from and where it’s been used. Keep a record of every bit of info and who you may have passed it to at any time, and document the relationship and reasoning.

5. Update your privacy policy so it includes the reasoning for retaining any user data, how it is legally used, and how users can contact your business if they feel their user information is in any way being misused.

6. Have a clear method in place to address requests for erasing a user’s data. Under the DPA, users already had certain rights but the GDPR takes it further with information rights pertaining to their data stored by your business.

The rights consist of:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling

You will need to be able to provide all this information in a clear and machine-readable format (not in handwriting).

7. Have a process in place for handling large volumes of requests. Previously under the DPA businesses had 40 days to comply with a request. That has been shortened to one month. Any lawful request must be fulfilled, though if there is a large number of requests and the suspected reasoning is to cause problems for your business, then these requests can be contested legally.

8. Have your lawful reasoning for retaining user data or passing to others clearly stated for users and ensure the opt-in option is not pre-ticked or unclear. Users must have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they must have the option to say no. This is separate from Terms and Conditions.

9. If your business deals with anyone under the age of 16, then you’ll need a parent or guardian’s permission to process any of the child’s data. This is very important and strictly regulated, but at the same time, if you’re not dealing in information as a commodity, then you’re likely not going to have to worry.

10. Have steps in place to address a data breach. In the event that users’ data may be compromised, you will need to have a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.

As you can see it’s a big business problem and more so rooted in user protection in Europe where social networks have been cited as problematic and susceptible to foreign influence.

North America is not really affected much but the issue is still very newsworthy, which can make some small business owners nervous when they don’t need to be. In saying that, this article from Small Business BC points out some seemingly harmless potential data breaches that could put you at risk of violation such as sending out greeting cards to customers living in the EU.

If you have any questions about GDPR you can message Susan Friesen at eVision Media directly here.

About the Author

Susan Friesen, B.B.A. is the Owner/Developer at eVision Media.
