Pharmacy Retailer

Profile

Industry: Retail Pharmaceuticals Employees: 70,000 UK Revenue: £498 million

Business: UK high street pharmacy, health and beauty retailer, formed in 1849, with around 2,500 stores, a strong web presence, and loyalty scheme. They operate one contact center.

Challenge: Achieving PCI DSS compliance to secure payments and reduce risk to the business, the contact center, and the customer.

Solution: CallGuard Hosted solution that de-scopes the contact center from PCI DSS audit.

Benefit

• Agent and customer stay in contact throughout the call
• PCI DSS compliant every minute, of every day
• No sensitive data is available to steal

Background

This leading pharmacy-led health and beauty retailer was formed in 1849. With around 2,500 stores in the UK, ranging from local community pharmacies to large destination health and beauty stores it is part of the Retail Pharmacy International Division of a large US organization which was the first global pharmacy-led health and wellbeing enterprise. Today the business sells their products in the UK and internationally.

Challenge

Information security is a major focus for this business as they seek to address the rise in data breaches, payment card fraud, and other security risks that businesses face today.

Their commitment to tightening security led them to seek a solution to their contact center telephone card payments where cardholder data is exposed to the agents and potentially stored in the company's IT environment. With several hundred agents, operating from their contact center in Nottingham, the business wanted, as well as needed, to achieve PCI DSS compliance and maintain it, year-on-year.

Solution

Eckoh implemented its fully managed, CallGuard Hosted solution.

When a customer keys in their card details using their phone's keypad, audio tones (DTMF) are generated which match the card number. Eckoh's solution instantly replaces these tones with whispered audio 'tokens' which are then 'spoken' to the agent, who types these into the payment screen. As the token data is not real card information, it is completely meaningless to thieves or fraudsters and so can be stored safely. The token data will be switched to the actual cardholder data when it passes through the Eckoh secure platform.

This solution is extremely quick to implement and does not involve complex changes to databases, payment processes, security systems, or other IT areas.

With information security playing an important part in this pharmacy-led health and beauty retailer's business strategy, a PCI DSS secure payment solution was sought that would provide robust and continuous compliance.

Value

This means that the agent never sees or hears, sees, or is exposed to the real card data. Neither is the real card data held in any call recordings or storage devices. There is, in effect, nothing meaningful to steal.

• Agent can stay in conversation with the customer
• Customer data is protected
• Agent is not exposed to the data
• Reduce risk to the business, the agent, and the customer
• PCI DSS compliance achieved

Looking Forward

As a solution unique to Eckoh, we recognize that this example is likely a challenge many other enterprise organizations struggle with when they begin tackling payment security within their contact centers. Some organizations may even feel like their only option is to either deploy hardware on-premise – likely disrupting long-term cloud transformation strategies – or only achieve partial PCI DSS de-scoping.

As a result, the methodology innovated for The Client is now part of the Eckoh architecture. In fact, multiple other clients have also taken advantage of this solution, allowing them to maintain their existing telephony architecture while maintaining the strictest possible standard for payment security.

To learn more about how Eckoh secures payments across all engagement channels, please contact one of our trusted advisors.