CX Leadership & Strategy

What CX Leaders Need to Know About Security and Compliance

July 22, 2021
0 minute read

Think about the last time you identified yourself over the phone to an agent—you probably handed over your name, address and birthday without a second thought. After all, a customer service interaction is one of the rare times where a customer (usually) feels safe enough to willingly hand over their personal identifiable information (PII) to another person. To get to this point, companies have invested countless hours and resources to build a high level of trust with their customers. 

With so much on the line, it’s essential that CX teams  put the right tools in place to ensure that their agents remain compliant with security protocols while safeguarding against a potential data breach. In this guide, we talk about the importance of security and compliance to CX teams, and how you can work with your Information Security (InfoSec) teams to ensure your vendors have the right security attestations and certifications.


Why is Security and Compliance Important to CX teams?

In short: data security is important to CX teams because customers don’t want to buy from brands with security issues.

The data speaks for itself; a 2018 study published by international security firm Gemalto (now a part of Thales) found that 70% of customers would stop doing business with a brand that had suffered from a data or privacy breach. Another study, conducted on behalf of IBM Security, found that cybersecurity and privacy was the second most important factor (after quality) in B2C purchasing decisions. 

For individual interactions, agents who aren’t familiar with security and compliance protocols, and fail to verify a customer’s identity or safeguard their personal information, are bound to receive more complaints, and lower CSAT ratings.

For brands who have invested so much in building up customer loyalty, it’s alarming to know that it could all be easily undone by a few moments of carelessness on the part of an agent or vendor.

What does this mean for CX teams?

CX teams need to ensure that their suite of tools have the right security attestations in place, and that their teams are given the right training and mechanisms to detect and prevent agent behavior that might result in a breach.

For their customers, security attestations (like SOC 2, HIPAA, or ISO27001) show customers a brand’s emphasis on data security, and helps customers choose the right organization to entrust their wealth, health, and personal information with.

And for CX leaders, these attestations are usually a prerequisite mandated by the company’s Chief Information Security Officer (CISO) or CTO. An organization’s security and compliance efforts are only as secure as their weakest link, so CISOs typically require vendors to match the same attestations as the company itself has attained. 

When in the market for tools like helpdesk software, chatbots, or quality assurance software, CX leaders should be able to quickly exclude vendors who do not meet the company’s (or the industry’s) security requirements. 


What Compliance and Security Attestations Should Your CX Tools Have?

There are two main categories of attestations: Information Security (InfoSec) risk management frameworks (like SOC 2 and ISO27001), and industry-specific attestations (like HIPAA and PCI).

When purchasing CX tools, you should require your vendors to have attestations in at least one InfoSec risk management framework (SOC 2 or ISO27001, depending on your location), and, depending on your industry, these tools should also meet the industry-specific attestations that your CISO/InfoSec team has mandated.

Information Security Risk Management Frameworks:

SOC 2

SOC 2 compliance is a part of the American Institute of CPAs’ Service Organization Control reporting platform, and is widely recognized and accepted by CISOs as the standard for organizations that work with 3rd party vendors

Building on the idea that your security protocols are only as strong as your weakest link, SOC 2 attestation covers a wide range of criteria, including risk management, HR operations, engineering, local and physical access controls, incident management, and change management. Such widespread coverage eliminates any weak links in the organization’s security strategy. 

But not all SOC 2 certifications are equal. 

SOC 2 encompasses five different trust services criteria. These are: Security, Confidentiality, Privacy, Availability and Processing Integrity. SOC 2 certification requires teams to be compliant with at least the “Security” criteria—and that’s where most CX tools stop. MaestroQA has gone beyond the requirements of a basic SOC 2 certification to add “Confidentiality” and “Privacy” criteria to our own SOC 2 certification to ensure your customers’ data is protected and kept secure.

CX leaders should also be aware of the two different types of SOC 2 attestation, aptly named SOC 2 Type 1, and SOC 2 Type 2. Type 1 is a point-in-time audit, meaning that the controls are being tested only at a single point in time. Type 2 requires testing over a defined period, usually 6-12 months, and ensures that the organization has met and maintained the standards over the entire test period and the controls are operating effectively over the period.

