ACP: The Amazon Connect Podcast

7: PCI Compliance

CloudInteract - cloudinteract.io Episode 7


In this episode of ACP we delve into the world of PCI compliance with our guest, Dmitri Muntean, managing director at SequenceShift.

Dmitri brings his extensive knowledge in PCI compliance and telephony to discuss the challenges and solutions for businesses using Amazon Connect. The episode explores how Dmitri's company, SequenceShift, specializes in providing PCI compliance solutions specifically designed for Amazon Connect, including agent-assisted phone payments and self-service IVR options. 

Dmitri explains the importance of PCI compliance for any business handling cardholder data, detailing the compliance levels and the rigorous processes involved. The discussion further covers the limitations of common practices like pause-and-resume call recording and the advantages of third-party compliance solutions. Dmitri also shares insights on launching services through the AWS Marketplace and the evolving Amazon Connect ecosystem in Australia. 

Listen for a comprehensive guide to navigating PCI compliance in the Amazon Connect environment.

Find out more about CloudInteract at cloudinteract.io.

Tom Morgan:

Welcome to ACP, the Amazon Connect podcast. This is the show that focuses on Amazon Connect and related technologies. I'm your host, Tom Morgan, and I'm joined as usual by my co-host, AWS Solution Architect and Contact Center Consultant, Alex Baker. We are also joined today by Dmitri Muntean, managing director at SequenceShift. Find out more about CloudInteract by visiting us at cloudinteract.io. Welcome to the latest episode of ACP and a special welcome to Dmitri. Dmitri, you are coming to us all the way from Sydney. And because I hate myself, I had to look up the weather and it looks amazing. We are coming out of a very rubbish weather, January thing happening in winter in the UK. So it's great to have you on the podcast. So welcome.

Dmitri Muntean:

Thank you guys. Thanks, Tom. Thanks, Alex.

Tom Morgan:

So please, in your own words, do you mind just giving us a little bit of an introduction about yourself and about SequenceShift?

Dmitri Muntean:

Sure. Yes. My name is Dmitri. I'm Managing Director of SequenceShift. Prior to starting SequenceShift, I've been working in PCI compliance and the general security space. And I also had some experience working in telecom, so I know telephony a bit. SequenceShift focuses on PCI compliance for Amazon Connect. So we provide solutions that are designed specifically for Amazon Connect, and they solve the issue of PCI compliance in a number of ways. So we have two solutions at the moment. One is the agent-assisted phone payment. Another one is the self-service IVR.

Tom Morgan:

Okay. So let's let's sort of take a step back for a second and I want to make sure that everyone's on the same page. So I think I know what PCI compliance is, but can you help me? Like, if I don't know what PCI compliance is, what, what is it and why, why is it, why should I care about it?

Dmitri Muntean:

So PCI compliance is a set of rules created by Visa, MasterCard and other card schemes to govern how cardholder data is stored, processed and transmitted, and it's applicable to any business that is doing one of those things with cardholder data. So if you touch cardholder data, namely credit card numbers and debit card numbers, you are exposed to PCI compliance and you're subject to PCI compliance. There are different levels of compliance, depending on the number of cards that you as a business process in a year, with the toughest one being level one. Level one and level two require an external third party, a QSA, qualified security assessor, to come in and assess your infrastructure, your people, your processes, everything that is around the cardholder data.

Tom Morgan:

So this is about the card companies wanting to keep confidence in the system, right? By saying it's safe to use cards, because the people and the process, there's a compliance sort of management process that makes sure that they're doing the right thing all the time. And people are making sure that's true.

Dmitri Muntean:

Correct. So on a high level, it is a way of, you know, giving people peace of mind. If they're providing their cardholder details to a company and that company is PCI compliant, that means the way they're going to handle your card details is going to be secure and, you know, to the best available security.

Tom Morgan:

Got it. And that responsibility, I guess, flows. It includes the company, you know, let's say the shop or the retailer, whoever it is taking the cardholder data. It also includes whoever, whatever they do with it, ongoing. And like, are there different sets of rules for different people in the chain, essentially? Because I'm thinking if I'm a shop, yeah, I take my cardholder data. Probably then I put it into some system, you know, either what I've been given by my bank or whatever. Or if it's online, there's a process for doing that, I guess. And then, like, all the way up until it gets to the bank. Are there different sort of levels, if you like, for the different people in the chain?

