How Covid-19 Changed Payment Security: Part 2 of our interview with Dan Arntz, President of US Operations, at Eckoh
If you missed Part 1 of our interview with Dan Arntz, you can find it here.
In part 2, we’ll cover the evolving security around call centers, Covid-19, and what advice he would give to health systems as they look to evaluate and set their security protocols for the year.
Removing risk from the call center environment
Caleb B: I think that leads us really nicely into talking a little bit more about the agents, themselves, in the call centers. As you know, the healthcare industry is one that is heavily reliant on call center models, particularly the clients that Flywire works with, some of the larger health systems in the United States. Obviously, security within call centers is a huge concern. And so, I just wanted to highlight some of the advice and benefits that Eckoh brings to that type of environment. How does it change the role of those call centers in the healthcare process?
Dan Arntz: Yes. Good question. As you take a look at how it impacts that patient experience, as we both have mentioned, they’re calling for health reasons. They have bigger things on their mind, and so, it really does put that patient at ease, knowing that their information is being handled securely.
Secondly, whether you’re doing collection calls, or these are inbound calls where the patient is looking to make a payment, in keeping that person, it’s important to recognize that people have a channel of choice.
So, if I have called you on the telephone, that’s the way I prefer to do my business. If I’m chatting with you over a chat channel, don’t make me leave that channel to go someplace else to finish the transaction. We’ve seen a lot of feedback from people who work in the call centers that say, “This is great, because I’m not frustrating X” – in this case you call it a patient, but a patient’s a customer, and patients today have choices as to which healthcare option that they want to take.
If I feel like they’re not handling my business in the way I want it to be handled, I can go elsewhere. So, when we talk about meeting somebody where they want to be met and being able to finish that transaction in that channel, it really does pay big dividends for the people who are running these contact centers.
Finally, from an agent perspective, I am removing some of the things that make my job difficult by giving a secure interface for how I’m going to take those payments. They can focus more on that customer-patient care aspect of that phone call and be able to take the information in a much cleaner, and more predictable manner that is good for both the patient/customer, and the call center.
Caleb B: I think that would bring tremendous value to health systems that are looking for ways to make that experience for the agent better, but also, would like to reduce their amount of liability and maintain their PCI compliance.
Dan Arntz: You touched on a very good point there with PCI compliance. One of the things I always try to make sure our customers understand is that, approximately every 18 months, the PCI DSS Council comes up with new laws, new suggestions and recommendations, and they get more and more difficult to follow each and every year.
So, the way we’ve architected our solution is to “future-proof” it by saying, “We’re not going to let any data ever get in there.” Agents aren’t going to hear or see it. It’s not going to be on the call recording. It’s not traversing the network. That way, it doesn’t really matter what PCI DSS comes out with in a few years. If I'm a large healthcare provider and that important financial information never gets into my environment, I don’t have to worry about it.
Those are the things that if I’m in that business, and I just want to do it once, and do it right, that’s the kind of solution I’m going to be looking at, because the rules will only get more and more difficult every year. And if I’ve taken that worry away, then I’m in a really good position for the future.
Caleb B: Absolutely, I think, to your point, PCI compliance isn’t something that you just get good at once and then you’re done. For a lot of health systems, that’s part of the overwhelming challenge, that these rules are constantly updating.
Dan Arntz: Right.
Caleb B: And so, it’s a goal that they have to continue to track, and to set security policies against, and anytime a vendor can come in, and reduce that scope for them, I think it creates tremendous value for all up and down the line.
Dan Arntz: No, absolutely, Caleb. Being compliant does not mean you’re secure. Under today’s PCI rules, you can still do things, and have different methods of meeting the criteria, but if you have data of any kind actually traversing your environment, you haven’t removed the risk. You’ve just met, like you said, an ongoing, changing target. What we’re trying to do is take the target out of there, and no matter what you do, you’re going to be fine.
How Covid-19 impacted call center security
Caleb B: I want to shift gears a little bit and talk to you about the pandemic. We’ve seen, obviously, a lot of changes in industry brought about by the pandemic, a lot of changes in strategy, and certainly changes in consumer behavior, as well.
I wanted to talk about how Eckoh has helped enable your clients to shift their strategy around payment security as the pandemic has unfolded?
Dan Arntz: Great question, the first thing that hit was, obviously, we had a crisis in this country, and around the world, and it was incredibly difficult for everyone. People had to quickly adjust, and figure out: “How is this going to impact my business? How do I operate, and give my customers the same level of care, and concern that we always had?”