Naturally, SOC 2 Type 2 is much more secure and difficult to achieve than Type 1, and should be every CX leader’s first requirement when selecting a pool of vendors for consideration.

ISO27001

ISO27001 is comparable to the standards set forth by SOC 2, but enjoys more international recognition. While SOC 2 audits were designed specifically for service organizations, ISO27001 is applicable to any organization of any size or industry. 

There’s one last difference: there are fixed, international standards for ISO27001, while organizations applying for SOC 2 certification are allowed to define their own controls relevant to pre-defined criteria, which a certified auditor must then approve and attest that they’ve met.

Both ISO27001 and SOC 2 Type 2 attestations provide similar levels of comfort (InfoSec speak for security) to CX teams—rope your CISO, InfoSec or Procurement teams into the buying process when selecting CX tools to ensure the vendors are compliant with either attestation.

Industry-specific attestations:

Common examples of industry-specific attestations are HIPAA (protecting patient health information or PHI), and PCI (protecting payment card information).

The good news: if you haven’t heard of any of these, or aren’t already aware of any industry-specific attestations that your CX team requires, your industry probably doesn’t require any. On the other hand, if the alphabet soup above made sense to you, you should be requiring all of your CX tools to have the same level of compliance or attestation. 

The principle here is simple: if the tool is going to be processing, handling, or storing protected customer information, that tool needs to have the appropriate level of compliance as required by your industry. There are 5 simple steps you should follow to evaluate the security attestations of vendors.


5 Steps to Take To Evaluate the Security Attestations of CX Vendors

1. Involve your CISO/InfoSec Team Early in the Buying Process

Checking in with your CISO or InfoSec team about the necessary compliance attestations can help you whittle your vendor options down. That way, you don’t waste time assessing vendors who would not have made the cut anyway. 

These days, ISO27001 or a SOC 2 Type 2 attestation are the minimum requirements for any CX team, while other teams might require a HIPAA or PCI attestation depending on industry. Vendors who don’t meet the requirements or have no plans to complete these attestations in the near future can be easily excluded from your search.


2. Ask Prospective Vendors to Complete a Security Questionnaire

Consider what information your organization will be sharing with your vendor (e.g. customer personal information, QA scorecards, or customer support tickets). Work with your InfoSec team to produce a security questionnaire for prospective vendors to pass.

SecurityScorecard has a vendor risk management template that should help you and your team to get started. Questionnaires like these are extremely common in the SaaS sales cycle, and potential vendors should have no trouble completing (and passing!) a security questionnaire during the sales process.


3. Understand the Differences in the Attestation Levels for SOC 2 Compliance

In North America, most CX vendors have a basic SOC 2 Type 1 attestation—which only requires them to pass the audit at a single point in time. A SOC 2 Type 2 attestation is much harder to attain, and requires vendors to pass long term audits over the span of 6-12 months, and to then maintain their compliance annually. Having a SOC 2 Type 2 attestation is an indicator of a vendor that has invested the time and resources to ensure that their systems protect the privacy and security of their (and your) customers.


4. Look Out for “Exceptions” in Audit Reports

Remember the “Security” criteria that forms the basis of every SOC 2 audit? There are 9 other “common criteria” that fall under the umbrella of “Security”—and not every vendor passes each one. It’s like passing your driving test with just a point to spare—everyone you offer a ride to would probably feel safer if you took (and passed) the test again.

Be sure to ask about exceptions in your security questionnaire, and ask your InfoSec team if missing any of these “common criteria” could be a factor for disqualification.


5. Look Out For The Auditor’s Opinion in SOC 2 Reports

Every SOC report comes with an opinion attached—and the information within can be very telling.

A disclaimer opinion typically means that the auditor could not issue an opinion because they were limited by the service organization (or the vendor, from your perspective) in the information that they provided or the procedures performed.

An adverse opinion is the most severe an auditor can issue, and indicates that the auditors, and thus, the users of the SOC report should not, and can not place any reliance on the service organization’s/vendor’s system.

A qualified opinion is a caveat that the auditor issues to indicate that the controls were either not designed (for SOC 2 Type 1) or operating effectively (for SOC 2 Type 2). A qualified report indicates that the issues identified within the report were significant enough to deem one or more controls ineffective. Your InfoSec team would be able to determine if the ineffective control is enough to disqualify a vendor.

