In CS, we want to do everything we can to protect our customers’ personal information. We want to ensure that credit card data isn't shared over the phone or through ticket/chat. If it is shared, we want to take the proper measures to remove that information from our database.
Important - We should only be submitting redaction requests to remove CC data from ZD (excluding when only the last 4-digits are shared in ZD). No other redaction requests are needed.
Personal Identifiable Information (PII)
Personal identifiable information, or PII, is any data that could potentially be used to identify a particular person. Some examples of PII include, but are not limited to: credit card data, government issued ID, bank account numbers, street address, and telephone number.
*The redaction requirements in this policy do not apply where a customer has provided only the last 4 digits of a credit card number. That information, taken alone, is not considered to be sensitive credit card holder data and is subject to other data protection measures implemented by Upwork. That said, please do blur the last 4 digits of the CC in screenshots if they are not needed for the specific case being worked on. While the last 4 is not sensitive data, we do want to be mindful of what we're sharing and when.
Payment Card Industry (PCI) Compliance
Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected. For example, we can only see partial credit card details in OBO for a customer vs. their entire number.
This process will remove the CC details from ZD entirely. It should only be used for CC details other than cases where only the last 4 digits are shared.
Important - Redactions need to be completed before merging takes place. If you have a merge that needs to take place, leave a very specific internal note on the ticket stating what ticket your ticket needs to be merged to and whoever completes the redaction will also merge your ticket for you.
If a customer gives CC details -
Agent should respond to the customer as usual and after assisting them, follow the below steps. No need to escalate to a TL.
1. Set ticket to “Internal Note” and select the macro called “Request Type is Redaction”
2. A Side Conversation popup window will show, click “Send”
3. A new item will populate showing the request. VERY IMPORTANT: Click on that new internal note here:
4. When clicking it, a Child Ticket pops up. This is what goes to Leadership to process the request, but it needs to be completed. Click the Child Ticket # like here:
5. By clicking the Child Ticket number, it will open up the Child Ticket:
6. Within the Child Ticket, to the left of the ticket under the “Redaction” section: if it’s a CC file that needs to be removed, add in the file name (just type the name of the file); if it’s just a CC number, add in the last 4 digits
7. Save the Child Ticket as “New”
8. Once Leadership completes the task, you’ll receive an email saying it has been completed.
Subject line:
Email:
9. Continue processing interaction as needed, saving the ticket as “solved” (or, the status appropriate for that specific case). Important - if the ticket needs to be merged, leave a very specific internal note on the ticket stating what ticket your ticket needs to be merged to and whoever completes the redaction will also merge your ticket for you.
Important - we only redact CC info. If other requests come through unrelated to a CC number or CC image, please deny the request.
Steps on how to redact -
1. Go into the #cslt-escalations Slack channel
2. In the Slack channel, any redaction requests that do NOT have a “done” emoji need to be completed
3. Locate an incomplete redaction request notification and expand it by clicking on it:
4. Click on the ticket link provided to open the child ticket associated with the request:
5. Once the child ticket opens, click on the "Take it" button to grab the ticket
6. Click on the ticket link in the upper portion of the child ticket to open the parent ticket:
7. In the message section of the parent ticket where the CC number or file / image is actually posted, click on the three dots icon and select the "Redact" option.
8. Use the cursor to select the image or highlight the text that needs to be redacted, and then choose "Mark for Redaction"
9. Once you have selected all the necessary areas for redaction, click on the "Redact" button located in the lower right-hand section of the screen:
10. X out of the parent ticket window and return to the child ticket. Important - look out for an internal “merge” note in the parent ticket. If one exists, keep the parent ticket open to complete the merge on behalf of the agent after the following child ticket process is completed.
11. Within the child ticket, select the appropriate option from the left-side panel to indicate whether the redaction has been completed or not:
12. Add an internal note to document actions taken, then mark the child ticket as solved
13. Moving back to the Slack channel, add a “Done” emoji to indicate that the request has been completed
Being mindful of handling PII:
- If we need to collect PII from customers in order to assist them e.g. asking them to verify name / address, we should be mindful to only request the info that’s needed and should avoid unnecessary PII collection
- If customers send copies of govt IDs or other documents containing PII, it’s good to let them know that should we ever need this information, we’ll provide them a secure link to avoid sending it via ticket / email / chat
- We should never request that customers send us government issued ID documents or information through tickets or chat. If this info is ever needed for any sort of IDV or verification purposes, we should first ensure they have a secure link to upload them to.
- When we send screenshots to assist a customer, it's extremely important that we blur out any personal information, e.g. address, phone number, name, user pictures, etc. Here's an example of what that may look like. You can use the raindrop tool in a Dash screenshot to do this.
- This may also include the last 4-digits of a credit card number. While the last 4-digits are not sensitive data, we do want to be mindful of what we're sharing and when. If it’s not relevant to the case being worked on, please refrain from sharing the details within ZD or in screenshots.