Tuesday, June 18, 2013

The hype of BYO Device is on every CIOs mind right now, don't take it lightly

BYOD strategy and mobile device security remain a top IT priority

Employee-owned smartphone use for work purposes continues to expand, and the governance, risk and compliance implications of the trend are beginning to take hold. According to a recent survey by Search Compliance, "security" was cited by 96% of respondents as being among their top concerns regarding bring your own device (BYOD)/consumerisation of IT.

"Compliance" was the second-ranked top BYOD/ consumerisation concern in the survey, taken by 773 IT professionals during Search Compliance's April 24 virtual conference, The State of Cyber Security 2013.

Do you provide a BYOD strategy or not?

Many businesses either put their heads in the sand or sit on the fence…

Managing mobility in the enterprise is a relatively new and rapidly transforming business discipline. Enterprise mobile management (EMM) is an emerging holistic approach that incorporates and transcends mobile device management (MDM), mobile app management (MAM) and other software for managing mobile assets. The shift is away from merely managing the assets themselves and toward transforming business through mobilizing the enterprise. Mobile management began by focusing on MDM, but subsequently expanded to include application management, as enterprises realized that managing only the devices themselves was not enough. While MDM helps address authentication and security, success with mobility also depends on apps that are lightweight, secure and easy to manage, distribute and use.

A Growing Focus is now on Content

A growing trend is the shift toward being able to manage mobile content as well as mobile apps. Given the huge growth we expect as tablets become more widely used in enterprises is the need to manage content that is part of a mobile worker’s job. Mobile security is a top priority in gaining managed control over smartphones and tablets in business, whether the devices are company-owned or BYOD. Content stored on those devices is a critical exposure, and protecting the intellectual property of the business demands a mobile content strategy. Although newer smartphones with modern OSs have device-level encryption to protect content, significantly more is needed to protect sensitive documents and valuable corporate intellectual property.

Enterprise Mobility: The Business Imperative

For enterprises, the multiple elements of mobile and mobile management are rapidly becoming part of the strategic business foundation. Managing mobile devices and controlling BYOD have been important priorities behind the MDM segment, but increasingly a holistic approach to mobility is required. As enterprises make mobile an integral part of how their systems are designed and how their business runs, mobile management that addresses mobile devices, the mobile app lifecycle, and mobile content in an integrated way becomes a priority.

BYOD isn’t a synonym for “free for all.” Once an organization decides to let employees use their own mobile devices and PCs for work, it must put a BYOD policy in place to control this usage.
The details of any bring your own device (BYOD) policy will be specific to a given organization, but most policies cover the same basic questions:
  • ·         How should users protect their devices?
  • ·         What data and applications can and can’t be accessed?
  • ·         And what happens when a user loses a device or leaves the company?

BYOD can be confusing, because it involves different kinds of devices, use cases and users. To create a clear and simple BYOD policy, IT and other business decision-makers should consider the following issues:-

Acceptable use

First and foremost, it’s vital to specify which functions a given user can access, and what general behaviours are acceptable. It’s important to protect the organization from users who may have, for example, illicit materials on their devices, or information that may be proprietary to another firm.

Device selection

It’s probably not reasonable today, because of support costs and the sheer number of devices available, to allow any arbitrary smartphone or tablet on the enterprise network. A relatively broad range of platforms -- for example, Android, iPhone and BlackBerry -- is usually sufficient.


Some BYOD corporate strategies will pay for users’ devices and monthly services, either partially or in full. A BYOD policy should explain exactly what charges the organization will and won’t reimburse. Third-party services and software can provide detailed accounting of phone (and sometimes data) usage, but it may be easier to simply reimburse a pre-specified percentage of users’ monthly bills. Your organization may need to modify its accounting systems to support this critical function.

Applications and security

Whitelisting and blacklisting apps is a popular technique that, while certainly not fool proof, helps to maintain the security and integrity of enterprise IT resources (to say nothing of the handset itself). If your organization takes this approach, the BYOD policy should explain that IT has the authority to prohibit the use of certain apps. The overall software configuration of the handset is a key variable in successful mobile IT operations, so the BYOD policy should also cover the use of antivirus apps, other security software and firewall settings.
“New mobile technology and new user models requires a new breed of management -- that's what you should be thinking about as you move forward.”
And for the Marketing:  If you want someone to come in and remove all the vendor marketing hype reach out to CCServe Ltd and have a chat.

Monday, May 30, 2011

Reducing PCI compliance scope in your Contact Centre

Regulatory voice recording compliance needs to be addressed within the Contact Centre environment especially if your trading requires the use of credit cards for transactional payments

So what is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was formed in September 2005 to manage the on-going evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.

