Background

The broadcaster and home communications provider Sky has 10.6 million customers across the UK and Ireland, subscribing to services such as TV, telephony and broadband. Handling queries from these customers, as well as accepting credit card payments by telephone, is an army of contact centre agents. Every payment received must be secured according to Payment Card Industry (PCI) regulations; this involves complex checks for every part of the contact centre which is deemed “in scope” by coming into contact with card data.

The Challenge

Sky had implemented a call muting system, and operated a “pause call record” policy, whereby the call recording is put on hold while card data is spoken by customers. Although this seemed to be a valid means of complying with PCI regulations, it did nothing to reduce the area of the contact centre that was in scope for PCI. Four different areas were affected: the telephony infrastructure, which carried Voice over IP traffic; the Citrix system used to link in partners; Sky’s own network infrastructure; and over 5,000 in-house agent desktops. In addition, Sky was concerned about the difficulties of maintaining PCI compliance when agents were able to hear and see card data. Subsequently, Sky found that the “pause call record” process was complex, time-consuming and costly to maintain due to performance and infrastructure compatibility issues.

At the same time, Sky’s seven Outsource Service Partners (OSPs), employing another 9,000 agents, including 100 home workers, were seeking assistance for their own PCI challenges. OSPs were accessing Sky’s Customer Relationship Management Platform via Citrix. This meant that the in-house triggers for pausing call recordings were unavailable to them. Sky investigated the possibility of replicating the system out to OSPs, but ruled this out almost immediately due to bandwidth, cost and complexity issues.

The Solution

To address the three challenges of pausing call recording, maintaining PCI compliance for OSPs and reducing the vast area of the contact centre that was in scope, Sky laid out its requirements. The basic requirements to meet PCI compliance were:

  • Not to transmit PCI data in the clear
  • Not to record or store CVV2 data (the numbers on the back of the card)
  • To secure any infrastructure which contains PCI data

In addition to these, Sky had the following non-negotiable criteria:

  • The solution must not be bespoke
  • It must be swift to implement
  • It must be secure and sustainable
  • It must be easy to roll out to the OSPs and home based agents

The company also wanted to reduce the proportion of the contact centre remaining in scope of the PCI regulations.

Trying to secure every possible element of the contact centre where a breach might take place is never going to be easy; it’s an expensive and uncertain business. The solution has to focus on keeping the card data away from the contact centre.

– Scott Mackay, director of customer business systems at Sky

Three options were reviewed. The first was to keep the existing structure, adding additional security to ensure PCI compliance. This option was dismissed immediately due to huge time and cost requirements, which were likely to increase as time went on. The second option was to develop an improved Interactive Voice Recording (IVR) system in-house. Sky had the capability to do this, but decided against it on the grounds that it was likely to take 2 years and would be a huge distraction to a company whose technical team is dedicated to providing media services.

The Solution

The final solution was to work with a third party to deliver a solution that effectively removed the entire contact centre from scope. Semafone’s approach is to allow the customer to enter card numbers directly into their telephone keypad, sending this data directly to the acquiring bank. Not only does the digital information avoid the contact centre, but the agent is unable to identify key tones, which are masked. Semafone was selected not only because it committed to meet all of Sky’s requirements, but it also brought a number of other benefits, including SIP architecture, which helped to future proof the solution, and the ability to integrate with other security systems.

We chose to work with Semafone because we could see a young company with an experienced team and a unique new product.

We liked the company’s approach and were confident that the team would be able to deliver on its promise.

– Ahmer Memon, head of customer business systems technologies for Sky

Implementation

The solution was implemented within 9 months, on time and on budget. Semafone was integrated into three separate CRM systems and into the automated payment IVR. The Citrix system used by the OSPs was completely removed from PCI scope and Sky’s PCI compliance liability was reduced to a small “island,” which will be removed entirely when tokenisation is introduced in the future. The roll-out itself took place on a “big bang” basis. Following basic training, consisting of a 30-minute session for staff, supported by more intensively trained “super-users,” the agents all started using Semafone at once. A War Room was set up to handle any disruption and manned constantly for the first 24 hours of operation.

It was the most boring day of my career so far

We all sat in the room waiting for the phone to ring, but the only call was from an engineer wanting to know if we had any problems.

– Britta Barnet, Delivery Manager at Sky

The Results

Feedback from both agents and customers has been overwhelmingly positive, and tangible benefits were obtained immediately. Semafone has already cut the time and cost of PCI compliance by 50%, conservatively taking 2 years off the programme, and customers have expressed their appreciation of the additional security. Responses received to date include the following comments, and many more along similar lines:

It’s good to see Sky taking customer security seriously.

I never liked giving away my card details and now I don’t have to.

We are committed to treating our customers’ data with the utmost respect.

Several customers have already commented that they prefer typing in card numbers rather than saying them out loud. At the same time they like having a real person on the line to help them out if they mis-key a number. Agents are able to stay on the line and smooth out any problems, which we expect to help speed up average call handling time.

– Scott Mackay, Director of Customer Business Systems, Sky

The rollout across Sky’s contact centres is the largest scale project we’ve worked on by quite some margin, and as such it has been a very rewarding journey for Semafone.

Sky has a truly visionary approach to technology and is prepared to lead the way ahead of its competitors. Our teams have worked incredibly well together and we are delighted that the system has been well received by Sky’s customers.

– Graham Thompson, sales and marketing director, Semafone