PCI in the Contact Centre
Transcript of PCI in the Contact Centre
www.everycloud.eu
PCI in the Contact Centre
• Security Council Recommendations
• The Challenges
• Where are you on your journey?
• Case Study
• Key Takeaways
Agenda
PCI DSS Security Council Recommendations
It is a violation to store sensitive card data after authentication without proper protection including in call recordings, and in particular it is prohibited to store/record the CVV/CV2 number under any circumstances.
Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of sensitive elements.
Personal Account Numbers (PANs, or the long card number) must not be held in a manner accessible to others and should be masked in part if/when displayed (e.g. last 4 numbers only).
Encryption/Tokenisation should be used when storing or transmitting sensitive data.
Unencrypted VoIP telephone systems must be avoided.
Homeworkers should be tightly supervised to ensure that they are not receiving or storing sensitive client data in a manner which breaches the requirements - including writing client card details and authentication numbers down, or storing them on unencrypted or removable media such as USB sticks.
Security Council: The Facts
End-to-End Media Encryption
• Complies with security standards and regulations but not CVV2 capture and storage
Pause and Resume (Manual or Automated)
Manual
• Reliant on agent intervention
• Open to abuse
Automated
• Can be difficult to scope and implement
• FCA compliance implications – broken call
• Agents exposed to sensitive information
• Information stored at agent desktop level
The Challenges
How do we keep it simple?
The Challenges
“Most people we engage with are more concerned at the impact on their brand, than the threat of a fine”
Allan Packer – Managing Director Silver Lining
Employer – Employee
• Few would argue that the most valuable resource of any organisation is its people
• Motivation - engagement and retention
• Employee brand is not a label, it is an experience - employees represent the brand
• Understand that it is your employees who are responsible for the happiness (or otherwise) of your customers
“The higher the level of employee satisfaction, the greater the commitment and contribution to the employer.”
Ronan Miles, CEO Oracle UK
The Challenges
“Collaboration is critical”
Stephen Orfei, GM, PCI Standards Council
Where are you?
• Not simply PCI
• Vendor relationships
• Integration
• QSA’s
• On Premise / Hosted
• Keep it simple…
Case Study: The PCI Journey
UK leading insurance broker
• 1,750 employees
• Over 1.5 million policy holders
• Two contact centres
Case Study: Overview
UK leading insurance broker
“Looking under the bonnet…”
• Started to protect card data on legacy IBM AS/400 platform in 2007
• CIO joins late 2008, and deploys new strategy as part of MBO to rip and replace all key systems.
• New Avaya Aura contact centre deployed 2009/10 with Pause and Resume for masking card details.
• New Contact Centre upgrade project kicks off 2013 which includes the move to DTMF masking for PCI compliance / Outsourced PCI managed service.
Case Study: The PCI Journey
UK leading insurance broker
• Historical card data (where Pause and Resume Failed)
• PCI-DSS – Top 5 risk on Corporate Risk Register
• Increased focus from Barclaycard / Visa & MasterCard
• Employee retention and clean room environment
• How do we reduce / transfer risk?
• Conflicting regulation between PCI and FCA
• Integration with existing applications (some green screen terminal based)
Case Study: Challenges
UK leading insurance broker
The Contact Centre: The Challenge
[Diagram: LAN and PSTN, with the environment labelled “In PCI scope” / “Out of PCI scope”]
The Contact Centre: The Solution
[Diagram: LAN and PSTN with a PCI Appliance / Web Service inserted between them; patented DTMF clamping technology; environment labelled “In PCI scope” / “Out of PCI scope”]
Single Managed PCI Contract
• Patent protected “DTMF” solution
• Broker platform integration “CDL”
• Managed Report on Compliance
• Handful of residual controls
Case Study: Solution
UK leading insurance broker
• Removed 85%+ of the technical landscape from PCI Scope, including the Contact Centres
• Transfer of “Risk” under the contract
• Reduced internal / future costs of compliance
• FCA compliance maintained
Case Study: Benefits
UK leading insurance broker
The CIO explains:
“The key consideration here was to go with one supplier who could deliver the entire solution end-to-end. We needed a solution that removed our Contact Centre from PCI scope and transferred the risk to a specialist partner”
Case Study: Testimonial
UK leading insurance broker
Secure “DTMF” Payment Process
[Diagram: Customer and Agent; the card number reaches the agent only in masked form, **** **** 1307]
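The payment flow on this slide, and the Security Council rules from the earlier slide (mask the PAN to the last four digits, never record or store the CVV), as an added Python simulation. This is illustrative code written for this page, not code from the deck, from Silver Lining, or from any vendor’s DTMF product. It assumes an agent-side control signal that opens and closes a capture session, `#` as the terminator for each keyed field, a Luhn check before any authorisation, and a hash-based stand-in for tokenisation; the call, the “appliance” and the recorder are all in-memory stand-ins.

```python
"""Simulation of a DTMF-clamped card payment in a contact centre.

Added example (not from the slides or any vendor). The clamper sits
between the customer (PSTN side) and everything on the LAN side: the
recorder and the agent desktop only ever see a substitute tone, while
the keyed digits go to the PCI "appliance" stand-in alone.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Event:
    """One thing that happened on the call, in time order."""
    source: str   # "customer" or "agent"
    kind: str     # "speech", "dtmf" or "control"
    payload: str  # spoken words, a single DTMF key, or a control verb


# Constructed sample values (Luhn-valid test-style number, not a real card).
PAN_VALID = "4111111111151307"
CVV = "123"


def _keys(s):
    return [Event("customer", "dtmf", ch) for ch in s]


# Constructed sample call: agent opens capture, customer keys PAN then '#',
# then CVV then '#', agent closes capture. Digits are deliberately present
# so the checks below can prove they never reach the recording.
SAMPLE_CALL = (
    [Event("agent", "speech", "Please key your card number then press hash."),
     Event("agent", "control", "capture_start")]
    + _keys(PAN_VALID + "#")
    + [Event("agent", "speech", "Now the three digit security code, then hash.")]
    + _keys(CVV + "#")
    + [Event("agent", "control", "capture_end"),
       Event("customer", "speech", "Thanks, is that all?")]
)


def luhn_valid(pan: str) -> bool:
    """Luhn check so mis-keyed numbers are rejected before any charge attempt."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for the agent: last four digits only."""
    return "**** **** **** " + pan[-4:]


def tokenise(pan: str) -> str:
    """Stand-in for a vault token (assumption: a real appliance uses a keyed
    vault, not a plain salted hash, so the token cannot be reversed offline)."""
    return "tok_" + hashlib.sha256(b"demo-salt:" + pan.encode()).hexdigest()[:16]


def process_call(events):
    """Run the call through the clamper; return what each party ends up holding."""
    recording = []        # what the call recorder (LAN side) captures
    agent_desktop = []    # messages shown on the agent's screen
    capturing, buffer, fields = False, "", []
    result = {"status": "no_payment", "token": None, "last4": None}

    for ev in events:
        if ev.kind == "control" and ev.source == "agent":
            if ev.payload == "capture_start":
                capturing, buffer, fields = True, "", []
                recording.append("[capture session opened]")
            elif ev.payload == "capture_end":
                capturing = False
                recording.append("[capture session closed]")
                if len(fields) != 2:
                    result["status"] = "incomplete"
                    agent_desktop.append("Card capture incomplete; ask the customer to re-key.")
                    continue
                pan, cvv = fields
                if not luhn_valid(pan):
                    result["status"] = "invalid_pan"
                    agent_desktop.append("Card number failed validation; ask the customer to re-key.")
                    continue
                # Stand-in for the authorisation request: the CVV is used once
                # here and then dropped; it is never stored, logged or displayed.
                authorised = cvv.isdigit() and len(cvv) in (3, 4)
                del cvv
                result.update(status="authorised" if authorised else "declined",
                              token=tokenise(pan), last4=pan[-4:])
                agent_desktop.append(f"Card {mask_pan(pan)} {result['status']}")
            continue
        if ev.kind == "dtmf" and ev.source == "customer":
            # Clamp: the tone is replaced before it reaches recorder or agent.
            recording.append("[tone]")
            if capturing:
                if ev.payload == "#":
                    fields.append(buffer)
                    buffer = ""
                else:
                    buffer += ev.payload
            # Outside a capture session the keyed digit is simply discarded.
            continue
        recording.append(f"{ev.source}: {ev.payload}")   # speech passes through
    result["recording"] = recording
    result["agent_desktop"] = agent_desktop
    return result
```

The point of the simulation is what is absent from the outputs: `recording` contains no digits at all, and the agent desktop only ever carries the masked form, which is the property that takes the recorder and the desktop out of PCI scope on the slide before this one. The Luhn failure branch shows the other half of the design: a mis-keyed number is bounced back to the agent as a prompt to re-key, still without any digit leaving the appliance side.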
• Not just about achieving compliance!
– Go beyond the baseline need and consider PCI as a key part of a complete security strategy
• Collaboration is critical
– Use all relationships including PCI QSA’s
– Work with a systems integrator that knows more than just PCI
• Half baked solutions won’t cut it
– A DTMF masking technology solution that takes the card number out of the equation will remove most of the technical landscape within the Contact Centre from PCI Scope
• Don’t forget the impact on your employees
• Start with the end in mind
5 Key Points
“Takeaway” points