The PCI DSS is administered and managed by the PCI-SSC committee (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI-DSS council.
PCI-DSS – Payment Card Industry Data Security Services Criteria
• 12 Requirements to Protect Credit Card Information
• 3 Levels based on transactions per annum

  • >6m transactions per annum
  • 150k to 6m transactions per annum
  • <150k transactions per annum
• They were formed in September of 2005
By five leading credit card vendors VISA, MasterCard, Amex, Discover, and JCB
• Why should you care – within the Contact Centre?
  • A company that has transactions with Credit Cards where that information is spoken over the phone needs to be secure
• Consequences of Non-Compliance
  • Steep monetary fines (circa £500K upwards) and
  • Revocation of credit card business trading privileges
Why do you need to review your PCI DSS strategy

It is not just about the installation of technology once and then you are compliant. Most industry suppliers will spin a story about installing a piece of technology like voice recording, or secure firewalls or putting in place a DMZ area for your servers to give the impression that that is all that is needed to be done – this is not the case. Successful completion or installation of some technology or a system scan or assessment for PCI is but a snapshot in time. Fraudsters attack non-stop and get stronger every day, which is why PCI compliance efforts must be seen as a continuous process of assessment and remediation to ensure proper safety of cardholder data.

The pass mark for PCI is 100%, not 99% so if you fail even one of the criteria, you are not PCI compliant. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements, is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It’s just good business.

In a recent UK based survey on companies about PCI compliance; across organisations in a variety of market sectors, including healthcare, government, e-commerce, finance and banking, the report findings indicated that PCI compliance is important to eight in 10 UK organisations – which shows good intent. However, 57%, are either PCI compliant or actively working toward becoming compliant. While this represents good progress, it also indicates that the UK is trailing the United States in adoption of PCI compliance.

Shockingly 16% of organisations don’t know what it means to be PCI compliant and nearly one in five companies reported not knowing if PCI compliance is important. "With over 40% of UK organisations not serious about PCI compliance, sensitive customer and cardholder data is still in jeopardy for many of the online transactions that take place".

The key thing to understand is that it is an ecosystem and each party plays a part in a game. You can't put all the blame on just the retailers. The key to preventing data breaches after reaching PCI compliance is knowing your infrastructure and what is changing. Battening down the security landscape involves doing more than focusing on stolen laptops and hackers breaking into networks.

Be aware that for those vendors that state that their technology has been PCI certified, are not correct – so don’t get fooled into this allegation – technology can be used to help ensure a secure environment or remove credit card data. PCI compliance is a process, and a continual process of evaluating your security and protection of PII (Personal Identification Information) data.

The Merchant consideration:
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers
The company consideration:
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a ‘silver bullet’ might lead some to believe that the point product provides ‘compliance’, when it’s really implementing just one or a few pieces of the standard.

The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the ‘big picture’ related to the intent of PCI DSS requirements. Part of the problem is a lack of constant, vigilant oversight of one's compliance status. A company can be PCI complaint today but fall out of compliance next week.
What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Merchant Level Description

  1. Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  2. Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
  3. Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
Merchant levels as defined by Visa in the table above:
PCI Security Standard Council Statement

PCI DSS issued the following clarification for contact centres that record calls that contain cardholder data.

Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?

This response is for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID by the payment brands). This response is intended to provide clarification for call centres regarding their potential storage of card validation codes and values, and their compliance with the PCI DSS. It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after transaction authorisation.

Call centres may find themselves in the position of receiving cardholder data which includes sensitive authentication data, and they may be unable to delete this sensitive data since individual elements cannot easily be deleted from an audio recording. To clarify, these call centres and all cardholder data are IN SCOPE for PCI DSS. However, if the storage of card validation codes and values meets the unique circumstances described in this response AND these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. Commercially reasonable technology does exist to delete these data elements, so these elements should be deleted. If the individual data elements within an audio file can never be queried, then only the physical and logical protections defined in PCI DSS version 2.0 must be applied to these audio files.

Additionally, if these audio files that can never be queried are copied to magnetic tape media, that media must also be protected in accordance with PCI DSS. However, if card validation codes and values stored on audio files are subject to technology that allows for the capture and transposition of the speech/audio data into a format that can be queried (for example digital or other file formats), then the sensitive authentication data, including card validation codes and values, must not be stored and must be deleted immediately after authorization. Again, this response applies only to call centres and card validation codes and values. All other cardholder data captured by call centres must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4. In addition, this response does not to apply to any other entity besides call centres, and all other entities must protect all cardholder data in accordance with PCI DSS, including req. 3.2 and 3.4.
The Standard can be found on the PCI SSC's Website:
PCI compliance strategy in the Contact Centre

It is important to understand that the whole process of compliance is about being able to maintain a consistent level of checks and processes that ensure that your customer data is always secure and that the correct levels of access are maintained. Contact Centre staff if not correctly managed can be the biggest area of risk within the process so it is important to note that one should look for solutions that prevent not only the voice recorded details of a customer’s credit card are masked but also the visual typed details from either a web portal page or screen scrape.

