Background

The broadcaster and home communications provider Sky has 22 million customers across the UK and Ireland, subscribing to services such as TV, telephony and broadband. Handling queries from these customers, and accepting credit card payments by telephone, falls to an army of call center agents. Every payment received must be secured according to Payment Card Industry Data Security Standard (PCI DSS) regulations; this involves complex checks for every part of the call center that is deemed “in scope” because it comes into contact with card data.

Challenge

Sky had engaged Genesys to provide an omnichannel customer experience platform for its call center. As part of this, Sky had chosen a call muting system, with a “pause call record” policy, to put all call recordings on hold while card data is spoken by customers. Although this seemed to be a valid means of complying with PCI DSS regulations, it did nothing to reduce the area of the call center that was in scope for PCI regulations. Four different areas were affected: the telephony infrastructure, which carried Voice over IP traffic; the Citrix system used to link in partners; Sky’s own network infrastructure and over 5,000 in-house agent desktops. In addition, Sky was concerned about the difficulties of maintaining PCI DSS compliance when agents were able to hear and see card data. Subsequently, Sky found that the “pause call record” process was complex, time-consuming and costly to maintain due to performance and infrastructure compatibility issues.

At the same time, Sky’s seven outsource service partners (OSPs), employing another 9,000 agents, including 100 home workers, were seeking assistance for their own PCI DSS challenges. OSPs were accessing Sky’s Customer Relationship Management Platform via Citrix. This meant that the in-house triggers for pausing call recordings were unavailable to them. Sky investigated the possibility of replicating the system out to OSPs, but ruled this out almost immediately due to bandwidth, cost and complexity issues.

Requirements

To address the three challenges of pausing call recording, maintaining PCI DSS compliance for OSPs and reducing the vast area of the contact center that was in scope, Sky laid out its requirements.

The basic requirements to meet PCI DSS compliance were:

  • Not to transmit PCI data in the clear
  • Not to record or store CVV2 data (the numbers on the back of the card)
  • To secure any infrastructure which contains payment card data

In addition to these, Sky had the following non-negotiable criteria:

  • The solution must not be bespoke
  • It must be swift to implement
  • It must be secure and sustainable
  • It must work easily with the existing Genesys platform
  • It must be easy to roll out to the OSPs and home based agents

The company also wanted to reduce the proportion of the contact center remaining in scope of the PCI DSS regulations.

Trying to secure every possible element of the contact center where a breach might take place is never going to be easy; it’s an expensive and uncertain business. The solution has to focus on keeping the card data away from the contact center.

Kim Connor – Customer Contact Technology Platform Manager, Sky

Three options were reviewed. The first was to keep the existing structure, adding additional security to ensure PCI DSS compliance. This option was dismissed immediately due to huge time and cost requirements, which were likely to increase as time went on. The second option was to develop an improved Interactive Voice Recording (IVR) system in-house. Sky had the capability to do this, but decided against it on the grounds that it was likely to take 2 years and would be a huge distraction to a company whose technical team is dedicated to providing media services.

The Solution

The final decision was to work with a third party to deliver a solution that effectively removed the entire call center from scope. Semafone’s approach is to let the customer enter card numbers directly on their telephone keypad, sending this data directly to the acquiring bank. Not only does the card data bypass the call center, but the dual tone multi frequency (DTMF) key tones are masked so that the agent cannot identify the digits being entered. This means the agent can remain in full verbal communication during the entire transaction, and is on hand to help should any issues arise during the payment process, which significantly improves the quality of customer service.
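To make the scope argument concrete, the following is an added illustration (not Semafone’s or Sky’s code, and not a description of their product internals) contrasting the two models the case study describes: the original “pause call record” approach from the Challenge section, where the customer reads the card number aloud and a desktop trigger is supposed to pause the recorder, and the keypad-entry approach, where DTMF digits go only to a capture component while the agent leg and the recorder receive a masked tone. All names, the `submit_to_acquirer` stand-in, the event strings and the test card number are assumptions constructed for this example.

```python
"""Toy model of the two PCI scope approaches described in this case study."""
from dataclasses import dataclass, field
import secrets


@dataclass
class CallLegs:
    """What each downstream consumer of the call would actually receive."""
    agent_audio: list = field(default_factory=list)   # events on the agent's leg
    recording: list = field(default_factory=list)     # events written by the call recorder


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check used to reject mis-keyed PANs before they go anywhere."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display truncation: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def digits_exposed(events) -> bool:
    """True if any card digit reached this leg of the call."""
    return any(ch.isdigit() for event in events for ch in event)


def pause_resume_flow(spoken_pan: str, trigger_fired: bool = True) -> CallLegs:
    """The original 'pause call record' model: the customer reads the PAN aloud
    and a desktop trigger is supposed to pause the recorder first."""
    legs = CallLegs()
    if trigger_fired:
        legs.recording.append("[recording paused]")
    for digit in spoken_pan:
        legs.agent_audio.append(f"spoken:{digit}")      # the agent always hears it
        if not trigger_fired:
            legs.recording.append(f"spoken:{digit}")    # no trigger: PAN is recorded
    if trigger_fired:
        legs.recording.append("[recording resumed]")
    return legs


def submit_to_acquirer(pan: str, cvv2: str) -> str:
    """Stand-in for the acquiring bank (assumption, constructed for this example).
    It sees the card data; nothing on the call center side keeps it."""
    return "auth-" + secrets.token_hex(4)


def dtmf_capture_flow(keypad_pan: str, keypad_cvv2: str):
    """Keypad entry with masked DTMF: digits go to the capture component only,
    while the agent leg and the recorder receive a flat masked tone."""
    legs = CallLegs()
    captured = {"pan": [], "cvv2": []}
    for field_name, keys in (("pan", keypad_pan), ("cvv2", keypad_cvv2)):
        for key in keys:
            if key == "#":                      # '#' ends the field
                break
            captured[field_name].append(key)
            legs.agent_audio.append("tone:masked")
            legs.recording.append("tone:masked")
    pan = "".join(captured["pan"])
    if not luhn_valid(pan):
        # The agent is still on the line and can ask the customer to re-key.
        return legs, {"status": "retry", "reason": "pan failed Luhn check"}
    auth_ref = submit_to_acquirer(pan, "".join(captured["cvv2"]))
    # Only the truncated PAN and the acquirer reference come back to the agent
    # desktop and the CRM; the CVV2 is never stored anywhere.
    return legs, {"status": "ok", "masked_pan": mask_pan(pan), "auth_ref": auth_ref}


if __name__ == "__main__":
    SAMPLE_PAN = "4111111111111111"     # constructed Luhn-valid test number
    legs, outcome = dtmf_capture_flow(SAMPLE_PAN + "#", "123#")
    print(outcome, "recording exposed:", digits_exposed(legs.recording))
    legs = pause_resume_flow(SAMPLE_PAN, trigger_fired=False)
    print("pause/resume with failed trigger, recording exposed:",
          digits_exposed(legs.recording))
```

The point the model makes is the one the text makes about scope: in the pause-and-resume flow the agent leg carries the digits on every call, so the agent desktop, telephony and any partner link carrying that audio stay in scope, and a single failed trigger puts the PAN into the recording. In the keypad flow neither leg ever carries a digit, the Luhn check lets the agent handle a mis-keyed number without ever seeing it, and what returns to the desktop is limited to a truncated PAN and an acquirer reference.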

Semafone was selected not only because it committed to meet all of Sky’s requirements, but also because it brought a number of other benefits, including a SIP architecture, which helped to future-proof the solution, and flexible integration options, which allowed it to integrate with existing security and customer experience systems, including the Genesys platform.

We chose to work with Semafone because we could see a young company with an experienced team and a unique new product.

We liked the company’s approach and were confident that the team would be able to deliver on its promise.

Ahmer Memon – Head of Customer Business Systems Technologies, Sky

Implementation

The solution was implemented within 9 months – on time and on budget. Semafone was seamlessly integrated to work alongside the existing Genesys platform, and into three separate CRM systems as well as the automated payment IVR. The Citrix system used by the OSPs was completely removed from PCI scope and Sky’s PCI DSS compliance liability reduced to a small “island,” which will be removed entirely when tokenisation is introduced in the future. The roll-out itself took place on a “big bang” basis. Following basic training, consisting of a 30-minute session for staff, supported by more intensively trained “super-users,” the agents all started using Semafone at once. A War Room was set up to handle any disruption and manned constantly for the first 24 hours of operation.

It was the most boring day of my career so far.

We all sat in the room waiting for the phone to ring, but the only call was from an engineer wanting to know if we had any problems.

Britta Barnet – Delivery Manager, Sky

The Results

Feedback from both agents and customers has been overwhelmingly positive, and tangible benefits were obtained immediately. Semafone has already cut the time and cost of PCI DSS compliance by 50%, conservatively taking 2 years off the program, and customers have expressed their appreciation of the additional security.

Responses received to date include the following comments, and many more along similar lines:

It’s good to see Sky taking customer security seriously.

I never liked giving away my card details and now I don’t have to.

We are committed to treating our customers’ data with the utmost respect. Several customers have already commented that they prefer typing in card numbers rather than saying them out loud. At the same time they like having a real person on the line to help them out if they mis-key a number. Agents are able to stay on the line and smooth out any problems, which we expect to help speed up average call handling time.

Kim Connor – Customer Contact Technology Platform Manager, Sky

The 2011 rollout across Sky’s call centers was Semafone’s first large scale project and working with Sky over the past six years has been a very rewarding journey for us. Sky has always had a truly visionary approach to technology and is prepared to lead the way ahead of its competitors. Our teams have worked incredibly well together and it’s always fantastic to hear positive feedback from end users.

Tim Critchely – CEO, Semafone
