One of the world’s leading global call centers, with contact centers in over 15 countries, support in roughly 30 languages, and more than 20,000 employed team members, engaged Focal Point for a PCI risk assessment and compliance roadmap. The Call Center was being acquired, and wanted to evaluate their compliance efforts, network security processes, web application infrastructure, and security policies to see if they were aligned with the PCI DSS requirements prior to the acquisition completion.
Due to the urgency of this project and the fact that there was no margin for error, the Call Center needed an experienced and trusted advisor to help them understand their current program and the remediation steps necessary to be fully aligned with the PCI DSS. The Call Center selected Focal Point to perform an initial gap analysis, which uncovered that the Call Center was only compliant with one PCI requirement. But Focal Point designed a clear compliance roadmap, and after 5 months of remediation work, the Call Center was compliant with the PCI DSS. They designated Focal Point as their primary QSA and have continued to partner with Focal Point for PCI services and penetration testing for the last five years.
Project Summary
Challenge 1: Lack of Defined Controls
At the start of the engagement, Focal Point performed a detailed gap analysis across the Call Center’s entire network and supporting infrastructure, including routers, firewalls, servers, and service providers. This assessment analyzed how their cardholder data was captured, transmitted, and stored using the existing applications and processes.
A significant number of gaps were discovered through this analysis, indicating a lack of understanding around the PCI DSS and the company’s cardholder data environment (CDE). The results of the gap analysis revealed that the Call Center only had one requirement in place out of over 300+ – a physical lock on the data center door. Based on these findings, the Focal Point team developed a comprehensive PCI roadmap and listed the remediation tasks that needed to be implemented in order to achieve compliance, categorized from highest to lowest priority.
Challenge 2: Compliance at the Eleventh Hour
A few months after Focal Point completed the gap analysis and delivered the PCI compliance roadmap, the Call Center requested help with the remediation of their infrastructure, architecture, policies, processes, and plans of their systems. Over the next few months, Focal Point conducted penetration tests, vulnerability assessments and scans, defined their incident response and business continuity plans, and redesigned their infrastructure to align with new controls.
After five months of remediation, the Call Center’s PCI compliance program had significantly matured as a whole. However, the Call Center had not realized the magnitude of their PCI compliance needs and had waited to begin compliance until the final negotiations for acquisition. Despite the team’s best efforts to rush the remediation, they were forced to delay the acquisition process.
Eventually though, the acquisition went through. Today, the Call Center has a robust PCI DSS program with a dedicated team managing and monitoring compliance. By eliminating redundant compliance efforts and minimizing dependence on third-party vendors, the Call Center reduced their timeline of future PCI audits to under six months, even as they grew and acquired other businesses.
Challenge 3: Immature Security Environment
Over the course of the project, Focal Point identified a serious lack of the security awareness within the Call Center, including its IT and security teams. A combination of overly permissive business justifications and turnover led to a host of security vulnerabilities and compliance challenges. For example, members of the IT and Information Security departments at the Call Center were unaware of certain CHD dataflow changes, which caused segmentation issues and led to inadequate protection.
To improve cybersecurity processes, the Focal Point team delivered a detailed network diagram of the Call Center’s environment and defined their CDE and non-CDE perimeter devices. Through facilitative sessions with key stakeholders, Focal Point provided guidance on ways to reconstruct segmentation rules and develop a scope to minimize delays and costs, eliminate blind spots in the environment, and establish a proficient compliance posture.
Success and Continued Support
After completing the initial gap analysis and PCI compliance roadmap, the Call Center was able to reduce the overall scope, risk, timelines, and expenses related to PCI DSS compliance. Due to their ongoing compliance efforts, the Call Center has seen a marked reduction of more than 50% in annual PCI compliance fees.
Following the success of this initial engagement, the Call Center has continued to partner with Focal Point on PCI attestation services, onsite audit assessments, and penetration tests for the last five years.