Carlos Moreno Tobon was a payment card and fraud analyst at Locus Telecommunications until recently.
Would you mind starting off by telling us a little bit about your background?
We’re a prepaid telecommunications provider based in the United States, operating under the prepaid model which is very popular in Europe and South America, but really not very popular in the United States up until five years ago. Along with that popularity growth came the responsibility of safeguarding the increase in credit card transactions.
One of the things that we looked at for guidance was the rules and regulations as well as the recommendations set forth by the PCI Council. I analyzed our organization’s situation to identify ways in which we could tackle security. From the get-go, I understood that the best course of action for an organization our size and with our resources was to look for third-party providers to whom we could outsource many of these functions and leave all the security concerns behind us. That’s where we’re at now and that’s how the process of finding third-party vendors and setting up this secure infrastructure came about.
Your decision was to de-scope entirely, just not have the data?
Yes. Especially with the latest releases of PCI DSS, we noticed that there was a lot of complexity especially when it came down to the requirements having to do with networks and databases and a lot of these different things just put a huge burden on us.
When we noticed that the complexity of the PCI requirements was so huge, we decided it would be best to de-scope this any way we can, get it out of sight, get it out of mind. That’s the approach we took. It was more of a technical decision at first, but then it became apparent that it was going to be a financial decision as well.
We started doing the math and we realised that just isolating databases and mainframes so that we could have payment information isolated from our daily activities would mean that every workstation had to have a couple of different computers, that our customer service department would need to be completely isolated and run on its own database and their own network. We calculated and we estimated that the cost to develop this was probably going to be in the neighbourhood of $1.5 to $2 million. We’re just not that big. We don’t have the resources to go out and drop $2, $3 million on making this happen, so it became very obvious that we needed to descope.
From a technical standpoint too it made a lot of sense. We didn’t have to make any changes to our internal systems. We didn’t have to go around and re-design our CRMs or accounting systems or anything like that. We figured, you know what, if we go out, we outsource and we descope, we better find providers that match up to our technical needs. That was important.
What methods were you using beforehand to ensure payment card security? How were you taking payments over the phone beforehand?
Beforehand, we relied on basic IVR protocols. Whenever we had data transmission or stuff that needed to flow through our servers, we tried to use socket layers of security that had certain encryption levels, but of course all this information still flowed through our systems which were shared by everything internally from our billing platforms as well as our customer service and as well as our CRM tools.
Even though we tried to prioritise how we handled that information with certain encryption levels, we still knew that at that point, we had some of that data whether it was in transit or at rest, it was still residing within our servers and our databases.
Obviously, the very first thing we needed to do was identify a payment service provider which was PCI DSS level one that provided a payment gateway that was equally compliant. We saw sought some refuge in the sense that we knew that at the very least after the information had been transmitted and we obtain authorisations, the data was safe, but during the collection process we were still very much exposed.
We had all sorts of internal procedures in which a customer service representative outside of our New Jersey or United States call centers were the only ones authorized to accept and handle and listen in to card numbers over the phone. We never allowed our outsourcing partners to listen in to those calls or obtain card information, but there was still the possibility that our customers unknowingly so would offer that information to our outsourced partners.
Really, it was a very primitive approach and it was just using very basic tools and very basic levels of encryption.
What criteria were important to you when deciding what option to go for?
I think the biggest things were flexibility, integration time frame and pricing. Pricing was a huge driving factor. We weren’t able to sacrifice the solutions just because we wanted to save a couple of dollars here and there. That was huge, but the biggest and I think the one that had the most impact was just the flexibility from the third-party provider to allow us to meet our needs as opposed to us having to change things around in order to meet the needs of the solution which was the case with other providers.
When we looked at Syntec we saw that they had the very same options that all the other companies were offering but were a little bit more robust because of the ability to have the hosted solution as opposed to the on-site solution. That was huge. Just the fact that we didn’t have to have equipment or DTMF tone blockers in every station, that to us was huge. When the price proposal came in, it was a no-brainer.
Why did you decide to go for a DTMF solution specifically?
