In the Trenches: Handling Sensitive Customer Data

I just got back from a week on the road, and as usual, it was exhausting. Being in a bunch of different places is one thing, but then having to run a business on top of it really drains me. I need to get others to be able to take my place, but there’s one thing standing in the way: the money.

No, not spending money. Taking it from our customers.

There are really two tasks that can’t currently be done by other people in the company, and they’re related. One is booking travel, but that’s just because nobody else knows how to use the system yet. I can train someone or find someone with a good background in the system I use and the problem is solved… except for one small piece. That’s where the money comes in.

Today, I’m the only one who handles sensitive information. We don’t deal in social security numbers or anything like that, so it’s really mainly focused on credit cards. There are a handful of times when clients need to use their cards.

  1. If a client signs up over the phone (if they do it online, then we don’t need the number)
  2. If we need to book travel for a client

If one of our concierges is working with someone who needs to book a flight, then I talk to them directly to get the credit card info. The reason? Security and privacy. I take customer data security very seriously, and when I let others start handling that data, it suddenly becomes a much bigger issue. I’m not even sure I fully know what needs to be considered, from a legal standpoint, when dealing with this.

Clearly I’d need to make sure that there is something in the customer contract that talks about responsibility of the concierge or employee. I’m sure I’d need to create an internal policy for data handling as well. I’d also need to make sure I had insurance to cover any issues that might arise. Background checks? Maybe. I can probably think of a million hoops to jump through before letting someone even touch a credit card number.

But that’s largely guesswork. What do I really need to do to protect myself and my customers? Anyone have good resources on this?

About Brett Snyder

Brett is the Founder and President of Cranky Concierge air travel assistance. He also writes the consumer air travel blog, The Cranky Flier.
Brett Snyder

Thanks, Haj. That's certainly an option to some extent, but it would require a significant amount of tech work to interface with the systems we use for travel booking. That's probably not in my budget at this point, but it's certainly on the wish list!

Hajime Sano

If the client is in front of a computer, you could set up a system where the concierge sets up the transaction, and the customer enters the credit card data on the Cranky Concierge web site by one of these methods: 1) logging in to their existing CC account and selecting the just created itinerary, 2) entering some descriptive information, such as a transaction number, or 3) clicking on an e-mailed link (least desirable).

When the data is accepted, the concierge can continue with whatever he/she needs to do to complete the transaction.

If the customer is not in front of a computer, it gets a little trickier. Perhaps if it was an existing customer, they already have their credit card information stored on the CC web site, and concierge just needs to access their account, and ask which credit card (last four digits or user-created credit card nickname as an identifier) should be used.

Just my $.02. Haj


The only thing you really need is a good insurance policy to cover yourself in case one of your employees does something stupid and posts a customer's credit card number on Facebook or something like that. Writing a data handling policy and doing background checks is up to you, probably a good idea but not required as far as I know.

PS IANAL, this is not legal advice.

Ed Kelty

On the last page of "Origin of the Species," Darwin thanked everyone who helped him in his journeys and added basically this advice: Don't trust anyone, and be very grateful to those who helped along the way.

In any business or investment, there are bound to be screw-ups. Most people are honest, though some are always looking for short-cuts. Most transactions work, though sometimes there are computer or human misunderstandings. It's part of the challenge of doing business. Just don't take it personally.