It is good security practise to put in place an environment within a Contact Centre to prevent the urge for Organised Crime syndicates to actively target new recruits in the Contact Centre industry and also to make it impossible for the agents to be able to be tempted to gather the data in the first instance.

Reducing the scope of PCI compliance

As mentioned before there is technology that will make it very easy for those who are regulated and need to record calls and transactions to prevent the card data from being saved. Some solutions are more complex than others so search around but one offering from ColabCom is to not only prevent the callers credit data from being recorded but also to remove the information from the agent, thereby removing the agents and their PC’s from scope when engaging in a PCI compliance audit. This solution puts the responsibility to input the card data by the caller’s phone keypad, this will null out the tones and mask the data in the screen. In addition the recording does not gather any of the data with this process.

There is more, a verbal signature is gathered at the end of the transaction which can be saved and also sent to the card holder by email as proof of transaction. This prevents additional fraud where the card holder can immediately notify a merchant that a CNP transaction was not them if it actually was not. The signature also prevents genuine transactions by the card holder typically on low value CNP transactions from being fraudulently denied and then credited by the merchant as often it’s too costly to chaise up.

When your business is looking to bring the PCI DSS certified QSA to audit your environment make sure that you can reduce the amount of scope that your business needs to audit, so removing agents and agent PC’s in your Contact Centre from scope will dramatically reduce costs, so invest wisely.


A well-planned and thought out PCI strategy will enable an organisation to remain within the law and ensure that the regulatory bodies do not impose the steep fines or remove the trading rights to your business.

A basic solution is for businesses to worry less about PCI compliance and concentrate more on their security, be sure to build the processes round keeping your business safe from PII (Personal Identification Information) storage and remember it is not one company that can make you compliant it is an ecosystem – fine those vendors that can really make a difference.

It is important to understand the facts that could reduce your compliance and make sure that one imposes regular checks and continual processes are done. Ensure any new or merged business into your corporation does not suddenly put your business at risk and out of compliance – this is an easy trap to fall in.

Just one fine from the merchant card suppliers, (starting at £500k & going into the millions) and possibly more damming the negativity on your brand in the market from falling out with the compliance body will more than justify any costs your business will incur to ensure full compliance within ones Contact Centre payments businesses.

By Craig Ashmole

Wednesday, July 1, 2009

Challenges of effective contact centre solutions within a global financial downturn

Four very real challenges are growing and becoming more difficult to overcome as the global economic downturn continues to worsen:
1. First and foremost that being cost reduction
2. Then fraud prevention
3. How to address arrears handling; and
4. Considering hosted Contact Centre BPO solutions

It is now becoming clear that the global economic situation is going to take some time to recover and the impact will be felt far and wide. We will be forced to rethink how we all manage both our personal and business finances in order to manage our exposure and access to credit. As we lead up to the festive season and winter sales, the lack of access to finance and the potential for low cost bargains may cause many consumers to turn to their plastic – the credit card could enjoy a period of intense growth as everyone looks to preserve liquidity.

So, this seems good for card issuers at first glance. But is it?
In a recession, consumers tend to tighten their spending and save money. If they expect to be made redundant for example, they don’t want to spend and will use all means to preserve access to their savings and cash balances – usually through increased use of credit cards and in particular where access to overdrafts or re-mortgaging has become restricted.

Additionally, as interest rates continue to fall, the stimulus to spend is increased and there are of course many distressed businesses, from retailers through to car manufacturers, that are doing everything in their power to encourage consumers to maintain spending by making increasingly attractive offers.

There are four very real challenges for card issuers during this global downturn:

1) Cost reduction

Particularly in banking and finance, staff reduction will make servicing of the consumer base more difficult than ever. Added to this, tightening of margins from lower lending rates will put pressure on operational efficiency at the same time as there will be predicted increase in volume.

Making more of the telephone channel
Even with the introduction of low cost channels such as the web, for many people the telephone is still the preferred method of communication. The telephone channel can now benefit from sophisticated self-service solutions that previously seemed only possible over the web. Today’s integrated voice response systems are able to deliver truly personalised and highly dynamic customer interactions over the telephone, allowing callers to navigate menus, obtain and provide information using the power of their voice.

