PCI Participating Organizations: How BT Supports Card Data Security

Watch to learn about the role of BT as a PCI Principal Participating Organization (PPO).

PCI Community Meeting North America Special Podcast Recording:

SecurityMetrics Podcast | 77

PCI Participating Organizations: How BT Group Supports Card Data Security

The PCI SSC relies on participating organizations to support its efforts in card payment security.

Simon Turner (CISSP, CISM, CISA, VCP, ISA), Senior Manager, ISSCA Consultancy Services, BT Group (British Telecom), sat down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) at PCI Community Meeting North America to discuss:

  • The role of BT Group as a PCI Principal Participating Organization (PPO)
  • PCI payment security groups BT Group is interested in collaborating on
  • BT Group representation on the PCI Board of Advisors

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics, and here in Portland. We're at the PCI Community Meeting North America in Portland, Oregon right now, getting to talk to a lot of very interesting people in the industry. And today, I'm really excited to get to talk to Simon Turner. Simon, please tell us a little bit about yourself and what you're part of right now.


Yeah. And thanks for the invite as well. I'm really excited to be here in Portland, especially in North America. Yeah. So I work for BT. So we're a carrier network for the UK.


Mhmm.


We also have a big customer base where we're selling mobile phones, broadband, various different products.


So, obviously, my area is in payments.


So is this British Telecom?


Yes.


Oh, that's massive.


Yes. Okay. Yeah. I wonder what you learn as well is that you think BT is a large carrier network until you come over to North America and realize that, actually, you've got some larger carrier networks. But, yes, we're one of the larger ones.


Yeah. We have a lot going on in the US for sure.


So one of the reasons that I was very interested in talking to you is that BT is a PPO.


Yep. And I thought maybe we should just talk. What is a PO? What is a PPO? What is BT's involvement as a PO or PPO?


Yeah. No. So, I mean, I've been in PCI compliance since two thousand and twelve when I was introduced to it. Yeah. I joined British Telecom in two thousand sixteen, I think it was.


Okay.


And, when I joined, so as far as I'm aware, we've always been a participating organization. Okay. And, obviously, the council have recognized the value of having merchants and organizations Yeah. You know, feeding back and giving input and trying to drive the standard. So they've come up with a new principal participating organization.


So they brought in multiple levels. So, you know, for me, rising from a participating organization to a principal PO gives me that extra bit of input and feedback into the council and the way things work.


I think that it makes it the standard better, and it also kind of brings, more engagement into the whole process of how are we doing this security standard.


Yeah.


So I think there's a lot of value in that. And so welcome as a PPO, talking to me today, giving us a little insight into that. What made BT decide to join as a PPO?


So as an organization, we have, an objective to be seen to be influencing the standards and getting involved and engaging.


Mhmm.


As an organization, we've got a vast array of people with different technologies, and we've got a research center. So we've actually got a lot to give and help the industry as such.


Right.


So that's really what drove us to do that. So, you know, we've been doing PCI since as far back as I can find. Uh-huh. I think BT engaged since before the payment standard was engaged.


Oh, wow.


So it wasn't really a hard sell to the business to uplift to a principal participating organization because we have more of an influence.


Mhmm.


And based on, you know so we've got different payment channels, contact centers, various so we've got lots of experience and lots of knowledge.


And by going through the principal PO Uh-huh.


I get that little bit of extra kind of influence and say in trying to advise and give guidance from experience, because that's what the PPOs are all about.


Right.


You know, the council want to know, what our experiences are and what our challenges are and where we see the future of payments going. So it's really just bringing all of that into a package and just just sharing that knowledge.


And I think large organizations like yours that do have a vast array of experience in cybersecurity topics Yeah.


You have a lot to say. It's not like, oh, everybody has to fit this standard.


You take your knowledge and you take your experience and ability and help shape the future of payment standards based on what you're already trying to do. Right?


Yeah. Exactly. And as an organization, so, you know, we've got a team of about twenty of us that look after PCI. Mhmm. And, you know, every day is a different day, and it's never boring because of the amount of different subjects we get.


Yes.


You know?


So one day, I might be reviewing a ROC from a third party. We might be doing a third party risk assessment, or I might have somebody come to me last minute on a Friday night and go, oh, Simon, we've developed this app, and we want to do mobile payments. You know, what's the compliance requirements there? So, you know, this is why you didn't for today and this week, one of the things I'm really keen on is learning all about mobile payments. So we talk about tap to pay, tap to mobile phone, etcetera.


So it's just really, you know, bringing that experience and trying to understand what's going on, but also sharing the knowledge and background.


We've got quite a large contact center Mhmm.


Footfall. So we got lots of different payment journeys. So really trying to understand where's the future of contact centers, for example, as well.


So when we talked earlier, just kind of preparing for this, you mentioned that there are some payment security topics that you're especially interested in collaborating on as an organization.


