3. www.everycloud.eu
Security Council: The Facts
PCI DSS Security Council Recommendations
• It is a violation to store sensitive card data after authentication without proper protection, including in call recordings; in particular, storing or recording the CVV/CV2 number is prohibited under any circumstances.
• Where it is necessary to record calls (for quality control or regulatory purposes), appropriate technology must be introduced to prevent the recording of sensitive elements.
• Personal Account Numbers (PANs, the long card number) must not be held in a manner accessible to others and should be partially masked if/when displayed (e.g. last 4 digits only).
• Encryption/tokenisation should be used when storing or transmitting sensitive data.
• Unencrypted VoIP telephone systems must be avoided.
• Homeworkers should be tightly supervised to ensure that they are not receiving or storing sensitive client data in a manner which breaches the requirements, including writing client card details and authentication numbers down, or storing them on unencrypted or removable media such as USB sticks.
4. www.everycloud.eu
The Challenges: How do we keep it simple?
End-to-End Media Encryption
• Complies with security standards and regulations, but does not address CVV2 capture and storage
Pause and Resume (Manual or Automated)
Manual
• Reliant on agent intervention
• Open to abuse
Automated
• Can be difficult to scope and implement
• FCA compliance implications: the call recording is broken
• Agents exposed to sensitive information
• Information stored at agent desktop level
5. www.everycloud.eu
The Challenges
“Most people we engage with are more concerned at the impact on their brand, than the threat of a fine”
Allan Packer, Managing Director, Silver Lining
6. www.everycloud.eu
The Challenges: Employer – Employee
• Few would argue that the most valuable resource of any organisation is its people
• Motivation: engagement and retention
• Employee brand is not a label, it is an experience; employees represent the brand
• Understand that it is your employees who are responsible for the happiness (or otherwise) of your customers
“The higher the level of employee satisfaction, the greater the commitment and contribution to the employer.”
Ronan Miles, CEO Oracle UK
9. www.everycloud.eu
Case Study: Overview
UK leading insurance broker
• 1,750 employees
• Over 1.5 million policy holders
• Two contact centres
“Looking under the bonnet…”
10. www.everycloud.eu
Case Study: The PCI Journey
UK leading insurance broker
• Started to protect card data on the legacy IBM AS/400 platform in 2007
• CIO joins late 2008 and deploys a new strategy, as part of an MBO, to rip and replace all key systems
• New Avaya Aura contact centre deployed 2009/10, with Pause and Resume for masking card details
• New Contact Centre upgrade project kicks off in 2013, including the move to DTMF masking for PCI compliance and an outsourced PCI managed service
11. www.everycloud.eu
Case Study: Challenges
UK leading insurance broker
• Historical card data (where Pause and Resume failed)
• PCI DSS: a top-5 risk on the Corporate Risk Register
• Increased focus from Barclaycard / Visa & MasterCard
• Employee retention and clean-room environment
• How do we reduce / transfer risk?
• Conflicting regulation between PCI and FCA
• Integration with existing applications (some green-screen terminal based)
14. www.everycloud.eu
Case Study: Solution
UK leading insurance broker
Single Managed PCI Contract
• Patent-protected “DTMF” solution
• Broker platform integration (“CDL”)
• Managed Report on Compliance
• Handful of residual controls
15. www.everycloud.eu
Case Study: Benefits
UK leading insurance broker
• Removed 85%+ of the technical landscape from PCI scope, including the Contact Centres
• Transfer of “risk” under the contract
• Reduced internal / future costs of compliance
• FCA compliance maintained
16. www.everycloud.eu
Case Study: Testimonial
UK leading insurance broker
The CIO explains:
“The key consideration here was to go with one supplier who could deliver the entire solution end-to-end. We needed a solution that removed our Contact Centre from PCI scope and transferred the risk to a specialist partner”
18. www.everycloud.eu
5 Key Points: “Takeaway” points
• Not just about achieving compliance!
  – Go beyond the baseline need and consider PCI as a key part of a complete security strategy
• Collaboration is critical
  – Use all relationships, including PCI QSAs
  – Work with a systems integrator that knows more than just PCI
• Half-baked solutions won’t cut it
  – A DTMF masking technology solution that takes the card number out of the equation will remove most of the technical landscape within the Contact Centre from PCI scope
• Don’t forget the impact on your employees
• Start with the end in mind