An unqualified opinion is the best case scenario, and indicates that the controls tested were designed (for SOC 2 Type 1) and operating effectively (for SOC 2 Type 2). An unqualified report doesn’t necessarily mean no issues or exceptions (see the previous section on qualified opinions) were identified. Rather, it means that any issues the auditors uncovered were remediated/mitigated by the vendor/service organization, and the overall impact on the report was deemed effective despite these issues.


Have More Questions About CX Security and Compliance? We’re Here to Help

Want to learn more about cybersecurity and compliance on CX teams? 


Request a demo of the industry’s most secure quality assurance platform. Learn more about the controls and criteria we’ve put in place to protect your customers' privacy, and how using best-in-class quality assurance software can help build the right compliance behaviors in your CX team.

Previous Article

How QA is Transforming Sales

Leanna Merrell

Navigating AI Pitfalls and Enhancing CX in Call Centers

Leanna Merrell

Beyond VOC: The Future of Customer Service Conversation Intelligence

Leanna Merrell

How to Optimize Your Chatbot Strategy: QA’s Critical Role in Enhancing Accuracy & Effectiveness

Leanna Merrell

MaestroQA Achieves PCI DSS 4.0 Level 1 Compliance: Leading the Way in Secure QA Solutions

Lauren Alexander

Don't Settle. Dig Beneath The Surface For Customer Insights.

Team MaestroQA

Using Zendesk CSAT Reviews and Slack to Appreciate CX Agents

Customer Support Best Practices From The NYC Support Driven Meetup

Why Failure To Provide Great Customer Service Is A Risk To Company Success

Maintaining Quality Of Customer Support In The Face Of Hyper-Growth

Customer Service Quality Assurance and Soft Skills

The 2 Agent-Controlled Factors to Improve CSAT Scores

Guide to Building Call Center Quality Monitoring Scorecards

How To Improve CSAT Scores for Your Call Center in 3 Steps

Customer Service Quality Assurance for Higher CSAT Explained

How To Build Your First QA Scorecard — A Comprehensive Guide

Innovation in Quality Management with Freshly at The Art of Conversation

A maybe-too-honest perspective on our rebrand

How FabFitFun Uses Customer Service Quality Assurance To Manage A Best-In-Class Support Team

Team MaestroQA

How to Create A Customer Service Quality Assurance Form

See The Future: Be Proactive In Support Of Your Customers

Team MaestroQA

Quality Management and Customer Service Training Programs

Why Paving A Path To Resolution Is A Customer Service Best Practice

Team MaestroQA

CSAT Scores vs. Quality Assurance Metrics – Which Is Better?

5 Ways Quality Assurance Programs Can Improve CSAT Scores

MaestroQA Partnerships: Introducing Zendesk Suite

Is Your Quality Assurance Program Built For 2018?

Fresh Take: How Peer Review Can Identify Improvements

Roger That! Assume Nothing Until You Get Confirmation

Creating a Multi-Channel Quality Form For Contact Centers

The Art of Training with Harry's Razors and FuboTV

Building Customer Loyalty And Trust Through Service

Team MaestroQA

How ActiveCampaign Uses MaestroQA To Scale Their Support Team, And Improve Team Dynamics

Team MaestroQA

Omnichannel Support For Agents And Customers: A Necessity

2 Types Of Agent Skills That Impact Customer Satisfaction

Mastering Customer Interactions in the Age of DSAT

Leanna Merrell

How Shinesty Uses Alternative Positioning as a Best Practice

Dangers Of The 90%+ QA Scores

Using Positive Positioning to Improve Call Center CX

Team MaestroQA

Navigating AI Implementation Strategy in Customer Experience: Risks and Strategies

Leanna Merrell

Elevating Call Center Performance with Six Sigma and MaestroQA

Lauren Alexander

Elevating Business Excellence Through Non-Customer-Facing QA: A Strategic Imperative

Leanna Merrell

Elevating Trust and Safety through QA: How TaskRabbit Sets the Standard

Leanna Merrell

The Essential Guide to Chatbot Quality Assurance: Ensuring Excellence in Every Interaction