Dmitri Muntean:

Well, there's a difference for service providers. So those companies that provide services based on the cardholder data. So those that process, you know, store it for recurring billing and things like that. So there are additional requirements for the service providers, but generally PCI compliance is a set of rules and it's applicable to everyone and it goes up to the bank. The banks don't have to be PCI compliant, but anyone else down the line has to be compliant. The general approach that, you know, the market has taken over the last probably decade is to outsource as much PCI compliance as possible. So to find a vendor, to find a third party, to perform the majority, if not all, work related to the cardholder data. But even then the customer, or the business that uses the third-party provider to process the card data, is still exposed to the scope; it's just that the exposure is absolutely minimal. So that can be either SAQ A or SAQ D, so self-assessment questionnaire of type A or type D, and that just varies the number of requirements that they have to comply with. Just for comparison, the full standard is over 300 requirements. The SAQ A is about 24 requirements.

Tom Morgan:

Okay. I think there's a perception sometimes that PCI compliance is just for big companies. And, you know, it's not something you have to worry about if you're just like, I've just opened a flower shop and I've just gone to Amazon Connect and got a phone number and there's just me and my friend, you know. I guess that's where providers can really help, right? Because I'm going to assume, and you can correct me, that actually PCI compliance does also apply there as long as you're, you know, dealing with cards, and that's where a provider can really help, like take some of that workload and bring it back down to what you were talking about, like the self-assessment questionnaire, if you like, rather than making it a very onerous process.

Alex Baker:

Yeah, on that point, sorry, Dmitri, it'd be interesting to know a bit more about, you mentioned sort of level one, level two kind of categorization of organizations as well.

Dmitri Muntean:

Yeah, so generally it's all about the risk profile. And you're absolutely right. The levels are assigned based on the number of cards handled in a year. Anything below 20 thousand is level four, that's the lowest level that can be assigned to a merchant, a business that processes card payments. Level three is between twenty thousand and one million. Level four is one to six, and anything above six million is level one. And also the schemes, Visa and MasterCard, can assign the level themselves. So even if a merchant, say, qualifies for level three, if they deem them high risk, they can assign them level one. The service providers can be only level one or level two, regardless of the number of cards. Well, if they process below 1 million, they're still level two. So the difference there is because level three and level four don't require you to involve a third party to do a security assessment, but level one and level two require having a third party. And yeah, service providers are just required to have a third party assess their security.

Tom Morgan:

Got it. Okay. That makes sense. Okay. So that's kind of the landscape where we have this problem. And so, at a really high level, what does SequenceShift do to kind of solve for that problem, and how do you do it?

Dmitri Muntean:

Yeah. So in effect, who we are is we are that third party that provides the solutions to reduce the exposure to PCI compliance. So we handle the card details ourselves on behalf of the customer. And that helps merchants, businesses, reduce the exposure to PCI compliance. And there's a lot of misunderstanding on the market, and it's applicable to Amazon Connect. So Amazon Connect itself has tools to kind of provide you with the security around the card data. There's pause and resume, although it's not deemed, you know, it's not suitable for PCI compliance, but a lot of companies try and use that: they pause the call recording when the customer is about to provide their card information and resume afterwards. There's information on how to encrypt the card data. So Amazon Connect is capable of encryption of information. And also Amazon Connect itself is a PCI compliant service, a level one compliant service. It's covered in the services in scope. So there's a page on the AWS website that covers all the services and Amazon Connect is there. So on a high level, a lot of people think that, okay, with all of that it means I'm compliant. You know, they make it sound like...

Tom Morgan:

Yeah, they make it sound like it's all compliant, right?

Dmitri Muntean:

Yeah, correct. But without using a third party you are exposed to the full scope. So over 300 requirements are applicable, and these requirements are not only technology requirements; those requirements cover processes, people in the organization, their roles, what they do, how they do it. And that becomes a real burden, and we've seen that a lot of times: customers would look at our solution, decide that it's too expensive, go and build their own solution, go through the first audit, and understand that they didn't save a bit. Yes, building your own solution is cheaper in the short term, but in the long run, if you look at it, PCI compliance keeps changing. For example, at the end of March PCI version four becomes the default one. And that brings a lot of new requirements to the customer. So companies that have built their own solution and been running so far with them will now have to assess their solution against level four, against PCI version four. And they'll realize that there's a lot more things in scope that they need to look into, and they need to adjust their solution, adjust their processes, and do a lot of other stuff to maintain their compliance. By using a third party, that's the responsibility of your provider. Your provider needs to be compliant, level four, version four compliant.

