West Corporation is a global provider of communication and network infrastructure services. One of West’s Unified Communications Services is their UK Cloud Contact Centre solution.
Contact centres face many compliance requirements including evidencing financial transactions but without conflicting the Payment Card Industry Data Security Standard (PCI DSS) requirement to protect “card-not-present” transactions.
PCI DSS has a requirement to keep cardholder data storage to a minimum, mask the card number and not to store card details such as the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorisation.
West’s Cloud Contact Centre UK provide a call recording and card payment collection solution which assists companies with meeting industry and PCI DSS requirements by taking cardholder data out of scope for their customers. The solution removes the need for customers to provide their card details to contact centre agents and masks card details within call recordings. Customers enter their payment details via their telephone keypad directly therefore bypassing the need for the contact centre agent to be told or see the card details. Once authorised, West securely pass back authorisation codes and transaction ID’s so that their customers can then process, repeat transaction or refund as appropriate.
West had been conducting an internal PCI self-assessment (SAQ) but felt they could be misinterpreting the PCI scope and controls and West initially approached Gemserv in 2014 to conduct a PCI DSS Compliance Scoping and Gap Analysis Assessment. West were working towards compliance with the PCI DSS as a service provider and had a number of their clients requiring PCI compliance attestations, this plus. West’s transactions were increasing to a point at which West would reach a threshold where a full PCI DSS assessment would need to be conducted by a PCI SSC approved QSA Company such as Gemserv, and as required by Visa Europe.
The initial engagement involved our Quality Security Assessor (QSA), who worked collaboratively with the West team to perform a gap assessment and confirm the scope of their PCI-DSS compliance programme, through a series of interviews, discussions and workshops. Following the gap assessment and report provided, the QSA presented the findings to the West UK Management team and helped them understand what was required to remediate the gaps found. During this period the QSA provided insight, support and guidance before any formal assessment was conducted. Once West addressed the findings they then engaged with Gemserv further to conduct a formal review of their updated procedures and systems against the PCI DSS at the time, (version 3.1). This led onto the formal assessment of the controls in scope for the West UK operation. At all times the QSA kept the West team informed of progress and items that needed further remediation, using a dedicated remediation plan and regular update calls with the West project lead. The West team found this approach appealing as not only were they being assessed against the standard but also felt they had a trusted advisor to help them throughout their PCI DSS journey
The QSA had established a very comprehensive understanding of West’s Card Holder Environment and was subsequently engaged to fully assess West against the latest version of PCI DSS (version 3.2). Through sampling many onsite interviews and assessments, the QSA observed and reviewed evidence onsite with West stakeholders, demonstrating to the QSA that West were compliant with PCS DSS, which led to producing the initial Report on Compliance (RoC) in March 2017 and subsequent re-assessment and RoC in March 2018.
West and Gemserv have built a great working relationship and work as a partnership more than a client supplier engagement, this helps with the continuous improvement of the West’s security posture and processes, as West see Gemserv as a key supplier for delivering Information Security guidance and advice and not just purely an assessor.