
PCI in the Contact Centre


Page 1: PCI in the Contact Centre

www.everycloud.eu

PCI in the Contact Centre

Page 2: PCI in the Contact Centre


• Security Council Recommendations
• The Challenges
• Where are you on your journey?
• Case Study
• Key Takeaways

Agenda

Page 3: PCI in the Contact Centre


PCI DSS Security Council Recommendations

It is a violation to store sensitive card data after authentication without proper protection including in call recordings, and in particular it is prohibited to store/record the CVV/CV2 number under any circumstances.

Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of sensitive elements.

Personal Account Numbers (PANs, or the long card number) must not be held in a manner accessible to others and should be masked in part if/when displayed (e.g. last 4 numbers only).

Encryption/Tokenisation should be used when storing or transmitting sensitive data.

Unencrypted VoIP telephone systems must be avoided.

Homeworkers should be tightly supervised to ensure that they are not receiving or storing sensitive client data in a manner which breaches the requirements - including writing client card details and authentication numbers down, or storing them on unencrypted or removable media such as USB sticks.

Security Council: The Facts

Page 4: PCI in the Contact Centre


End-to-End Media Encryption
• Complies with security standards and regulations, but not with CVV2 capture and storage

Pause and Resume (Manual or Automated)

Manual
• Reliant on agent intervention
• Open to abuse

Automated
• Can be difficult to scope and implement
• FCA compliance implications – broken call
• Agents exposed to sensitive information
• Information stored at agent desktop level

The Challenges

How do we keep it simple?

Page 5: PCI in the Contact Centre


The Challenges

“Most people we engage with are more concerned at the impact on their brand, than the threat of a fine”

Allan Packer – Managing Director Silver Lining

Page 6: PCI in the Contact Centre


Employer – Employee

• Few would argue that the most valuable resource of any organisation is its people
• Motivation - engagement and retention
• Employee brand is not a label, it is an experience - employees represent the brand
• Understand that it is your employees who are responsible for the happiness (or otherwise) of your customers

“The higher the level of employee satisfaction, the greater the commitment and contribution to the employer.”

Ronan Miles, CEO Oracle UK

The Challenges

Page 7: PCI in the Contact Centre


“Collaboration is critical”

Stephen Orfei, GM, PCI Standards Council

Where are you?

• Not simply PCI
• Vendor relationships
• Integration
• QSA’s
• On Premise / Hosted

• Keep it simple…

Page 8: PCI in the Contact Centre


Case Study: The PCI Journey

UK leading insurance broker

Page 9: PCI in the Contact Centre


• 1,750 employees
• Over 1.5 million policy holders
• Two contact centres

Case Study: Overview

UK leading insurance broker

“Looking under the bonnet…”

Page 10: PCI in the Contact Centre


• Started to protect card data on legacy IBM AS/400 platform in 2007
• CIO joins late 2008, and deploys new strategy as part of MBO to rip and replace all key systems.
• New Avaya Aura contact centre deployed 2009/10 with Pause and Resume for masking card details.
• New Contact Centre upgrade project kicks off 2013 which includes the move to DTMF masking for PCI compliance / Outsourced PCI managed service.

Case Study: The PCI Journey

UK leading insurance broker

Page 11: PCI in the Contact Centre


• Historical card data (where Pause and Resume Failed)

• PCI-DSS – Top 5 risk on Corporate Risk Register

• Increased focus from Barclaycard / Visa & MasterCard

• Employee retention and clean room environment

• How do we reduce / transfer risk?

• Conflicting regulation between PCI and FCA

• Integration with existing applications (some green screen terminal based)

Case Study: Challenges

UK leading insurance broker

Page 12: PCI in the Contact Centre


The Contact Centre: The Challenge

[Diagram: call path across LAN and PSTN, with the in-PCI-scope and out-of-PCI-scope zones marked]

Page 13: PCI in the Contact Centre


The Contact Centre: The Solution

[Diagram: call path across LAN and PSTN with a PCI Appliance and Web Service inserted (patented DTMF Clamping technology), with the in-PCI-scope and out-of-PCI-scope zones marked]

Page 14: PCI in the Contact Centre


Single Managed PCI Contract

• Patent protected “DTMF” solution

• Broker platform integration “CDL”

• Managed Report on Compliance

• Handful of residual controls

Case Study: Solution

UK leading insurance broker

Page 15: PCI in the Contact Centre


• Removed 85%+ of the technical landscape from PCI Scope, including the Contact Centres

• Transfer of “Risk” under the contract

• Reduced internal / future costs of compliance

• FCA compliance maintained

Case Study: Benefits

UK leading insurance broker

Page 16: PCI in the Contact Centre


The CIO explains:

“The key consideration here was to go with one supplier who could deliver the entire solution end-to-end. We needed a solution that removed our Contact Centre from PCI scope and transferred the risk to a specialist partner”

Case Study: Testimonial

UK leading insurance broker

Page 17: PCI in the Contact Centre


Secure “DTMF” Payment Process

[Diagram: Customer and Agent legs of the call; the agent display shows only the masked card number **** **** 1307]
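The DTMF masking process above (and the Security Council point that a PAN shown to staff is masked to its last four digits) can be made concrete with a small simulation. This is an added example, not code from the deck or from any vendor's appliance: a clamp sits between the PSTN leg and the agent/recorder leg, swallows keyed digits while capture mode is on, and hands the full PAN only to a payment-gateway callback. The event format, class and function names are assumptions.

```python
# Added illustration (not code from the everycloud deck or its vendor): a simulated
# DTMF "clamp" between the PSTN leg and the agent/recording leg of a call. While
# capture mode is on, keyed digits stay inside the clamp, the agent and recorder
# receive only a placeholder, and the agent desktop gets a masked PAN.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

DIGITS = set("0123456789")

def luhn_ok(pan: str) -> bool:
    """Standard Luhn check so mistyped PANs are rejected before reaching the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: last four digits only, as on the deck's agent screen."""
    return "**** **** " + pan[-4:]

@dataclass
class DtmfClamp:
    capture_on: bool = False
    agent_stream: List[str] = field(default_factory=list)  # what agent + recorder get
    _buffer: str = ""

    def feed(self, event: str) -> None:
        """event is 'DTMF:<key>' from the PSTN leg or 'AUDIO:<speech>' (assumed format)."""
        kind, _, value = event.partition(":")
        if kind == "DTMF" and self.capture_on:
            if value in DIGITS:
                self._buffer += value           # digit stays inside the clamp
            self.agent_stream.append("DTMF:*")  # flat placeholder, no digit leaks
        else:
            self.agent_stream.append(event)     # outside capture, pass through as-is

    def finish(self, gateway: Callable[[str], str]) -> Tuple[Optional[str], str]:
        """Leave capture mode; PAN goes only to the gateway, agent gets a masked view."""
        pan, self._buffer, self.capture_on = self._buffer, "", False
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            return None, "rejected"
        return mask_pan(pan), gateway(pan)

def leaked_digits(stream: List[str]) -> bool:
    """Detection check: did any DTMF digit reach the agent/recorder leg?"""
    return any(e.startswith("DTMF:") and e[5:] in DIGITS for e in stream)
```

The `leaked_digits` check is the kind of assertion worth running over recorder output when testing such a deployment: a single digit in that stream means the recording is back in PCI scope.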

Page 18: PCI in the Contact Centre


• Not just about achieving compliance!
– Go beyond the baseline need and consider PCI as a key part of a complete security strategy
• Collaboration is critical
– Use all relationships including PCI QSA’s
– Work with a systems integrator that knows more than just PCI
• Half-baked solutions won’t cut it
– A DTMF masking technology solution that takes the card number out of the equation will remove most of the technical landscape within the Contact Centre from PCI Scope
• Don’t forget the impact on your employees
• Start with the end in mind

5 Key Points

“Takeaway” points