PCI Pal: Security by design

EXECUTIVE SUMMARY

PCI Pal PLC is a leading supplier of PCI DSS compliant contact centre technology solutions. The company has its origins in an internet local directory that expanded rapidly, first into contact centre services and then into designing and building scripts for contact centres. Later, founding directors William Catchpole and Geoff Forsyth developed a PCI DSS compliant payment service called PCI Pal, using a dedicated hosted datacentre. PA and 7Safe senior risk and compliance consultant Sujith Madathil Parambath assisted and advised PCI Pal on designing the secure architecture and identifying secure solutions to build the platform. PCI Pal ensures that card data remains safe throughout the transaction process, and customers are reassured because there is someone on the line to make sure that everything goes smoothly. Agents can deliver the highest quality customer experience without complicated security controls to adhere to, or the pressure of handling sensitive data. Crucially, the requirements of PCI DSS compliance are dealt with by PCI Pal, so clients can concentrate on business objectives.

BUSINESS ISSUE/PROBLEM

Our client needed to develop a security architecture that was 100% PCI DSS compliant without slowing down contact centre operations.

REQUIREMENT

Provide a secure architecture design that prevents card data from ever entering the call centre environment, first for a server-based solution and later for cloud services, to create a robust and safe environment.

THE PROCESS

What PA did: We assessed the system requirements for PCI Pal from the standpoint of PCI DSS compliance and operational efficiency. Following our analysis, we assisted PCI Pal in designing a data server architecture to make this ongoing compliance requirement easier, more cost-effective and more robust. Our QSA also carried out regular and extensive security audits as part of the PCI DSS compliance process.

Key activities: identifying card data flows; mapping those flows to the IT/telephone network; ascertaining processes and controls; reviewing documentation; 7Seec data discovery; report writing; preparing returns to the acquirer; and designing compliant security architectures.

Infrastructure penetration tests and network segmentation tests were conducted within the environment to validate that the required controls had been implemented. ‘Cloud-ified’ assessments were included to test applications and services deployed on IaaS, with validation of the security controls set within VPCs (AWS specific) through network segmentation tests. The PA and 7Safe team also improved the Terraform deployment scripts (used for deploying and maintaining the configuration of the infrastructure), based on the output from the assessments.

In addition, PCI Pal’s CTO attended the 7Safe Hacking Insights for Managers (HIM) course, to help develop awareness of the potential threats to the environment and insight into what was being reported back throughout the engagement.

PA CONSULTING'S WORK ON AWS

PA has been supporting PCI Pal’s development of a new payment platform on Amazon Web Services, a unique combination of cloud, PCI compliance and SIP telephony, by:

  • Defining the target AWS architecture and design
  • Recommending best practices for securing AWS accounts
  • Recommending the use of immutable servers and infrastructure-as-code, with specific recommendations on platform agnostic tooling (i.e. Packer and Terraform) and integrating with PCI Pal's build and deployment pipeline
  • Developing, testing and refactoring Packer and Terraform scripts including log management components
  • Identifying and implementing the server hardening controls necessary for PCI compliance
  • Knowledge transfer to the PCI Pal development team

This led to the successful deployment of a demonstration platform in time for the CNP Expo in Orlando in May 2017.

OUTCOME

The client achieved PCI DSS Level One certification well within the allotted time and on budget. The scope includes PCI Pal Agent Assisted Payments, IVR Payments, Hosted Solution, Contact Centre Payments, and Secure Payments.

BENEFITS TO THE CLIENT

The PCI Pal secure payment system has won and developed some big-name clients since its launch in 2012, including IKEA, Serco, Made.com, and All Saints. In the process, the platform has migrated to the AWS cloud, providing greater flexibility for contact centres and extending the service reach to overseas markets, notably the USA. As a truly global agent assisted secure payment service, PCI Pal can offer advantages that few competitors come close to providing. PA and 7Safe’s experts led the security-by-design aspects to achieve PCI DSS compliance and system performance on time and within budget.

“In April 2017, we saw our shares surge by 17% on card security contract wins, reinforcing our position as one of the market leaders in delivering cloud-based PCI compliant solutions to the largest and most demanding clients. We continue to see the market waking up to the effects of cybercrime and with the imminence of the General Data Protection Regulation driving PCI compliance. Thanks in no small part to the expert advice and technical support from PA Consulting and 7Safe, PCI Pal is well placed to capitalise on this global opportunity and grow.”

NEXT STEPS

The client is continuing to use 7Safe for their annual PCI QSA assessment and is developing PCI DSS compliant services for contact centres in overseas markets including the USA and Canada with the help of PA Consulting’s security design specialists. PA and 7Safe will conduct half-yearly penetration tests going forward to ensure PCI Pal’s security and compliance.

#    #    #

To speak to a PA & 7Safe Consultant and QSA, contact our sales team on +44 (0)1763 285 510

Visit our website for more information: https://www.7safe.com/risk-and-compliance