Adding a Secure Message Center to Self-Service Portals and Apps

By maxon1212

Self-service started long ago with things like the self-service gas pump (1947) and the automated teller machine (1967), primarily for economic reasons. Self-service often reduces the cost of doing business, and digital self-service is available 24×7. But ever since the introduction of online banking and online brokerage services, the idea of “self-service” has become increasingly important – particularly in financial services. Account holders want online access to view a balance, initiate payment transactions, buy investments or check credit account charges – from portals and smartphone apps. A perfect self-service arrangement – convenient and efficient for both the consumer and the business. But every self-service process can reach its limit, and then customers want an equally effective communication channel to get help. That’s where a secure message center becomes a key link between efficient self-service and efficient customer service.

What is a secure message center?

A secure message center adds web-mail, web-form or web-chat services natively to financial services customer portals or apps so that clients can easily ask questions about their account and even share supporting files or images (receipts for a credit charge dispute, a tax return as part of a loan application process). Client messages and files are routed to the responsible employees – account teams, support personnel or contact center agents – for a response. Case numbers may be assigned for tracking in ticketing systems, and response notifications are sent via email or SMS text channels to tell customers that a reply is waiting. For security and regulatory compliance reasons, the message content (and any uploaded file or image attachments) must be encrypted, and detailed logging and tracking reports must provide the history and proof needed for compliance audits.
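The audit-trail requirement above is easiest to satisfy when each logged event is linked to the previous one, so an auditor can prove that nothing was edited or removed. The following is an added example (not DataMotion's code) of such a hash-chained log for message-center events; the case ids, actors and attachment bytes are constructed, and attachments are recorded only as a SHA-256 fingerprint, never in the clear.

```python
"""Tamper-evident audit trail for message-center events.
Added example, not DataMotion's code. Each record stores the SHA-256 of the
previous record, so editing or deleting any entry breaks chain verification.
All event data below is constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first record


def _digest(record: dict) -> str:
    """Canonical JSON (sorted keys) so an identical record always hashes the same."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an event linked to the previous record's hash; return the stored record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = dict(event, prev_hash=prev, seq=len(log))
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record


def verify_chain(log: list) -> bool:
    """Recompute every hash and link; False if any record was altered, removed or reordered."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or body["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def attachment_fingerprint(data: bytes) -> str:
    """Log attachments by hash only; the ciphertext lives in the message store."""
    return hashlib.sha256(data).hexdigest()


def sample_log() -> list:
    """Constructed sequence: customer opens a dispute with a receipt, it is routed, agent replies."""
    log = []
    receipt = b"%PDF-1.4 constructed receipt bytes"  # constructed attachment content
    append_event(log, {"actor": "customer:c-1001", "action": "message.created", "case": "CASE-42",
                       "attachment_sha256": attachment_fingerprint(receipt)})
    append_event(log, {"actor": "system", "action": "message.routed", "case": "CASE-42", "queue": "disputes"})
    append_event(log, {"actor": "agent:a-07", "action": "message.replied", "case": "CASE-42", "notify": "sms"})
    return log
```

In production the chain head (the last hash) would be periodically signed or written to a separate system so that a rewrite of the whole log is also detectable.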

How is a secure message center enabled?

Enabling an efficient secure message center requires an end-to-end assessment of the workflows. What types of inquiries are expected? Can they be categorized for efficient routing? What is the log-on process to use it? How should the secure message center look? What message features does it need? What types of file attachments do customers need to upload and share? Which employees need to respond to messages? What applications and user interfaces will the employees use to receive messages? There’s a litany of questions that will drive the design and requirements for the secure message center – all centered around making the communications workflow as seamless and efficient as possible.

Figure: Secure Message Center architecture

How should customers access a secure message center?

Secure message centers have evolved from traditional email encryption services, which provide similar security and tracking features, but generally force users to create a separate login on a separate web-portal to send or receive secure messages. By contrast, an integrated secure message center shares a financial services portal login (via SSO techniques) at a minimum, and at best – blends seamlessly into the service portal’s user interface. Taken a step further – corresponding mobile apps can be offered as an alternative to web portal access and the secure message center features and functions are replicated in the mobile app as well. Under the hood – this requires a secure messaging service that supports SSO services and exposes web service APIs for the secure messaging service functions, management and provisioning. This simplifies the addition of secure message center features in financial services portals and mobile apps.

How do employees access the secure message center?

For account management and lower-volume or ‘un-categorized’ inquiries, an email client such as Outlook may be most suitable. For high-volume contact center workflows, employees will often use a CRM like Salesforce Service Cloud to manage the customer database and to automate and track customer interactions for support and retention – even for marketing and sales touchpoints. So, the secure message center must integrate with the backend applications and UIs that your employees use, while maintaining end-to-end message security and verifiable compliance with security policy and privacy regulations – always ‘must have’ table stakes of a secure message center design for financial services firms.

The benefits to digitally integrating and transforming your self-service customer portal

By updating your self-service customer portal and mobile apps with a secure message center, you can transform the way you and your customers/clients work together. Your customer feels enabled to easily do business with you. Your response and outreach are more complete and efficient. And, your business can often reduce costs. A win-win for everyone. This solution is a notch on the belt of “digital transformation” and how to improve the interaction between clients and your customer teams that respond to their needs.

Want to learn more about how to secure workflows in self-service customer portals? Visit us at the DataMotion Developer’s Center or the financial services solutions page, or Contact Us for a consultation.

Major Email Compliance Regulations That You Need to Know

By maxon1212

Keeping up with industry and government email compliance regulations impacting the exchange of sensitive information can be exhausting. So, we’ve put together a list of four big ones you need to know about.

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Information Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)

Payment Card Industry Data Security Standard (PCI DSS)

Security for credit card information stored, processed or transmitted by merchants and associated vendors is regulated by PCI DSS. According to Requirement 4, all cardholder data passing over an open, public network such as the internet must be protected (encrypted).

PCI DSS helps organizations focus on security, not compliance, by making payment security business-as-usual. By raising security standards and making compliance the status quo, monitoring the effectiveness of security controls and maintaining a PCI DSS-compliant environment are easy.

All credit card processors have adopted the Payment Card Industry Data Security Standard (PCI DSS). The goal of this regulation is to prevent identity theft and protect cardholder data, and it applies to any company that processes credit card data. The most recent version of PCI DSS (3.2) was released in April 2016, with a minor update (3.2.1) issued in July 2018 to update migration dates.

PCI DSS 3.2 mainly consists of changes meant to streamline and clarify the regulation, but there are a few updates that fall under the “evolving requirement” category that affect how you handle credit card data as of February 1, 2018.

One of the changes is that there is now a “new requirement for service providers to maintain a documented description of the cryptographic architecture.” Although more documentation is required to stay compliant with the new PCI DSS update, the goal is to protect sensitive client information and ensure safer communications between business processes. This update will also help companies detect bottlenecks in their cryptography functionality, giving them the opportunity to make the appropriate changes.

A more detailed description of the updates can be found here.

Health Information Portability and Accountability Act / HITECH (HIPAA/HITECH)

Congress passed HIPAA in 1996, and it is probably the best-known compliance regulation impacting email. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information, or PHI (Protected Health Information).

The key HIPAA impacts on email are:

HITECH was passed as part of the 2009 American Recovery and Reinvestment Act and is intended to push the healthcare industry toward faster adoption and use of health information technology. Subtitle D of HITECH addresses “the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.”

In 2013, HIPAA/HITECH was expanded by the Department of Health and Human Services with the Omnibus Rule, which became effective on September 23, 2013. The reach of HIPAA data privacy and security requirements expanded to include “business associates” of covered entities, making them also subject to HIPAA, and gave HIPAA more power in enforcement. The rule significantly expanded the number and type of organizations covered by re-defining who is a business associate of covered entities. Because civil and criminal penalties may now apply to business associates, these businesses also need to take steps to secure Protected Health Information (PHI).

Business associate agreements

Another important term related to HIPAA is the Business Associate Agreement (BAA), a contract that must be established between a HIPAA-covered entity (CE) and a HIPAA business associate (BA). This contract protects PHI in accordance with HIPAA guidelines. Subcontractors who have access to or who store PHI now also need to sign business associate agreements and be able to demonstrate compliance. HIPAA now effectively applies not just to medical providers, but to the entire ecosystem of vendors supporting them. A typical example of a CE is a healthcare organization that handles PHI for its patients, and a typical example of a BA is a service provider that securely handles, transmits or processes PHI for a CE. Under the HITECH Act, BAs are responsible for securely handling PHI and can be held accountable for data breaches and penalized for noncompliance.

Gramm-Leach-Bliley Act (GLBA)

GLBA is the third major email compliance regulation on our list. GLBA was passed in 1999 with the primary goal of protecting the private financial data of consumers. The formal term for this is “Nonpublic Personal Information” (NPI). Although this act applies mostly to financial institutions, today many more organizations in a variety of industries maintain NPI for their customers.

The Financial Privacy rule is the key consideration for most organizations. This rule governs the collection, use, and disclosure of private financial data. The process companies must take to safeguard this information is also defined.

The Safeguards Rule instructs organizations to develop security programs in alignment with the amount of NPI data they maintain.

Although the law is technology-neutral, the Safeguards Rule instructs the organization to implement policies to encrypt or block email traffic based on the message sender, recipient or content.
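The sender/recipient/content policy just described, and the PCI DSS Requirement 4 rule earlier on this page (cardholder data crossing a public network must be encrypted), both reduce to a per-message decision of allow, encrypt or block. Below is an added example of that decision logic (not DataMotion's code); the domains, mailbox names, sample messages and the three policy rules are constructed assumptions, and card numbers are confirmed with the Luhn check so that ordinary digit runs are not flagged.

```python
"""Outbound message policy: allow / encrypt / block by sender, recipient and content.
Added example, not DataMotion's code; domains, rules and sample data are constructed.
PAN detection uses the Luhn check so plain digit runs are not flagged as card numbers."""
import re

INTERNAL_DOMAIN = "bank.example"                   # assumed private-network boundary
BLOCKED_RECIPIENT_DOMAINS = {"freemail.example"}   # assumed: no regulated data to webmail
ALWAYS_ENCRYPT_SENDERS = {"disputes"}              # assumed: mailbox local-parts that always encrypt
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")     # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN pattern, a common NPI element


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 when > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid card number (PCI DSS cardholder data)."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def decide(sender: str, recipients: list, subject: str, body: str) -> tuple:
    """Return (action, reason); action is 'block', 'encrypt' or 'allow'."""
    text = subject + "\n" + body
    regulated = contains_pan(text) or bool(SSN_RE.search(text))
    external = [r for r in recipients if r.split("@")[-1] != INTERNAL_DOMAIN]
    if not external:
        return "allow", "internal only"  # never crosses the public network
    # Recipient rule: regulated data must not reach blocked domains at all.
    if regulated and any(r.split("@")[-1] in BLOCKED_RECIPIENT_DOMAINS for r in external):
        return "block", "regulated data to blocked recipient domain"
    # Content rule (PCI DSS req. 4 / GLBA Safeguards): regulated data leaving the network is encrypted.
    if regulated:
        return "encrypt", "regulated content to external recipient"
    # Sender rule: designated mailboxes always encrypt external mail.
    if sender.split("@")[0] in ALWAYS_ENCRYPT_SENDERS:
        return "encrypt", "sender mailbox policy"
    return "allow", "no regulated content detected"
```

Real deployments pair this with logging of every decision, since the page's regulations expect proof that the policy was applied, not just that it existed.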

General Data Protection Regulation (GDPR)

GDPR is a new major privacy regulation that went into effect in May 2018. It is a European Union (EU) directive, but it does impact organizations outside of the EU if those organizations market to and collect information on EU residents.

In a nutshell, when an organization is collecting, processing and/or storing the personal data of any EU resident – regardless of where the organization is located – express permission must be obtained first. This means the individual must have opted in, not only to the collection of the data, but to its processing and storage. Data collectors/processors (the organization) must also be clear with the individual about how the data will be used, stored and protected. These individuals must also be given an easy way to withdraw their permission and have their data completely deleted from an organization’s database(s). You can learn more about GDPR here.

Article 5 of the GDPR details the principles covered by the regulation. Article 5(1) lays out the requirements for treating the personal data of EU citizens; such data must be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Take the Steps to Comply

A major facet of meeting the requirements of all these email compliance regulations is ensuring that your email is secure and well protected against hackers, scammers, and those with the intent of committing fraud. Failure to comply with mandated regulations leads to not only financial consequences but can permanently damage your company’s reputation as well as scare clients from coming back. Don’t take chances when it comes to staying compliant. It isn’t worth the risk.

Learn more about securing your email and other moving data.