At the same time, they had to consider their employee base. Our customers have very large call centers with thousands of people in them. Well, guess what? They can’t meet anymore. So, now, the first thing our clients had to consider was, “I’ve got to get these people to work from home, so I have to change my infrastructure to allow that.”
In regards to PCI, before, if they were in a call center, they could use things like a clean desk policy; they could also have closed-circuit cameras to monitor people’s behavior to make sure that they didn’t have a bad agent walking away with data. Well, now that’s all changed. Now, they’ve got people working from home, so things that used to work before, don’t work now. When you have people working remotely, the risk increases dramatically. We were getting a lot of calls from people saying, “How do I do this?”
So, we had to take a step back, and figure out, “Well, how do we make sure our customers understand this changing environment?” If I was a company who was taking PCI, and doing what I’ll call “manual interventions,” to keep myself compliant, now I have people working at home. Those manual interventions basically went away.
Luckily, our solution has always been of the type that it didn’t matter if you had a hosted contact center, or you had somebody working from home, it wasn’t reliant upon all those people being in a single place. We’re descoping people no matter where they sit. And so, people who came to us were relieved, because they were concerned that they would have to change something dramatically.
Key takeaways for 2021
Caleb B: Continuing on with some of the things we’ve talked about, the pandemic has obviously created drastic shifts in business. It would be amazing to be able to say here in 2021, “We no longer have to think about that,” but obviously that’s not the case. We still find ourselves in the middle of this thing, and so, as health systems, or clients, in general, think about 2021, what advice or key takeaways would you give them, as they set their security protocols for the year?
Dan Arntz: I would say, one, don’t look at it piecemeal; look at it holistically. Understand what it is that you’re trying to achieve and who needs to be involved. More than ever healthcare providers and others are just having to take a more holistic view at their business, and try and do it in the most effective, and efficient manner.
Our conversations with clients starting projects usually, quickly get to, “I understand you’ve got this project, and I understand why you have it, but here’s five other groups that are going to probably want to get involved.” It touches everybody. It touches people from the security standpoint to the IT folks, to the people who are in the contact center and on down the line.
And they all have different needs, and wants, and requirements around how they’re going to keep that information secure without degrading the experience between that patient and that call center agent.
Secondly, take a look longer-term. Examine the areas you’ve had to adapt, in the last nine months, because of the pandemic. How does this change your business? Are there other things that you might want to look at to better prepare for if something like this happens again?
Reconsider how you might want to run that element of your business, and make sure that the vendors and suppliers you use to make that happen are able to move you from one environment to the next in a clean and efficient manner.
Finally, if I look at health systems, as well, don’t just limit it to payment information, but look at how your agents are helping their patients, and how do they identify them in the first place? How do I know that it is truly Dan Arntz calling me? Are there things like multi-factor authentication I can put in there?
So, what are those other things that are driving the business in terms of security, and how am I helping my patients during that contact center experience? I think those would be some of the things I would recommend.
Measuring partner relationships
Caleb Burrill: I like that you touched on the client-vendor relationship, because it’s incredibly important right now. We’ve done a few webinars recently where clients have talked about how they’re navigating the pandemic, the different things that they’re evaluating, and how they are prioritizing different projects they have for the year.
A really strong thread throughout has been the amount that they have to rely on vendors now versus before, because they’re getting inundated with so much. They’ve really had to start taking a look at their vendor relationships, and thinking about “who can help us through this?”
Those types of vendor relationships and projects that help them reduce complexity are definitely getting prioritized over others. I wanted to see if you could talk a little bit about what makes a strong client-vendor relationship?
Dan Arntz: I’d say there’s two things: One, is my goal with all of my clients is to some degree to say, “Who?” And I say, “Eckoh.” And I want them to say, “Who?” because we’ve done what we were hired to do. They didn’t have a breach; they didn’t have a concern; our systems were up and running perfectly. So, that’s one-half of that equation. I want us to be a seamless part of their system that they can count on every single day. I think every provider of a service wants that same thing.
Secondly, it’s incumbent upon us, as a good partner, to bring new things to our customers. By that, I don’t mean new things that we’re selling to them, but, rather, key insights into what we've seen in the marketplace from others that could impact their business. I think that’s really important for a partner to give to their customers. As partners, it’s important for us to take the time to really understand our customer’s business like it’s our business. It makes their job easier.
Caleb Burrill: I really like that. This has been great, Dan. Thank you for joining me.
Dan Arntz: Thank you, Caleb.