When telecom major Vodafone India chose to go for PCI DSS compliance in 2008, the operation’s scale was formidable. Vodafone India intended to bid for enterprise-wide PCI DSS — 23 circles and 11 operating companies. It operated 900 direct and indirect stores, as well as a host of direct selling agents (DSAs), collection agencies and other third parties. Four years on, Vodafone India’s PCI DSS compliance is in its third successful iteration, but the journey has been far from easy.
The PCI DSS bid: Needs and challenges
Suresh Srinivasan, the senior manager for information security and privacy at Vodafone India, explains that although PCI DSS compliance was not mandatory, it was a matter of self-discipline. Compliance translated into better brand perception and customer confidence. It would also address the legal implications and resultant regulatory penalties that surround breaches. The team also saw it as an opportunity to standardize and streamline Vodafone India’s business processes.
The PCI DSS compliance initiative’s scope covered retail, billing, collections, online payments, kiosks, e-commerce and customer services. Since Vodafone India did not grow organically as an organization (it started off as Orange and later became Hutch), legacy systems and architectures had to be made compliant. Analysis of the legacy architecture became critical to determine how controls would be implemented. Under PCI DSS, payment applications had to be validated against PA DSS requirements, which covered aspects like billing, point-of-sale and m-commerce. Since telecom relies heavily on outsourcing, third parties that are part of Vodafone’s ecosystem had to be brought under the PCI DSS compliance umbrella.
Vodafone India’s PCI DSS compliance story unfolded in the following manner:
Data flow analysis: Vodafone India started with a card data flow analysis to identify processes capturing card information. All processes were looked into, says Srinivasan. Since Vodafone India’s internal team did not have the bandwidth for this, SISA Information Security was enlisted as external consultants.
Analysis involved meeting up with business stakeholders to understand the processes. Process flow diagrams were created for each business process within Vodafone India. This also resulted in identification and discontinuation of redundant processes.
Risk assessment: After the data flow analysis, Vodafone India conducted a risk analysis to determine internal risks, as well as those associated with third parties or external agencies. This helped Vodafone India determine the location and form of the controls required to be auditable for PCI DSS compliance.
Control implementation: Following risk assessment, control implementation for PCI DSS compliance was split into phases, starting with a specific circle (Mumbai). It was essential to implement and stabilize controls at a single location, before replicating them organization-wide. Certain controls were driven centrally, whereas others were managed locally. Control implementation at the third-party level was also started as a parallel process.
Srinivasan reiterates that scoping is critical for PCI DSS compliance exercises. This simplifies PCI DSS implementation and manageability. At Vodafone India, only systems handling card data were brought into the scope to make PCI DSS compliance achievable and the control implementation effective.
Training and awareness: Spreading awareness regarding PCI DSS compliance was essential, says Srinivasan. Since PCI DSS is not point-in-time compliance but continuous, it’s important to reason with people on the ground for the success of a PCI DSS compliance exercise. This was undertaken for third parties as well. Srinivasan says that PCI DSS compliance at Vodafone India has become easier with every iteration.
Certification: According to Srinivasan, certification was the easiest part of the entire PCI DSS compliance exercise. It was just a matter of getting a QSA to conduct an audit. For the first certification, it took Vodafone nearly 20 months to roll out pan-India enterprise-wide PCI DSS compliance.
Dos and don’ts from Vodafone
According to Srinivasan, it’s important to interpret controls from your organization’s perspective for success of the PCI DSS compliance initiative. In principle, existing processes and systems can be tweaked to achieve PCI DSS compliance without investing in every control. However, be prepared for inevitable investments. An example from Vodafone India’s PCI DSS story is its self-service kiosks network. All kiosks had to undergo replacement to meet PA DSS compliance.
Yet another best practice is to prevent employees from analyzing card data on Excel sheets. This phenomenally increases the PCI DSS compliance exercise’s scope. The dos and don’ts from Vodafone’s experience can be summarized as follows:
Takeaways for Vodafone India
Alongside its PCI DSS compliance exercise, many processes at Vodafone India have undergone overhauling. Sensitive documents are now destroyed or discarded after a pre-defined retention period.
Cardholder data storage has become more secure, and card data is no longer transmitted in the clear. Applications not directly involved with cardholder data only have access on a need-to-know basis — in such cases, not all 16 digits are available. Vodafone India has a role-based data access matrix, and data consent clauses have been incorporated into customer forms to promote customer awareness.
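Two of the practices above, finding where card numbers turn up outside intended systems (the card data flow analysis, and the warning about card data in Excel sheets widening scope) and exposing only a truncated PAN to applications that do not need the full number, can be illustrated with a small scanner. The code below is an added example, not from the presentation or from Vodafone India’s or SISA’s tooling; the sample lines are constructed and use published test card numbers, and the Luhn check is used to distinguish card numbers from other 16-digit identifiers.

```python
import re

# Constructed sample lines standing in for an exported spreadsheet or log
# (not real customer data). Line 2 holds a 16-digit order reference, not a card.
SAMPLE_LINES = [
    "cust=1001 pan=4111111111111111 amount=499.00",
    "ticket 2024-12-01 ref 1234567890123456 (order id, not a card)",
    "cust=1002 pan=5500 0000 0000 0004 amount=1299.00",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; card PANs pass it, most other numeric ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate PANs (digits only) in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines) -> list:
    """Report (line number, masked PANs) for every line containing card data."""
    report = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report.append((n, [mask_pan(p) for p in pans]))
    return report
```

A report that names lines 1 and 3 but not line 2 shows the scanner flagging the two card numbers while ignoring the look-alike order reference; the masked form is what a need-to-know application would be given instead of the full PAN.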
This article is based on excerpts from a case study presentation made by Suresh Srinivasan, the senior manager for information security and privacy at Vodafone India at PCI Mumbai on February 28, 2012.