Let me just I think I've got them here. Technology guidance group.


Yep. So the TDG.


The roadmap working group.


Yep. That's right.


And the special interest groups.


Yep.


So tell me a little bit about what technology guidance group, what is that about, and how are you involved there?


So the technology guidance group is really about where we see the future of payments Mhmm.


Based on what we see, you know, in and around us and payments and technology. So things around the technology group or, you know, future payments around where we see payments going for, you know, face to face channels, for example.


Oh, okay.


We talked a lot today at the community meeting about mobile phone payments. Mhmm. So there was a chart showing how cash is getting less, and we think that plastic has peaked, as it was called on there. Okay. And we're seeing through COVID a lot of people using tap to pay or tap on mobile.


You know, so for example, BT, we've got, we sell the iPhone.


Mhmm.


We have an offering for small merchants to buy the phone from us with a product, and we will give them the ability to go and do small markets and pay.


For example, you know, when you go to festivals Right.


Like Glastonbury, for example, and you might be selling your twenty pound bar of soap, pulling someone else's example.


Mhmm.


So just really being able to say, well, where do we see that going in the future? Is it always gonna be credit cards?


And it's probably not.


It's probably gonna be, so I remember when Tap to Pay first came out Yep.


And it was just credit cards to have to pay, and that was one thing. And then tapping your phone, and everybody was nervous about, well, what is this a privacy issue? Is this a security issue? How do we know this is a good thing? But so many people are using it now. It's very, very common.


And there was a chat earlier about EMVCo, how the council work with the EMVCo standards in terms of, you know, for example, sometimes you get frustrated with tapping it near the payment terminal rather than on the payment terminal. So it's quite interesting about the distances you can have, you know, and they're trying to make it so you don't have to tap it right on. You can have a five centimeter gap.


Uh-huh.


And then I think, well, actually, if my credit card's in my wallet, do I want someone to be able to walk past me on the tube and get in close proximity?


Yeah. Yeah. So yeah. So but, no, it's really interesting. So, you know, being able to influence based on experience and others. So, you know, we have third party service providers, so the big payment companies Mhmm. Were involved as well, and they give their view from a service provider point of view and what products and services might have been.


And I like to think that I can take the industry experience from our organization Absolutely.


And kind of relate that, you know, because we've got a big retail estate as well. So it's what are our retail customers doing? What do retailers, as a business, actually see the future being? You know? Because we want seamless. Everybody talks about seamless and frictionless payments. The easier it is to get the customer engaged and pay for that device, the quicker they're out the door.


Well, and the less chance they're going to say, I just don't wanna do this anymore.


Yeah. No.


Well, that's, that's an interesting group to be part of. But what about the road map working group? That seems like it kind of overlaps a little bit what we just were already talking about.


Yeah. So that's all about looking at what standards we think we might be needing. So we're not there to prescribe what's in a standard.


Mhmm.


But we'll look at the existing standards that are there and which ones we think are relevant or prevalent. Okay. And then also what standards we see in the future. So, you know, with upcoming technologies, is this something that might be needed? And, you know, we'll discuss and provide feedback on that.


Okay. Terrific.


I'll bet you that AI is a part of that Yeah. I mean conversation.


That seems to be the top hot topic. Right?


Topic, and it's been around for a while, but, obviously, it's just do people know exactly what it is, and it's all in the, you know, in the papers and Mhmm. You know, on the websites, etcetera.


But How's it going to affect us, and how's it going to affect PCI standards?


Yeah. I mean, I've not had personally enough time to research in it, but it is one of the things on my to do list when I have five minutes.


So I have a friend that often will send me, hey. I asked ChatGPT this thing. I'm like, how? When? When did you have time?


Yeah. No. Exactly.


Some people are very interested in it. Okay. So the third topic we kind of were interested in is special interest groups. So tell me a little bit more about what is the special interest groups part of PCI, and how is BT involved in that?


So special interest groups are there to help explain and focus on a particular topic.


Mhmm.


So one area that I'm keen on is contact centers, for example. It is very easy to descope a contact center by the use of third parties with something called DTMF masking.


Mhmm.


And you have to remember the masking. Otherwise, I get told off by our technology guys because DTMF is a term, and masking is the technology that removes the payment data.


But really, when you start looking at the details, so, what I'm working on at the moment is segmentation and scoping state.


And it really looks at the nitty gritty bits of exactly what is it we're looking for. So giving advice and guidance to merchants or service providers or assessors or, you know, people to get more clarification.


And one thing as we move from traditional on prem to cloud services, you start talking to VoIP services and, you know, one thing's that I'm cons to BT, we resell cloud contact systems.


Uh-huh.


And I have to assure the products we're selling to protect the customers and BT, you know, making sure we're not misselling something.


Right.


And, you know, it comes down to call routing, for example.


You know, remembering that on traditional on prem, you've got the recorders and you've got the telephone boxes in the building.