The UK Contact Centre Operational Review (6th edition - 2008), a recent major study of over 200 call centres carried out by ContactBabel, has found that although only 6.5% of inbound calls are dealt with entirely through self-service, rather than a live call centre agent, the savings to the UK call centre industry amount to over £1.6 billion per year. That’s an impressive figure based on a small percentage of inbound automation and clearly illustrates the potential savings for the cards business sector.

2) Fraud prevention
Although a lesser problem than arrears, the losses from fraud have been increasing recently and issuers need to take any steps they can to shut down the range of possibilities for fraud, without losing their most valued customers.

Speech self-service can help tackle fraud
Speech automation can be successfully introduced to tackle fraud at all levels of card use. All card issuers use intelligent risk and habit-based modelling systems, which profile their cardholders based upon historic transactions and locations. These systems flag warnings when a potentially fraudulent or out-of-character transaction takes place. They work in ‘real-time’, so that when a customer enters their card details, either at a POS (point of sale) machine or on a website, the transaction is scrutinized. If it is then identified as a potentially fraudulent activity, this information can be passed to an outbound interactive voice response (IVR) system, where an automated call is placed to the cardholder to confirm whether the transaction is valid. This has huge benefits for card issuers as they can elect to make far more transaction checks and further reduce fraud particularly for “cardholder-not-present” transactions or transactions that do not benefit from the security of chip and PIN.

3) Arrears handling
In the current climate, poor credit rating is topical enough and card issuers are already taking steps to limit new card issue and more rigorously control to whom they lend. However, the growth in arrears and delinquent accounts is now going to become uppermost for 2009. Although written with the UK market in mind, it is clear that this White Paper reflects the challenges on a global scale.

Automating the awkward calls
Being an arrears-handling agent is about as socially acceptable as being a traffic warden. It is a critical function of any business, but it is also one of the most challenging for lots of reasons. It takes a special kind of character to ask a cardholder or any customer, to pay off their outstanding debt. They must withstand a sometimes-alarming level of stress and verbal abuse and, as a result this is quite often the highest churn area of a contact centre.

This is an area that intelligent, cost-effective telephone-based technology can help. For example, sending a SMS payment reminder to cardholders ahead of time can act as a gentle reminder before they become delinquent. Prevention of debt at the cost of a SMS message - clearly this makes sense, and if well timed can be appreciated.

4) Hosted solutions
Managed hosted solutions are rapidly growing in popularity and should be considered, at least for speed and effectiveness. A surprising number of financial institutions are looking at hosted options, as these can be an effective way to deliver cost savings. Managed Service Providers (MSP) can today provide securely hosted solutions where it is still possible for the customer organisation to control the process locally on their premises. It is interesting to see many companies now sarting to put the efforts into doing their core business rather than trying to build up their own technology stack and this too is providing a key move towards hosted BPO services. The key thing is to check that the hoster has coverage in the countries that you need the services and that they have the language and infrastructure capabilities.

Reduction of costs with centralised control centres
As an example of hosted services one of the UK’s leading contact centre and back office processing providers, Teleperformance, recently invested in a state-of-the-art mission control centre that significantly increased productivity and reduced costs for its customers.

The mission control centre allows activity to be centrally monitored in real time across its network of contact centres. The technology intelligently puts together clusters of similar campaigns to allow shared services, identifying the best agents, skills required and time frame required. For example, it can intelligently forecast that a certain morning is busy for a particular campaign and identify that a similar campaign has the same agent profile and skills available. A sudden demand of calls can be shared across similar campaigns and across different sites where necessary. All this reduces costs as a result of agent skills based pooling.

Summary note
With a global recession card issuers are under greater pressure than ever to reduce their operating costs. They are expected to maintain a high level of customer service, protect cardholders from fraudulent attacks and improve their collections process - all with eroding budgets and slow growth.

It will be the card issuers that act now by streamlining their business processes and introducing more innovative automated solutions that will come out on top. By proactively avoiding fraud before it happens and reaching out to their customer base to collect outstanding balances before they become write-offs, card issuers will become the brand preference for consumers, since they will able to earn their long-term loyalty.

It is vital to remember that practical innovative solutions do not have to cost the earth, or be overly complicated. It all starts with a simple analysis, identifying which gaps need to be filled in order to deliver on business goals and finishes with the right solution delivering an impressive return on investment – or a value based return for every transaction. This is seldom a technology driven exercise it’s a business solution led exercise.

If you are interested to discuss any aspects of the content of this blog then contact Craig Ashmole at craig@ashmole.com