Tom Morgan:

So it completely makes sense. Like it's all those things that are not the primary focus of the organization. It's just like outsourcing your website or your SEO or a million other things that are not core to what your company is doing, with the added, like, flavoring of risk as well. Like, you know, the added risk exposure you pick up by not doing it properly.

Dmitri Muntean:

That's absolutely right. That's absolutely right. Yeah.

Alex Baker:

Can we touch a bit more quickly on, I'm interested in what you said about pause and resume in particular, Dmitri. I think that's something that is quite common from what I've seen across contact centers that might be taking payments. A lot of them seem to adopt pause and resume as sort of that base level of "this will stop us from capturing the card details." Why is it that that in itself might not be sort of compliant and might not be what they actually need?

Dmitri Muntean:

So ultimately it is up to the QSA to say if it's compliant or not compliant. But by using pause and resume, you solve only one piece of the puzzle. You solve the problem of having card data recorded somewhere. And that means the storage that you use for recording, usually S3, you know, doesn't fall into the PCI compliance scope. However, you know, are you absolutely sure you're pausing it every time? And resuming, maybe not that important in that context, but are you sure that it's paused every time? So that's solving just one problem. But you also have a problem of, you know, agents. Because agents are on the call and they're using computers, there are other devices in the room. All of that from a PCI compliance perspective has to be segregated. So the network has to be segregated, because the cardholder data travels through those computers. They're typing it in. They're using headsets. All of these devices need to be patched. They need to be, you know, patched within a month of the release of the latest security updates. So you need to patch your phones, you need to patch your computers, you need to use some sort of recording tools for the screen to make sure the agent is not recording this data, you know, in a text file and printing it out and taking that home. You need to ensure that it's a clean room environment, that the agents are not writing the information down, you know, and taking that home. So pause and resume solves just the problem of the recording. You still have the people, which are agents, you have the processes, how the card data is taken, and you have all that infrastructure that the card data travels through that needs to be segregated, kept up to date, maintained, and everything that comes with it. Hope that makes sense.

Tom Morgan:

Makes sense. Yeah. Great answer. Thank you. Yeah, cool. So you said earlier that you had two different models for kind of delivering your solution on Connect, agent assisted and non-agent. Is that correct? Do you want to just walk through those? Yeah, because it'd be good to understand, like, how that works.

Dmitri Muntean:

Yeah. So I'll start with the self-service option, which is the easiest one. So it's basically a customer reacting or providing their card data after listening to the prompts. It's a prompt play: please enter your card number, they enter the card number, please enter your expiry date, CVV, et cetera. So it is a simpler solution in terms of there's no agent involved in that process. What's different about our solution compared with other vendors is that with our solution, the call never leaves Amazon Connect. If you look at what's available on the market, it is usually the dial out. So your customer goes through the contact flow, and at the time when they need to make a payment, Amazon Connect dials out to a third party, and that part where the card data is captured is hosted in that third-party IVR. And it becomes a challenge to pass additional data. So for example, an amount that the customer must pay, any reference number that you want to, you know, pass with the payment, any other additional information that's required for that payment. So yeah, it just becomes really, really problematic to pass that initial information into the third party. With our solution, the call always stays in Amazon Connect. So as the customer goes through the flow, they're somehow authenticated. They provide some information about, for example, their invoice number, and you can do a data dip. You can look up that information in your database with the help of a Lambda. You can retrieve all the information that you have about that payment. You can, you know, tell the customer the amount that's outstanding. You can tell the customer other reference numbers, and if the customer wants to proceed with the payment, that information is just passed to our system via API call.
And then they go into providing their card data, which still happens within Amazon Connect and is immediately sent over to our environment in the encrypted format. So we provide an encryption key, which gets imported. It's a public key, so that key can only be used to encrypt the data. It gets imported into Amazon Connect. The customer provides their data, it gets encrypted and sent over into our environment.

Tom Morgan:

That's nice. And I can kind of see, like, that's a nice model for security as well, because there's no other humans present, like, in that process. You've taken the agent out, which I guess is a compromise, right? Because it's arguably safer, but is it quite the same kind of human touch? But I guess companies have that choice, right?

