NewVoiceMedia: Resilience
and PCI Compliance in the Cloud

Background

NewVoiceMedia (NVM) is Europe’s leading provider of online hosted contact centre solutions. NVM’s solutions can be deployed to establish new or enhance existing contact centres at a fraction of the cost of traditional hardware-based solutions. Each of the NVM multi-tenant nodes can handle 5,000 simultaneous calls, making it one of the most powerful call centre solution that is available from any supplier.

Founded ten years ago, NVM was delivering cloud computing telephony solutions long before the phrase cloud computing became fashionable. These days NVM’s clients range from large corporations such as Jardine Lloyd Thompson, Grant Thornton, AQA and the Royal Mail with multi-site contact centres and hundreds of agents - to SMEs with less than five people taking calls who don't even think of themselves as a traditional call centre.

The Challenges

NVM hosts thousands of calls daily and processes huge volumes of card holder data.  For example, for one customer alone it processes over £100k a day in card payments. In an industry where business continuity is mission critical, NVM required a solution that would not only protect its hosted telephony services from any downtime but also make NVM compliant with Payment Card Industry Data Security Standard (PCI DSS).

The PCI is an industry body initially founded by card companies such as Visa, MasterCard and American Express. The DSS is a standard that has the goal of ensuring that all companies that process payment cards protect customers’ card information. The scope of the standard includes prevention of fraud, hacking and various other security vulnerabilities and threats.

All contact centres should be PCI DSS compliant by now as the deadline expired in 2007. Unfortunately, few have seen this as a priority as it is not a legal requirement but a commercial code of best practice. However the card companies are now applying pressure ranging from threats of penalties if fraud does occur, to increasing the costs per transaction for non-compliant companies. NVM has developed a mid-call automated process that takes the caller’s details. Use of this service is normally sufficient for a call centre to become compliant itself.

“Many call centres are putting customers’ financial information at risk because they have refused to invest in suitable technology,” says Ashley Unitt, NVM’s chief security officer.

 

Ashley continues, “We have a responsibility towards our customers to not only ensure that they consistently get the service they pay for, but that their personal financial information is kept secure and confidential. As part of the process of becoming PCI-DSS compliant we were looking for a solution that would protect our internal networks from malicious attacks and downtime. If our services were interrupted for even ten minutes our reputation would be ruined.”

The Solutions

In an open tender, NVM chose Stonesoft‘s StoneGate Firewall/VPN products to provide network security and Session Initiation Protocol (SIP) support for its customers.

One of the key differentiators behind selecting Stonesoft was the company’s ability to demonstrate a high level of support for SIP, a key technology widely used for controlling multimedia communication sessions such as VoIP telephony.

Stonesoft provided NVM with a border firewall that sits in front of its web-facing tools such as its interactive voice response system (IVR) to stop attacks before they reach the web application.

“Having full SIP support was very important for NVM as evolving security threats are making it easier for third parties to intercept VoIP traffic by using technologies such as sniffer tools that are readily available on the internet,” says Ash Patel, country manager UK & Ireland at Stonesoft.

 

Stonesoft is protecting NVM against ‘ eavesdropping’ and other security risks such as denial of service attacks. Another reason for picking Stonesoft was the clustering capabilities of the StoneGate Firewall solution, which allows network traffic to be split across multiple firewalls. This ensures protection against network downtime as traffic is routed across multiple firewalls and continues without interruption in the event of hardware failure.

StoneGate’s multi-link technology also provides load balancing, fault tolerance and failover capabilities across all connected networks, eliminating the single point of failure that can arise when a network is connected to a single provider. This function is providing NVM with increased bandwidth availability and ensuring business continuity.

“Stonesoft worked closely with our team to ensure a smooth and efficient implementation. We had really strong project team and the implementation was executed well. The Stonesoft team were very focussed and responded professionally and with expertise when any problems did arise,” continues Ashley.

Outcomes

In June 2009, with the help of Stonesoft’s solutions NVM became a Supplier Level One PCI-DSS Compliant: the highest level possible to achieve. This is a massive leap for the company as now any contact centre that wants to use NVM’s service can choose to outsource PCI responsibility to the company, bringing new revenue to the business.

“We really found that the Stonesoft solution does what it says on the box. The firewalls that have been installed work brilliantly. When first implemented we tested the firewalls with an external QSA qualified investigator who conducted penetration testing. The solution passed with flying colours,” says Ashley.

Ashley concludes, “We are also finding that it is now easier to migrate to new sites and manage everything from one location with the single management centre that Stonesoft provides. We are rapidly expanding overseas and this solution is allowing us to do this much more quickly.”