Chances are you’ve read about the flashier aspects of AI implementation—automation of rote tasks, CX tailored to individual customers, saving money—even if you’re not an industry veteran. However, unless you’ve spent time in the AI space or your organization has already implemented AI technology, you may not have a handle on one of the most important elements of a successful organization: compliance. Fear not, because Humach has you covered. This week, we’ve chosen to provide an overview of compliance, how it works, and why it’s essential to any operation. Whether you’re looking to securely process customer payments through a compliant chatbot or keep other sensitive data safe and confidential using live agents, a basic understanding of compliance and how to avoid its most common pitfalls makes for better experiences for you and your customers alike.
A Tale of Two Compliance Schema
For the purposes of this blog, we’ll be focusing on two types of compliance, database transaction compliance and regulatory compliance, as these are the most relevant to AI and business on the whole. While the former concerns itself with the inner workings of your org’s database(s), the latter has to do with how your org conforms to the laws, policies, and regulations of its associated field. Today, we’ll look at two examples of regulatory compliance bodies, PCI-DSS and HIPAA, but more on that later. For now, let’s dive into database transactional compliance.
The Litmus Test of ACID Compliance
Back in our blog on AI and agent productivity, we briefly touched on database compliance and its benefits (e.g. avoiding fines). Where databases are concerned, compliance centers on the validity of sequences of database operations known as transactions. A single transaction, transferring money between bank accounts, for example, may consist of multiple actions, like deducting money from one account and then adding it to another. ACID (Atomicity, Consistency, Isolation, Durability) compliance exists to ensure all transactions remain valid even in the event of power outages, hardware failures, and other errors that can disrupt database operations, by using the following four safeguards:
Atomicity: Each transaction is all-or-nothing: it either succeeds completely or fails completely. Leaving no room for middle ground prevents partial updates to the database and guarantees it remains in a consistent, uncorrupted state.
Consistency: Every transaction must bring the database from one valid state to another. To continue with the example of a bank transfer, if money is withdrawn from one account, it must appear in another. Were it to disappear en route, the database would no longer be in a consistent state.
Isolation: Each transaction occurs independently of all others, even if they are being processed at the same time. This way, different users will not affect one another’s transactions.
Durability: The results of all committed transactions are stored in the system and can be recovered after loss of power or other system failures.
When a transaction meets all four of the above criteria, it is considered ACID compliant. The reliability of the ACID method makes it ideal for organizations that handle a significant amount of monetary transactions or sensitive data.
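The bank-transfer example above, worked through in code. This is an added illustration, not code from the Humach post: it uses Python’s built-in sqlite3 module with an in-memory ledger (so durability is not exercised), constructed opening balances, and a hypothetical `fail_midway` flag that simulates a crash between the withdrawal and the deposit. It shows atomicity (a failed transfer rolls back both steps) and consistency (a CHECK constraint rejects an overdraft, and the sum of all balances never changes).

```python
import sqlite3

# Constructed sample data (not from the post): two accounts with opening balances.
OPENING_BALANCES = {"alice": 100, "bob": 50}


def open_bank() -> sqlite3.Connection:
    """Create an in-memory ledger and seed it with the constructed balances."""
    conn = sqlite3.connect(":memory:")
    # The CHECK constraint is the consistency rule: no account may go negative.
    conn.execute(
        "CREATE TABLE accounts (name TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", OPENING_BALANCES.items())
    conn.commit()
    return conn


def transfer(conn, src, dst, amount, fail_midway=False):
    """Move `amount` from src to dst as one atomic transaction.

    The withdrawal and the deposit are two separate UPDATE statements, but they
    either both commit or both roll back. `fail_midway` (hypothetical flag for
    this demo) raises between the two steps to simulate a power loss.
    Returns True if the transfer committed, False if it was rolled back.
    """
    try:
        with conn:  # commits on success, rolls back if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
            if fail_midway:
                raise RuntimeError("simulated power loss between withdrawal and deposit")
            cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            if cur.rowcount != 1:
                raise ValueError(f"unknown destination account {dst!r}")
        return True
    except (sqlite3.IntegrityError, RuntimeError, ValueError):
        return False  # nothing from this transaction reached the ledger


def balance(conn, name):
    return conn.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]


def total(conn):
    """Consistency check: no transfer, successful or not, creates or destroys money."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
```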
What is Regulatory Compliance?
Think of your business as a road trip and the different levels of compliance as tools that help you get where you need to go. To set out on the open road, you’ll first need a vehicle (i.e. a front through which you can perform transactions). In this analogy, ACID compliance is what’s going on under the hood of your car: if all parts of your vehicle are functioning properly, you can begin driving. However, to get to your destination, you’ll need to use existing roads and follow a set of traffic laws to ensure both your safety and the safety of others. Like the rules of the road, regulatory compliance encompasses an established set of parameters that ensure industry standards are met and followed by all. Organizations that do so protect sensitive customer data in addition to creating an air of transparency around their operations. For the purposes of this blog, we’ll go over two bodies of regulatory compliance, PCI-DSS and HIPAA, though many more exist.
PCI DSS: 16 Years of Payment Security
Created by representatives from five multinational credit card companies (Visa, MasterCard, Discover, American Express, and JCB) in 2004, PCI-DSS, or Payment Card Industry Data Security Standard, requires safe handling of sensitive, credit-card-related customer data during all stages of a transaction. There are four levels of PCI-DSS compliance, with each organization assigned to a level according to the volume of transactions it handles per year. If you’re unsure which level your organization would fall into, or if you have concerns about PCI-DSS, use the following questionnaire to assess your org’s current level of compliance.
Given the sensitivity of card information and the ever-present threat of online credit fraud, it’s imperative that organizations using AI to collect customer data do so responsibly and in such a way that payments are conducted as securely as possible. In general, the fewer AI systems a customer’s data touches, the better: not because AI is inherently insecure, but because every system is theoretically open to attack. By limiting the number of systems a customer’s data passes through, you create fewer avenues for intrusion and theft. Depending on how it’s structured, your organization may choose to address this by diligently clearing card data from processing systems and payment terminals. Or you may choose to forgo direct chatbot payments altogether, opting instead to have digital agents provide hyperlinks to secure payment channels.
HIPAA & Data-Driven Business
Few sets of data are more sensitive than a patient’s medical history, which makes HIPAA (Health Insurance Portability and Accountability Act) compliance a necessity for organizations connected to the healthcare industry. Medical records present a unique challenge for digital agents, because the vast amounts of data needed to train a machine learning system are typically protected by HIPAA. Furthermore, until training has occurred, a digital agent will not understand what information is confidential and what isn’t, so it’s possible to incur HIPAA violations if the technology is not deployed carefully.
In order to render a body of data HIPAA compliant, a process of de-identification (removing personal identifying characteristics like names and addresses) must be performed, either by the entity selling the data or by the party interested in procuring it. These processes can be both time-consuming and expensive, but considering HIPAA violation fines can reach up to $1.5 million per year, they’re certainly worth doing.
What’s At Stake When You Don’t Comply
While I’ve previously touched on certain penalties for failing to ensure AI compliance, I only scratched the surface of what might happen should your organization release a non-compliant system. Listed below are some of the most significant consequences.
Both HIPAA and PCI-DSS violations can and do lead to fines. A PCI-DSS infraction will run you between $5,000 and $10,000, and that’s just for a single month. Even when your organization is fully compliant, you are still liable for any data breaches and may be forced to pay affected clients $50–$90 apiece, which adds up quickly depending on the severity of the breach. While the $1.5 million I mentioned earlier represents the uppermost extreme of HIPAA-related fines, the other end of the spectrum isn’t much better, at a rate of $100–$50k for a single error.
Lawsuits & Audits
In addition to fines, your organization may find itself facing legal action, depending on the level of negligence and the degree to which injured parties have been affected by data breaches, especially if the breaches occur multiple times. If enough fees have been incurred over enough time, the FTC may choose to audit your agency.
While less quantifiable, the damage that data breaches and other failures inflict on customer relationships is no less significant. Regardless of industry, odds are your organization will not be the only game in town, and customers have no reason to engage with a brand that neglects to take the necessary precautions to protect their sensitive information. The tarnish that non-compliance often brings can do irreparable harm to your brand’s reputation.
The Problem Is Sometimes The Solution: Using AI to Bolster Compliance
Hopefully by now, I’ve convinced you that compliance is absolutely necessary for your digital agents (and your organization as a whole). And given that I work for a company that specializes in AI, I’d be remiss not to offer some kind of AI-based solution to the litany of problems I just described. The beauty of AI lies in its ability to be retooled and refined into a solution to problems it otherwise might create or exacerbate. Both PCI-DSS and HIPAA concerns can be addressed by deploying and training AI in smarter ways. Even the smallest organizations handle large numbers of transactions, and the process of verifying the validity of each one makes for tedious work. Thankfully, automating rote tasks is AI’s bread and butter. For organizations seeking PCI-DSS compliance, error detection can be improved by training AI to analyze elements flagged as possible problems, thereby greatly reducing the number of false positives in your system.
Using digital agents for compliance can also help healthcare and healthcare-adjacent organizations move toward more secure operating models. As outlined in part 3 of a recent series of articles in The National Law Review, a coalition of developers, engineers, medical professionals, and lawyers should work together to determine how to use medical data safely and responsibly in ways that protect patients’ lives and well-being while navigating the channels of public and corporate policy. Here, it’s not so much that the AI is doing the legwork as that a group of experts is directing its actions.
While PCI-DSS and HIPAA represent two of the most ubiquitous compliance bodies, there are dozens more, each with its own unique challenges to address. We hope that this blog serves as a jumping-off point, and to help ease the burden we’ve created a Beginner’s Guide to Compliance.
At Humach, our agents and technology solutions operate with full PCI DSS and HIPAA compliance, so we know a thing or two about how complicated and costly it can be for contact centers to stay on top of updates and best practices. This guide is designed to help contact centers get started on the path to compliance. Whether you’re considering an agent or technology outsourcing partnership, or just trying to keep your own contact center compliant, this guide provides an at-a-glance overview so your organization can make informed compliance-related decisions.