Dmitri Muntean:

Yeah, yeah. And a lot of our customers use both of our solutions, but they have different use cases. And it is really down to, you know, why the customer is calling. So for example, if we're talking about a company that collects payments, for example your energy company, so you are calling to provide a payment and that is the reason for your call. And for you or for the business, it doesn't really matter if it's agent assisted or self service; the customer will provide the payment because that's the reason they called, you know, this organization. But if it's a sales call, for example, where an agent is trying to convince the customer to make a purchase, to buy something, switching them off, you know, after the conversation, after the agent and the customer have agreed to, you know, proceed with the purchase, switching them to an automated IVR, you know, can lead to customers dropping off, because it's much easier to hang up on an automated IVR compared to, you know, a human, when you're talking to a human. And this is where our second solution comes in. So it's an agent-assisted solution. The way it works is the agent and the customer maintain voice communications. So they keep talking to each other during the process all the time. And the customer still uses their keypad to provide their card data, which pops up on a page to the agent. So the agent is looking at the page, and the information that's entered by the customer pops up there in a masked format, and the agent can confirm all the details. So for example, they can see the type of the card, the last four digits; they can't see the full card number, only the last four digits. And they can't see the CVV, but they can confirm, you know, the amount, everything else. And the agent is the one who initiates the payment. So they can see the response in real time.
So they can say, yeah, I can see it was approved, and they can move on with their scripts. Or they say, unfortunately it was declined, would you like to try a different card? Maybe, you know, maybe you made a mistake during the data entry process. Maybe let's try it again. So this is what the agent-assisted solution is. This is where the agent and the customer talk to each other, and a sales call is just one of the applications. But obviously, as you said, the experience, it's the customer experience. And we know that in some parts of the world the customer experience maybe is not as important, but, you know, more and more we see companies are competing on customer experience. Where they provide, you know, similar services, it is about the customer experience that you want your customers to have. And obviously an agent-assisted payment is a much smoother and more human process compared to a self service.

Tom Morgan:

Yeah, absolutely. And actually the compromise does not seem as bad as I thought it was going to. Like, it sounds like the agent can't actually see the card details anyway if they're being keyed in. Like, I've got history, like, back a million years ago working in a retail company. We would do sort of IT for that. And that process, like, the agents, you'd read it over the phone, and the agents would key it in to, like, the, you know, the website for the PCI provider, like a website or their application and stuff. But like the agent was in the middle of that process. But yeah, it sounds like by keying it in, you're removing that ability for the agent to kind of skim it off on the way through.

Dmitri Muntean:

Yeah. And also you don't have to pause your audio and video recording, because no data is on the call recording, on the audio recording. The customer uses the keypad to enter the data. And because that page shows just the masked information, which is, you know, PCI allows you to show the last four digits and the card type, so that's the only information they see about the information the customer provides.

Alex Baker:

That sort of manual pause and resume always kind of struck me as a little bit of a, like, a failure in the process, almost. So if you had an agent that was, for some reason, intent on capturing card details, putting that manual process in place for them to have to pause and resume the recording just seemed like it was fairly insecure.

Dmitri Muntean:

Yeah. And as we've discussed, how sure are you that you're pausing the call recording? So we had a customer where they would use a pause and resume method, but it would fail sometimes, and what they had to do is they had to send off their recordings straight after they were recorded. They couldn't get access to those; they were sending them off to a third party to actually listen through the call and make sure there's no card data, that it was actually paused, and then send it back. It cost them tens of thousands of dollars per month, and the earliest they could get access to the recording was over 30 days. So imagine that. So, yeah.

Tom Morgan:

It's crazy. Wow. Okay. So, and this, you do this for Amazon Connect. How long have you been working with Amazon Connect?

Dmitri Muntean:

Yeah. So we started working with Amazon Connect since it became a public service. So we know that it was a closed beta trial with a few customers. But in 2017, when it became public, we realized that there's a gap in the market and we switched our focus; we basically developed our solutions and switched our focus to Amazon Connect.

Tom Morgan:

Got it. So you were with them really from the beginning, I guess.

Dmitri Muntean:

Yeah, just from the very beginning. And yeah, we just quickly saw the potential of that platform, the, you know, the flexibility, and running this as a cloud service in a typical AWS fashion, we just quickly saw that this is just an untapped opportunity.

