Mobile UX * Product Design Lead * UX Research
Enhance PCI DSS compliance processes to address challenges stemming from infrequent engagement, perceived burden, forgetfulness, and operational inefficiencies. Specifically, optimise the compliance journey for merchants handling card payments by leveraging technology to streamline vulnerability scans and reduce operational costs associated with compliance verification.
PCI DSS compliance poses unique challenges due to its quarterly and annual engagement requirements, contrasting with systems that encourage continuous user interaction. Often seen as a burdensome task, especially when delegated by financial organisations to merchants, users typically engage with compliance processes only 4-5 times a year, leading to forgetfulness regarding procedures. For most merchants handling card payments, compliance involves quarterly vulnerability scans of external IP addresses. In Viking Cloud's Proactive Data Security Programme, support agents may need to make up to 9 phone calls to ensure compliance, even if no PCI-related vulnerabilities are found, resulting in significant operational expenses.
Infrequent engagement
PCI DSS compliance requires merchants to engage with the process quarterly or annually, leading to low user interaction compared to systems with continuous engagement models.
Perception of burden
Many merchants perceive PCI DSS compliance as a burdensome task imposed by financial institutions, resulting in low motivation and compliance fatigue. Having to log into a web portal to perform infrequent but recurring actions is a step that is often dropped.
Forgetfulness and complexity
Due to the sporadic nature of engagement, users often forget procedures and requirements, increasing the risk of non-compliance.
Operational inefficiencies
In the context of Viking Cloud's Proactive Data Security Programme, support agents face challenges in ensuring compliance, including the need for multiple phone calls (up to 9) to obtain verbal attestation, regardless of whether any vulnerabilities are present. This manual process results in high operational costs and inefficiencies.
Task analysis
We began our research by taking a close look at the tasks the user had to complete for Vulnerability Scanning and Attestation as they happened on the portal at the time. We identified key milestones and looked for opportunities to extract key interactions from the web portal into mobile.
Customer journey mapping
As with the overall compliance journey, Vulnerability Scanning requirements can look very different for each user depending on the complexity of their environment and the security standards already implemented. We analysed each possible user journey and identified those that are more frequent, easier to complete and would work well with a mobile form factor.
Key touchpoint identification and analysis
We identified three critical milestones in the merchant journey that had the highest impact on call centre operation time and were simple actions achievable on a mobile device in under a minute:
1) Scan setup and scope completion: completed on the web portal.
2) Scan result monitoring and special notes completion.
3) Scan result attestation and expiry date tracking for compliance.
Collaborating with the mobile engineering team and product owners for both the mobile and web portal, we devised workflows validated through user testing with our beta audience. We identified key points in the web portal journey, and strategically introduced the mobile app to demonstrate immediate value to users. For passing scans requiring only confirmation, we developed a simple one-click workflow on mobile, reducing support desk call times significantly.
For scans needing additional actions, such as filling out notes and identifying related hosts, we adapted the minimal web portal UI to mobile, enabling direct completion on the phone before attestation. For compliant users from the previous year with consistent scan results, we introduced a streamlined flow allowing confirmation of environment changes. If no changes occurred, users could one-click re-validate using last year's information.
Although waiting 12 months to analyse the impact was an exhausting, teeth-clenching exercise, the results were astonishing. Mobile uptake saw a notable increase of nearly 20%, with significant benefits observed for mobile users. The quarterly scan journey was accelerated by up to 90% for mobile users, showcasing a substantial improvement in efficiency.
Moreover, the compliance conversion rate witnessed an impressive year-on-year increase of approximately 40%. Within the program, the number of annual phone calls decreased dramatically from an average of over 20 to just 7, indicating enhanced operational efficiency. Additionally, annual re-validation rates experienced a notable uptick of 12% compared to the previous year, reflecting improved adherence to compliance requirements.
Get in touch on LinkedIn
Drop me an email to anton@lebed.works