Background

TalkTalk is a young company with a long history. Established in 2003, today it is the UK’s leading value-for-money consumer and B2B telecoms provider.

The Challenge

TalkTalk handles a significant number of payment transactions each day. With a wide variety of payment methods and channels to choose from, a growing number of customers opt to make online or telephone payments using their credit card.

To keep its customers’ personal data safe at all times, TalkTalk uses a form of tokenization for all card data, irrespective of the channel used to collect it. Data for online channels is secured using a secure iframe served by its acquiring bank. With so many customers choosing to pay by telephone, it was essential that this channel complied with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS has strict rules on how sensitive authentication data, such as the three-digit security code on the back of a payment card, is handled to ensure it is kept safe. In the early days, TalkTalk had to ask customers to read their card details out loud so that agents could manually key them into the system. All calls were recorded, and a ‘pause-and-resume’ method was used to prevent sensitive card data from being stored in call recordings. TalkTalk then worked directly with its Payment Service Provider (PSP), which validated and processed the payment.

As TalkTalk experienced rapid market growth, the company realized that it needed a completely new approach to de-scope the hundreds of checks and controls required by PCI DSS guidelines to keep data safe. That meant finding a robust compliance solution that would enable its contact center to record the entire telephone call, but not store payment card data.

The Solution

In 2011 TalkTalk was introduced to Semafone and it became clear that the only guaranteed way of taking its contact center ‘out of scope’ of PCI DSS was to remove all payment card data completely, and it could do this by using Semafone’s Cardprotect Voice+ solution.

Cardprotect Voice+ uses Semafone’s patented payment method and dual-tone multi-frequency (DTMF) masking technology to let TalkTalk’s customers enter their credit card details on their telephone keypad; the incoming card digits are intercepted, and the call center agent is presented with masked (flat-tone) digits instead. Once the system has verified that the information entered is correct, it passes the payment transaction data straight through to the payment service provider (PSP) for processing, bypassing the contact center and the desktop environment completely. The solution dramatically reduces the complexity and number of controls required for PCI DSS and allows the agent and customer to remain in full voice communication throughout the entire process.
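The flow in the previous paragraph as an added Python model; this is not Semafone’s code and does not reflect its implementation. It assumes a masking layer sitting between the carrier and the agent desktop, a Luhn check standing in for the “verified” step, a stand-in PSP that returns an opaque token, and ‘#’ as the end-of-entry key; the class and function names are constructed for the illustration.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    # Well-formedness gate applied before anything leaves the masking layer.
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class MaskingLayer:
    # Hypothetical interception point between the carrier and the contact center.
    def __init__(self, psp):
        self.psp = psp          # the only party that ever receives the clear PAN
        self.agent_view = []    # everything the agent desktop and call recording get
        self._buffer = []       # card digits, held only inside this layer
        self.capturing = False
    def start_capture(self):
        # Agent opens the payment window; keypad input is now intercepted.
        self.capturing, self._buffer = True, []
    def on_dtmf(self, key: str):
        # Handle one keypad event; returns the PSP token once the PAN is complete.
        if not self.capturing:
            self.agent_view.append(key)   # ordinary IVR navigation passes through
            return None
        if key == "#":                    # caller signals end of entry
            return self._submit()
        if key.isdigit():
            self._buffer.append(key)
            self.agent_view.append("*")   # flat tone: progress only, never the digit
    def _submit(self):
        pan, self._buffer, self.capturing = "".join(self._buffer), [], False
        if not luhn_valid(pan):
            self.agent_view.append("<invalid, ask caller to re-enter>")
            return None
        return self.psp.tokenize(pan)     # clear PAN leaves only via the PSP path

class FakePsp:
    # Constructed stand-in for the PSP: returns an opaque token, never card data.
    def tokenize(self, pan: str) -> str:
        return "tok_" + secrets.token_hex(8)

def run_call(pan: str):
    # Constructed call: the customer keys `pan` then '#'. Returns (token, agent_view).
    layer = MaskingLayer(FakePsp())
    layer.start_capture()
    token = None
    for key in pan + "#":
        token = layer.on_dtmf(key) or token
    return token, layer.agent_view
```

The property to check is that `agent_view`, which is all the recording and desktop would ever see, contains no card digits whether or not the entry passes validation.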

Jashan Sidhu, Head of Billings, Cash and Banking at TalkTalk, commented: “The Semafone solution appealed, as we could see that it would allow us to handle customer data even more securely and it would be a great enabler to become PCI DSS compliant. Our agents were able to stay in contact with customers at all times during the payment process and the customers felt far more comfortable tapping numbers into their phone than saying them out loud.”

The Move to a CPE Solution Within TalkTalk’s Data Center

TalkTalk initially deployed Cardprotect Voice+ ‘on premises’ in its UK contact centers, later expanding the solution to serve TalkTalk’s overseas contact centers.

In its quest to protect customer data, TalkTalk continually tests and challenges its entire network to ensure that payment card data stays ‘out of scope’ of PCI DSS and remains secure. Previously, card data was transmitted to its PSP and was potentially still at risk while it traversed TalkTalk’s own network. TalkTalk worked closely with Semafone to create a solution that primarily protected its customers by handling their card data in the best way possible, which in turn allowed the company to gain and maintain its PCI DSS accreditation.

Jashan Sidhu explained: “Cardprotect Voice+ did everything it promised and the team at Semafone were a joy to work with, supporting us at every step. This gave us the confidence to take advantage of Semafone’s platform services, which would provide further levels of security by removing the data from our systems completely. We set the wheels in motion to roll out a far more integrated program that involved moving our call routing through Semafone.”

The Implementation

TalkTalk worked closely with its Qualified Security Assessor (QSA), Semafone and its PSP to fully integrate Cardprotect Voice+. A joint project team worked tirelessly to embed the solution across all systems and ensure payment card data was not stored on TalkTalk’s systems by routing it through Semafone’s platform.

Like most large-scale projects, the delivery, implementation and integration were very complex and required great expertise from both the internal teams at TalkTalk and its external partners. The Semafone changes affected various channels and teams across the business. However, because Cardprotect Voice+ integrates via iframes that embed payment pages and fragments, TalkTalk’s customers could continue their journey without disruption, and TalkTalk is able to keep its payment journeys simple, secure and seamless for its customers.

Benefits

Jashan Sidhu commented: “PCI DSS compliancy was a massive project for TalkTalk and Semafone enabled us to reduce a huge number of applications across our voice recordings and IVR payment capabilities – it simply took away the need to read out card numbers, therefore the information was no longer stored in our voice/IVR application.”

The success of this project was a major achievement for TalkTalk, which became one of the first UK carriers to become fully PCI DSS compliant.

Jashan Sidhu continued, “We worked as a tight unit and Semafone delivered on time, achieving exactly the right solution for TalkTalk. Over 18,000 customers now pay via the telephone each week and they are happy and secure in the knowledge that their data is safe. Indeed, there has been an increase in credit card payments across the board and as a Tier 1 service provider, who is subject to regular external audits, we are confident that our systems are robust and fully compliant with the PCI DSS guidelines.”

Today, the company processes thousands of credit card transactions securely each day via a variety of payment channels. Its team of over 1,200 contact center agents can now easily and securely handle millions of transactions per year.

Jashan Sidhu concluded: “Sadly, the world has changed, criminals are far more sophisticated – we have to continually train our staff to be vigilant and lock the doors behind us at all times, but the good news is that criminals cannot steal data that is not there.”