Tom Morgan:

One of the interesting things that we noticed when we were kind of just talking about, you know, what to talk to you about is you use Amazon Marketplace as well. You advertise on Amazon Marketplace. So how do you find that? Like, how was that for you, like setting it up, you know, managing it? Do you find it's useful? Do you find you get good engagement through Marketplace?

Dmitri Muntean:

Oh, there's quite a few questions in that. So in terms of setting it up, obviously, you know, there's documentation, many, many pages of documentation. Reading through that and making sure, you know, your systems are ready for that is quite important. But it achieves the ultimate goal where you can onboard the customer, or at least sign up the customer, without having to talk to anyone. So we do see a lot of marketplace offerings where, when people click sign up, you know, someone has to email them and then they create the account manually on the platform and things like that. AWS Marketplace provides all the tools for automatically signing up customers. So when the customer clicks subscribe to your service or to your product on the marketplace listing, there is a way of getting all that information and setting up the customer on your platform. So that's very important. If you're really looking into onboarding, you know, customers anywhere, anytime, that's, I think, one of the most important things to have: the ability for the customer to sign up by themselves without having to talk to anyone.

Tom Morgan:

Yeah, absolutely. Like, it plays into the whole AWS story of, like, self-sufficient provisioning. And, like, yeah, absolutely, if you can show up and get going instantly, you know, without having to wait for somebody else to do something on the back end, I think that's really powerful. Yeah.

Dmitri Muntean:

And if you look at it, AWS allows you, by just having a credit card, to run infrastructure of any complexity. You can run, you know, infrastructure of the same size as, you know, the largest enterprises of the world. And we thought that it would be really differentiating to provide a PCI compliant solution that has kind of the same approach: by just having an AWS account, you can go and subscribe to a solution and get access to the management console, just the way AWS does it. So you have a management console where everything is self service. You have access to the documentation. You have access to all the tools, and you can go and set up the solution without talking to anyone.

Tom Morgan:

That's nice. That's really cool. We're almost at the end of our time, but I just want to ask you, just because it's a good opportunity for us to get some feedback from you over on the Australian, New Zealand side of the world: that market for Connect, how do you find that? Because obviously we're blessed in the UK that most of the time, you know, updates come out for the US and they come out for the UK at kind of the same time. Do you get them? What's that like for you on Amazon Connect? Do you perceive a lag, or, like...

Dmitri Muntean:

So, and this is my personal experience, usually we get features prior to other regions. And the reason for that is Australia is a relatively small market. And it's much easier, you know, to do a gradual rollout here, where you're trying out new features, well, not trying out, but gradually rolling out, ensuring that all the processes, you know, still work and everything's still in order. But we're also, Australia and New Zealand, we also have a lot of innovation coming out of our region. So there's quite a few startups that focus on Amazon Connect coming out of Australia; there's Local Measure, there's Operata and others. So yeah, we don't feel left behind. We actually get access to a lot of features either at the same time or a bit earlier than everyone else.

Tom Morgan:

That's good. It's always, I don't know, I find it fascinating how you run a global infrastructure at scale like that. And so, like, I'm always trying to find out things like that, like rollouts and whether you have parts of the world that lag behind. But no, that's great. Like, sounds like you're in a good place. So, yeah, that's really cool.

Alex Baker:

It does quite often seem like, you know, you look at the Amazon Connect blog pages and almost a disproportionate number of the interesting blogs are coming from that region. So you mentioned people like Local Measure and Operata doing some great sort of pioneering stuff in the Connect ecosystem.

Dmitri Muntean:

Well, what can I say? We love our technology.

Tom Morgan:

Yeah, no, it's good. And it's good to have a strong worldwide, you know, ecosystem of partners. I think that's good for the platform. Fascinating. Like, we could talk about this stuff all day and it's been really, really good talking to you, but I think we should bring this episode to an end. Thank you ever so much, Dmitri, for your time. It's been really, really interesting. Thank you very much, Alex, as well. And thank you all for listening. Today we talked all about PCI compliance with Dmitri from SequenceShift. Next week on ACP, we're going to be talking to Scott Budding from Collaborio about workforce management in Amazon Connect. So be sure to subscribe in your favorite podcast player, that way you won't miss it. Whilst you're there, we'd love it if you would rate and review us, and as a new podcast, if you have colleagues that you think would benefit from this content, please let them know. To find out more about how CloudInteract can help you on your contact center journey, visit cloudinteract.io. We're wrapping this call up now and we'll connect with you next time.
