Delivering PCI DSS compliance – ERYC’s 3.2 journey


Written by Editorial Team

Published January 2018


When East Riding of Yorkshire Council looked at what it would need to comply with the Payment Card Industry Data Security Standard (PCI DSS) 3.2, it realised it needed help. In Pay360 by Capita the Council found a suite of solutions that has improved services, saved them £1 million and ensured full PCI compliance.

Councils cannot risk public funds. That was the position of East Riding of Yorkshire Council (ERYC) in April 2016, when the Payment Card Industry Security Standards Council (PCI SSC) published PCI DSS 3.2 and gave notice that its new requirements would become mandatory on 1 February 2018.

As ERYC was an existing customer of Pay360 by Capita, James Hewson, the account manager responsible for the ERYC account, was on hand to support. Hewson’s challenge was to ensure ERYC struck the right balance between customer experience and cost, while at the same time meeting the requirements of PCI DSS 3.2 and continuing to deliver business as usual.

PCI DSS first appeared on ERYC’s radar at one of the Pay360 annual user group meetings, over five years ago, where it became apparent that PCI DSS was beginning to take centre stage in the security sessions.

“At that point, we knew very little about PCI, other than it was assumed that it was automatically adhered to by IT. Additionally, our merchant bank began its own phased programme of mandating compliance, which complemented the information triggered by the user group meetings,” explains Patrick Woodhead, ERYC Senior Technical Officer.

“Having become aware of what PCI was and the implications for non-compliance, it was quickly realised that not meeting PCI requirements was a substantial financial risk to the Council. Furthermore, not only would a breach be extremely costly to tax-payers’ funds, it would inflict terrible damage on the Council’s reputation. Our customers expect us to protect their data. Losing that confidence and trust was unthinkable.”

Having realised that PCI compliance was a significant business risk, ERYC established a working group to assess its situation and compliance status. At that time, version 3.2 of PCI DSS was in the pipeline but not yet published. The working group consisted of representatives from IT, Finance and general business administration.

Significant work needed for 3.2

The investigation confirmed that, while the existing measures were sufficient for the version of PCI DSS then in force, version 3.2 would require significant new work. This applied in particular to the non-IT control and monitoring mechanisms that 3.2 imposed, but also to the demands of point-to-point encryption (P2PE) for the Council’s card-present devices.

Version 3.2 of the PCI standard raised the bar considerably. ERYC engaged a Qualified Security Assessor (QSA) and asked them to conduct a full PCI assessment against the relevant Self-Assessment Questionnaires (SAQs) as they would apply under version 3.2.

Says ERYC’s Woodhead: “They confirmed that all our chip and PIN devices needed to incorporate full P2PE (point-to-point encryption). We had a multitude of different devices at various stages of their product life cycle, some better than others (some worse!) but all, apart from a handful, would fail under version 3.2 of the standard. Not addressing the chip and PIN problem was not an option.

“The QSA report also provided a highly useful insight into our telephone card payments. As part of our preliminary investigations, we had realised that typing card numbers into a keyboard to enable telephone payments would require a full separation of the network, since telephone payments via Pay360 Paye.net were taken across the whole authority. This brought the entire network into scope. And whilst a full segmentation was possible, the cost (at over £1 million) was prohibitive.”

At this juncture, the QSA report was invaluable. Since telephone-based payments had brought the whole network into scope, it recommended taking telephone payments off the network entirely rather than trying to segment it.

Various options were explored thoroughly, including a dedicated and network-isolated telephone payments team, contracting out telephone payments to a third-party service provider, and implementing partial segmentation by allowing only certain staff members in each office to take phone payments.

However, the best option that emerged was Pay360’s CallSecure product. CallSecure allowed ERYC to lift telephone payments off the network. At a stroke, this solved the complex and thorny issue of network segmentation, because regular Council staff can handle the telephone call as normal.

Phone payments usually, though not always, arise from the call itself: booking a service, or querying and then paying a bill, for example. The payment portion of the call is the final action. At that point, the member of staff transfers the customer to Pay360’s CallSecure function, where payment is taken.

None of the card data traverses the Council’s network, and none of the Council’s servers or other IT infrastructure is involved: Pay360’s own PCI DSS-validated infrastructure handles the card payment on the Council’s behalf, while customers retain full access to the Council’s staff and services. Minimal changes to working practice were required, the biggest being a slight amendment to the call handling procedure to ensure that all areas of the call have been dealt with before the customer is transferred to CallSecure to make the payment.
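The scoping logic behind the segmentation problem and the CallSecure outcome, as an added illustration that is not part of the article and not code from Pay360 or ERYC: a small Python model of how PCI DSS scope propagates across connected systems. The inventory, system names and topology below are constructed for the example and are not ERYC’s network. The model treats any system that stores, processes or transmits cardholder data as part of the cardholder data environment (CDE), and every system reachable from the CDE over a link that is not segmented as an in-scope ‘connected-to’ system, which is the rule that put the Council’s whole flat network in scope once card numbers were keyed in across every department.

```python
"""Toy PCI DSS scope-propagation model (added example; constructed data)."""
from collections import deque


def pci_scope(systems, links, segmented_links=frozenset()):
    """Return the set of system names that are in PCI DSS scope.

    systems:         dict name -> True if the system stores, processes or
                     transmits cardholder data (i.e. it is in the CDE).
    links:           iterable of (a, b) network connections, undirected.
    segmented_links: links that cross a validated segmentation control, so
                     that the far side cannot reach cardholder data.

    Every CDE system is in scope, and so is every system reachable from the
    CDE over a non-segmented link ('connected-to' systems). Nothing is
    assumed about the provider's side; that scope sits with the provider.
    """
    neighbours = {name: set() for name in systems}
    for a, b in links:
        if (a, b) in segmented_links or (b, a) in segmented_links:
            continue  # segmentation stops scope propagating across this link
        neighbours[a].add(b)
        neighbours[b].add(a)

    scope = {name for name, in_cde in systems.items() if in_cde}
    queue = deque(scope)
    while queue:  # breadth-first flood from the CDE across open links
        node = queue.popleft()
        for nxt in neighbours[node]:
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


# Constructed inventory: a flat council network with department workstations,
# shared servers and a single core switch. Hypothetical names throughout.
COUNCIL_SYSTEMS = {
    "finance-ws-1": False,
    "housing-ws-1": False,
    "leisure-ws-1": False,
    "file-server": False,
    "ad-dc": False,
    "core-switch": False,
    "internet-firewall": False,
}
COUNCIL_LINKS = [
    ("finance-ws-1", "core-switch"),
    ("housing-ws-1", "core-switch"),
    ("leisure-ws-1", "core-switch"),
    ("file-server", "core-switch"),
    ("ad-dc", "core-switch"),
    ("internet-firewall", "core-switch"),
]


def keyed_entry_scope():
    """Before: staff in every department key card numbers into a workstation."""
    systems = dict(COUNCIL_SYSTEMS)
    for ws in ("finance-ws-1", "housing-ws-1", "leisure-ws-1"):
        systems[ws] = True  # the workstation processes cardholder data
    return pci_scope(systems, COUNCIL_LINKS)


def segmented_scope():
    """Option considered: a dedicated payments enclave behind a segmentation
    firewall. Only the enclave and the firewall itself remain in scope."""
    systems = dict(COUNCIL_SYSTEMS)
    systems["payments-ws-1"] = True
    systems["seg-firewall"] = False
    links = COUNCIL_LINKS + [
        ("payments-ws-1", "seg-firewall"),
        ("seg-firewall", "core-switch"),
    ]
    return pci_scope(systems, links, segmented_links={("seg-firewall", "core-switch")})


def offloaded_scope():
    """After: card capture is handed to an external provider, so no council
    system stores, processes or transmits cardholder data."""
    return pci_scope(dict(COUNCIL_SYSTEMS), COUNCIL_LINKS)


if __name__ == "__main__":
    for label, fn in (("keyed entry, flat network", keyed_entry_scope),
                      ("segmented payments enclave", segmented_scope),
                      ("card capture offloaded", offloaded_scope)):
        print(f"{label}: {sorted(fn()) or 'nothing on the council network'}")
```

Three scenarios are modelled: keyed card entry on departmental workstations (every system on the flat network is in scope), a dedicated enclave behind a segmentation firewall (the enclave and the firewall stay in scope, and in a real assessment the segmentation controls must be penetration tested to show they are effective, which PCI DSS 3.2 Requirement 11.3.4 calls for), and card capture moved to an external provider (nothing on the council network touches cardholder data, so the Council’s own network falls out of scope for that channel). The model ignores the telephony path and the provider’s infrastructure; those sit with the provider and are covered by the provider’s own validation.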

Operational and implementation challenges

The Council uses Paye.net to process payments for a multitude of services. These range from ‘standard’ payments such as Council Tax and housing rents to more complex service requests that require payment to have been made prior to the service being delivered.

ERYC currently has over 400 Paye.net users, the majority of whom take payment over the telephone. Approximately 30 users offer a face-to-face payment facility using Pay360-supplied chip and PIN devices.

“We have deployed Paye.net since 2002. Paye.net was the obvious choice as it enables our service delivering departments to take payment at the point of order. This reduces costs as it removes the need to raise an invoice, improves cash flow and allows service managers to better monitor income. Paye.net is also used to help drive down arrears by allowing departments to take payments whilst they have customers engaged on the phone – i.e. no more ‘The cheque’s in the post’,” says Lee Parker, Collection and Transactional Team Leader, ERYC.

Easy to implement?

CallSecure has been very simple to roll out. The ability to ‘switch’ existing Paye.net users instantly either individually or by department has allowed the Council to implement a phased roll-out whilst not suffering any loss of payment processing facilities. 

Existing users have transferred seamlessly to the CallSecure option, because they retain their existing user details and the only change to their previous practice is to select a different method of payment. Once this has been pointed out, the work process is smooth and transparent.

The benefits of CallSecure

The major benefit of using CallSecure is that it takes the call taker, and all the infrastructure that supports them, out of PCI scope, because the user no longer has access to the customer’s card details, which are handled in Pay360’s secure data centre. Scope reduction of this kind still depends on the provider: under PCI DSS 3.2 Requirement 12.8 the merchant must keep a list of the service providers that handle cardholder data on its behalf, hold written agreements with them, monitor their compliance status at least annually and document which PCI DSS requirements each party is responsible for. The Council investigated the option of segmenting the network for each user, but this was discounted on cost grounds: it was estimated that segmenting the network completely for its 400 users would cost approximately £1 million.

With this cost in mind, CallSecure was the obvious option for achieving PCI compliance while allowing the Council’s departments to continue offering payment services. Reducing those services was not an option. “CallSecure has also delivered reductions in call handling times, allowing call centre staff to move on to the next customer more quickly,” says Lee. ERYC is continuing to roll CallSecure out on a department-by-department basis.

Supporting ERYC’s transition to the Cloud

ERYC have been using Pay360’s Income Management product suite including AIM, ACR & Paye.net for over 15 years. Two options were considered when they upgraded from v8 to v9. These were to remain ‘on-site’ using Council-supplied servers or move to the hosted Pay360 Cloud solution. 

After a costing exercise it became apparent that savings could be achieved by moving to the Cloud. By having the system hosted by Pay360, the Council avoided the need to purchase a new server, as well as the ongoing cost of keeping that server secure and up to date.

Cloud also promised to make any upgrade of the product suite far simpler, requiring very little in the way of input from ERYC’s own IT department.

“The transfer to Cloud was a smooth transition. We had expert help in the shape of a dedicated project manager and an engineer who both understood the requirements of the Council and were on hand to investigate and resolve any issues we had. This support continued through testing and implementation in the live environment, ensuring we had minimum downtime on the day of transfer,” says Parker.

The major benefit to moving to the Cloud is that Pay360 is now responsible for maintaining both the software and the hardware. This cuts out having to decide whether issues are the responsibility of ERYC’s own IT department or a Pay360 issue. Any issues are now reported to the Pay360 helpdesk and resolved quickly.

ERYC’s PCI DSS challenges solved

Says Parker, “Through Pay360’s Paye.net and CallSecure solutions we have been processing on average 5,000 payments a month via our call centre with an average value of £170. Introducing this system has saved us £1 million and given us the peace of mind that we are fully PCI DSS compliant.

The main deliverables to us operationally have been:

  • Fully integrated to our existing call centre front end
  • Reduced operators’ time on the call by up to 50%, freeing us up to answer calls more quickly
  • Removed all telephone payments infrastructure from PCI scope
  • Reduced ERYC’s risk significantly and reduced the security burden on our teams by having no spoken payment card data in our call centres
  • Provided us with flexibility and options around our customer journey, returning a customer to the original agent, telephone hunt group or any nominated extension

More to come in 2018

Pay360 is not resting on its laurels. As Stephen Ferry, Managing Director, Pay360 by Capita, explains: “Historically Pay360 has focused on technology development and payment services delivery, and as you can see from Lee and Patrick’s responses, there’s still plenty of scope for our well-established solution sets to deliver cost savings for ERYC. However, when I joined the business at the end of last year, I believed that was not enough and our teams have been working hard during 2017 to make us better. 

“That has resulted in us developing two new offerings to support our merchant and acquirer communities. We identified the need for larger merchants (Levels 1, 2 and 3) to have more insight into their payments risk, to have the ability to exert greater control over the risks they took, and from that, to increase the conversion rate between customer contact and successful payment outcomes, and deliver that across all their customer communication channels. We describe that as our ‘Optimise’ offering.

“More specific to PCI DSS compliance is our second new offering, which we plan to formally launch in January 2018: Pay360’s ‘Secure’.”

‘Secure’ arises from work with the PCI SSC and from analysis of the market. 

Says Ferry, “We know too well that merchants today want to ‘get more with less’, so building the business case for additional spend is not an easy one. We also recognise that helping merchants understand how to get the right balance between people, process and technology, so that payments compliance does not impact needlessly on business-as-usual, is not an easy task either.

“We fully support the PCI Security Council’s mantra of ‘getting risk off the table’ and ‘devaluing data’ and at the same time, Pay360 is committed to helping our merchants by fully supporting our acquirer community’s recent acceptance that all merchants of Level 3 and above can now certify PCI DSS compliance on a channel by channel basis. That means Pay360 is aligned with our 250-plus acquirers and the PCI Standards Council to help reduce merchant risk, and reduce the merchants’ burden of compliance.

“However, keeping PCI DSS on the merchant agenda has not been easy for us this year as the merchant community works to cope with the requirements of GDPR, and we recognise those struggles won’t go away during 2018 or even 2019. 

“So, putting merchants in a position where they can de-risk their journey through GDPR and PCI DSS, as well as take full advantage of 3D Secure 2 and the Payment Services Directive 2 (PSD2), by providing them with the right guidance and tools to do the job, that’s what our ‘Secure’ offering is going to be all about in 2018.”
