West Unified Communication Case Study

West Corporation is a global provider of communication and network infrastructure services. One of West’s Unified Communications Services is their UK Cloud Contact Centre solution.

The Challenge

Contact centres face many compliance requirements, including evidencing financial transactions, but must meet them without conflicting with the Payment Card Industry Data Security Standard (PCI DSS) requirement to protect “card-not-present” transactions.

PCI DSS requires that cardholder data storage be kept to a minimum, that the card number be masked, and that card details such as the card verification code or value (the three-digit or four-digit number printed on the front or back of a payment card, used to verify card-not-present transactions) not be stored after authorisation.

West’s Cloud Contact Centre UK provides a call recording and card payment collection solution that helps companies meet industry and PCI DSS requirements by taking cardholder data out of scope for their customers. The solution removes the need for customers to give their card details to contact centre agents and masks card details within call recordings. Customers enter their payment details directly via their telephone keypad, so the contact centre agent does not need to be told or see the card details. Once authorised, West securely passes back authorisation codes and transaction IDs so that their customers can then process, repeat or refund the transaction as appropriate.

West had been conducting an internal PCI self-assessment (SAQ) but felt they could be misinterpreting the PCI scope and controls. West initially approached Gemserv in 2014 to conduct a PCI DSS Compliance Scoping and Gap Analysis Assessment. West were working towards compliance with the PCI DSS as a service provider and had a number of their clients requiring PCI compliance attestations. In addition, West’s transactions were increasing to a point at which West would reach a threshold where a full PCI DSS assessment would need to be conducted by a PCI SSC approved QSA Company such as Gemserv, as required by Visa Europe.

Our Approach

The initial engagement involved our Qualified Security Assessor (QSA), who worked collaboratively with the West team to perform a gap assessment and confirm the scope of their PCI DSS compliance programme through a series of interviews, discussions and workshops. Following the gap assessment and the report provided, the QSA presented the findings to the West UK Management team and helped them understand what was required to remediate the gaps found. During this period the QSA provided insight, support and guidance before any formal assessment was conducted. Once West had addressed the findings, they engaged Gemserv further to conduct a formal review of their updated procedures and systems against the version of PCI DSS in force at the time (version 3.1). This led on to the formal assessment of the controls in scope for the West UK operation. At all times the QSA kept the West team informed of progress and of items that needed further remediation, using a dedicated remediation plan and regular update calls with the West project lead. The West team found this approach appealing: not only were they being assessed against the standard, but they also felt they had a trusted advisor to help them throughout their PCI DSS journey.

The Outcome

The QSA had established a very comprehensive understanding of West’s Card Holder Environment and was subsequently engaged to fully assess West against the latest version of PCI DSS (version 3.2). Through sampling many onsite interviews and assessments, the QSA observed and reviewed evidence onsite with West stakeholders, demonstrating to the QSA that West were compliant with PCI DSS. This led to the initial Report on Compliance (RoC) in March 2017 and a subsequent re-assessment and RoC in March 2018.

West and Gemserv have built a great working relationship and work as a partnership more than as a client-supplier engagement. This helps with the continuous improvement of West’s security posture and processes, as West see Gemserv as a key supplier for delivering Information Security guidance and advice and not purely as an assessor.