Leanna Merrell

Unlocking Superior CX: The Bombas Blueprint for Quality and Coaching

Leanna Merrell

Agent Empowerment: 5 Tactics for Customer Retention from Industry Leaders

Mastering Agent Onboarding: Quality Assurance Lessons from ClassPass

How Angi Unlocked Growth and Continuous Improvement with QA

The Transformation of QA: Driving Business Results - Key Takeaways from MaestroQA’s CX Summit

Lauren Alexander

Unleashing the Power of Customer Conversations: Top 6 Tech Trends Revealed at the CX Summit

Lauren Alexander

Important Factors to Consider when Exploring Sentiment Analysis in Customer Support QA: A CX Community Discussion

Driving Business Impact with Targeted QA: Insights from an Expert

The Art of Outsourcing Customer Support: Lessons from Stitch Fix's BPO Partnership

Larrita Browning

How to Revamp QA Scorecards for Enhanced Quality Assurance

De-Villainizing QA Scorecards with Hims & Hers Customer Service

How to Maximize Call Center & BPO Performance | MaestroQA

Larrita Browning

Writing the Auto QA Playbook & Transforming Customer Support

Larrita Browning

MaestroQA Named One of Comparably’s 2023 Best Workplaces in New York for the Second Consecutive Year

Larrita Browning

Advancing Customer Service Metrics with AI Classifiers

Lauren Alexander

MaestroQA Named on Comparably’s Best Workplaces in New York

Larrita Browning

CX Strategy: The Future of AI in Quality Assurance

Larrita Browning

Elevating Customer Satisfaction with Visibility & Coaching

Larrita Browning

How Customers Collaborate with Their BPO Partners Today

5 Key Strategies to Supercharge Your BPO Partnership

Larrita Browning

Champion-Challenger Model: Improve Customer Service In BPOs

Larrita Browning

Kick Start Your Customer Service BPO Partnership Successfully

Larrita Browning

BPO Call Centers: Best Practices for Quality Assurance

Larrita Browning

Call Calibration: What is It & What are the Benefits?

Larrita Browning

Increase QA Team Alignment with Call Calibration & GraderQA

Dan Rorke

Measuring An Organization's 3 Ps: People, Process and Product

Larrita Browning

Empathy in Customer Service: Everything You Need to Know

Larrita Browning

Average Handle Time (AHT): How to Calculate & Reduce It

How to Onboard Your Customer Service Team to a New QA Program

21 Key Customer Experience Definitions for QA Professionals

Should You Have Dedicated Quality Assurance Specialists?

How Top eCommerce Brands Ensure Exceptional Customer Service in a Remote World

The Top 4 CX Books Recommended by Our QA Community

A Guide to Customer Service Quality Assurance Programs

5 Key Components of a Remarkable Customer Service Experience

The Ultimate Guide to Improving First Call Resolution (FCR)

How to Refresh Your Call Center Quality Monitoring Scorecard

The Key to Customer Service Coaching Is More Data (and Fewer Opinions)

Call Center Quality Assurance with Zola and Peloton

How to Update Your QA Scorecard

3 Ways to Test Your Call Center Quality Assurance Scorecard

The 9 Customer Service KPIs Needed To Improve CX

What is DSAT and 5 Steps to Improve It

Leveraging Customer Sentiment to Improve CX in Call Centers

Larrita Browning

Customer Experience Management and Quality Assurance Jobs

How Deeper CX Analytics Lead to Better CSAT | MaestroQA

Customer Service Management 101: Everything You Need to Know

Beyond Low CSAT Scores: Finding the Root Cause of Poor CX

How to Create an Omnichannel Call Center Quality Assurance Scorecard

Achieving Effortless Customer Experiences (CX) with QA

This Is What an Effective Customer Service Coaching Session Looks Like

Customer Service Coaching 101: Improve Agent Performance

Auto-Fail in Call Center QA: What It Means and When to Use It

MaestroQA's Aircall Integration: Bring Your Calls to Life

Build the Ultimate QA Scorecard Process for Email and Chat

Why Poor Agent Experiences Happen (and How to Fix Yours)