We have many different channels of accepting payments and we needed to make sure that all of them communicated and we needed to make sure that all of them resided within the same ecospace. We have a customer service department, we have an outsourced customer service department. One of them in Japan, and a couple of other ones in different parts of the world. Really, when you’re dealing with call centers in different corners of the Earth as well as a full-blown e-commerce platform, you’ve really got to look for different solutions and sort of mix and match what it is that you want.
We isolated a lot of the information. We took care of a lot of the recurring transactions, but we still had the big issue of what to do with our customers who were still dialling in, what are we going to do with that outsourcing our platform? We said, okay, the best way to approach this is to do a combination of both DTMF masking, collecting as well as tokenization. When we really had that one-two punch, that’s when we realised, okay, this is the way and this is the approach to have a full-blown de-scoping solution and that’s what we went with.
What benefits have you seen since implementing the solution?
Well, I think the biggest benefit has been the fact that we no longer have that dark cloud lingering over our heads. Not if we’re going to get breached, but rather when we’re going to get breached and when we do get breached, what’s going to happen. We no longer have to think about it. The liabilities are now gone. We’ve been able to streamline everything in a way, so that the collection of data is much more efficient.
Before, we had to rely on customer service representatives to listen in to customers giving their card numbers and there was always room for error. A lot of our customers are not native English speakers. There was always that issue of communicating and having to repeat that information. Now the customer has the ability to enter that information directly, we no longer have that possibility of human error margin.
It has helped in expediting the flow of calls, collecting information accurately and really gives the customer more control as to their transactions. Another added benefit to that is of course, the perception that the customer now sees. Obviously, they feel a lot better because they no longer have to speak up their card over the phone. They no longer have to wonder if their card is going to be compromised. It just may give them that good sense of security that their card is being handled internally and with no human interaction.
One of the biggest benefits have just been the way that we’ve been able to manage the flow of the calls as well as just completely eliminating the scope. Basically, we went from having a PCI assessment of 300 plus pages for our PCI level down to a self-assessment questionnaire of three pages and a certification. That was insane.
We didn’t have to bring in any outside consultants. We didn’t have to bring in any outside security assessors. That was huge to us. I believe right now the going rate for an assessor is somewhere around $5,000 to $10,000 per certification cycle. You’re forking up ten grand a year, it just doesn’t make any sense.
Have you had any feedback maybe from your staff, people in the call centers or from your customers about how they like it?
Some of the most positive feedback that we received have actually been from the higher-ups within our customer service department. At first, there was a learning curve, not so much more for our representatives and not so much for us internally, but rather to educate our customers as to how this is managed. Everybody is very used to the idea of just speaking up the card number over the phone.
For the first couple of months after integration, there was a little bit of hand-holding, letting the customer understand that this is a new initiative to keep them very safe. After the growing pains went away, the feedback that we received from our customer service department has been very positive, again because it allows the customer service representative to tackle different things at once as opposed to having to listen in to a card number, typing it into a computer and processing that transaction.
All this information is happening on the back-end, so during the time that the customer is taking care of the payment, the customer service representative has the ability to offer them promotions, offer them benefits of signing up to different options that we may have available to them. It’s really freed up some of their time.
Any time you free up five, six, seven seconds on any call and you multiply that by our call volume, you are saving quite a bit of manpower and that is some of the positive feedback that we have received from our higher-ups within our customer service department.
What was it like working with Syntec during the implementation of the project?
I’ve worked with many third-party providers over the years, whether it was a tokenization provider, an auditor or an assessor. I actually have the pleasure of saying that I’ve never had any other vendor as motivated and as willing to work with us as Syntec was. From the very first conversation that I had, it was very apparent that really, they didn’t want to be a service provider but they wanted to be a true partner. That to us was huge.
Whenever we ran into issues, calls were quickly coordinated with IT. A lot of times, we had to have calls at our C level, with our executives just to get them to understand what the solution was all about because it’s very easy for somebody who’s technically inclined and somebody who understands this to get it, but it’s very difficult for somebody who doesn’t understand it to really know what this is about. That to us was very important. I think the ability for the folks at Syntec to be able to adapt to the different personalities and what the different needs internally were, was huge.by