Now they're in the cloud, and it's kind of how does that work. So Right.


Who's protecting it? How is it encrypted?


I'm just understanding that the end to end journey, you know, it's VoIP and digital, so it should be in scope.


And there's things like the definition of a carrier. You know, this might cause problems in the industry because, you know, there is no real definition of a carrier. But my take on that is, you know, we're heavily regulated by industry, by Ofcom in the UK.


Mhmm.


So the definition for me as a carrier is that, you know, you are regulated by Ofcom and you have to provide.


So when you talk about call routing and technology Uh-huh.


Is being able to understand, you know, where is that call routing and what's the scope. You know? If you're using a big you know, Microsoft Azure, for example, they use Teams and they have compliance. There's no where which AOC am I using and how far back am I going? Mhmm. And am I able to descope?


Exactly.


So those kind of things come out in the SIG and the special interest groups. So you've got QSAs, you've got merchants, you've got service providers.


So we work over time to put the outline of the topics, and then we come up with the detail. And then the council go away and they review it and they tweak it, and then we have to review and approve, and then it gets published.


Mhmm.


And there's quite a long journey for those. And there's lots of SIGs. There's SIGs on cryptography, cloud computing, software as a service service providers, you know, like Qualys and Dynatrace offering security services Right. Other brands available. So it's really just, you know, giving advice and guidance. So quite a lot of work and knowledge goes into those.


Okay. And just to make sure I understand exactly what you mean by large contact center. Is that what we call a call center over here? Yeah. Okay. Just wanna make sure that I wasn't confusing it with other things. So, you can use your weird words if you want to.


So that's fine.


I was reminded.


So when I came over and I went out for a drink and I went up to the bar and I ordered a Sprite. Mhmm. Well, actually, I ordered a lemonade.


Oh.


And then when the guy was making up the lemonade, I realized, of course, it's different in the UK.


I didn't want a lemonade.


You actually wanted a Sprite. Well, and so I spent a lot of time living in different places. I've lived in the south of the US, and I've lived in Canada.


And so sometimes I'll be in a conversation with my kids, and they just blank stare at me. Yeah. And I realized, oh, I used a word we don't use here. So Yes.


We all think we're speaking English, but, and I wonder if technology, if it makes it even more difficult sometimes, you know, when we talk about this.


I think we use a lot of acronyms, though, in our industry and technology as well, don't we? So, you know, especially when I recruit new members onto the team, you kind of almost wanna point them to the do you remember the old telephone directories, the papers that you used today?


I just certainly like a glossary of terms for the industry and PCI.


Mhmm. So, yeah, I do know what you mean.


Oh, excellent. So okay. So, moving on to another way that BT is involved, is the board of advisors.


Yes. So very honored to be part of the board of advisors.


It's a two year term, and it's people elected to represent. So there's over seven hundred and fifty merchants out there, and, obviously, you vote for people to go and represent your industry. So we're very fortunate that, you know, in the telecommunications industry as a merchant, we've been elected to come and, you know, represent those merchants on the board of advisors.


Excellent. What does the board of advisors do?


So the board of advisors is there really to give industry insight Uh-huh. Perspectives on there. And there was a really good scenario used in one of the talks earlier as well, where it was, you know, kind of the board of advisors is like the pit crew of Formula One.


I don't know if you're into Formula One, but, you know, you've got the races and the Sure.


I've watched Formula One. Yeah.


Exactly. And then you've got the pit crew who do the changing of the tyres. They really keep things going. So the analogy was that, you know, the board of advisors was kind of like the pit crew that kind of, you know, help and support the council in what they do because they've got a heavy workload. And, yeah, you know, it gives us plenty of experience and ability to influence again. So really, the principal participating organization and the board of advisors kind of just bring that neat package together Mhmm. And we're there to support.


So this is, these community meetings are fantastic.


Yes.


You know, there's always I like going and talking to the different vendors. I know some people are you know, don't spend much time with that, but there's always something going on that's interesting to find out about. The talks are fantastic.


Yes.


And then they have the tech talks that are a little less formal than the ones on the stage. But so when you think about all of the things that you've seen and listened to and participated in, what have you found most useful from being here?


So this trip is all about the mobile payments we talked about Yeah. Because that's the way the business is going.


So I've attended quite a few useful key well, useful discussions Mhmm.


With people from Square, for example.


And obviously, we had EMVCo talking about the whole ecosystem. Yeah. So for me, it was like a learning exercise and, you know, through the council changing the way they are and having the ability to download these videos later on as well, because you're busy learning the first time, aren't you? So, you know, you want to be able to go and review them later. So that's been one of the key elements.


I've caught up with a couple of vendors because we've got the new PCI requirements that are coming out, especially for ecommerce. Yes. So I've been doing a lot of over the phone, you know, conference calls with the various vendors. So it's been really good for networking. And then also just, you know, I used to be a QSA as well.


Oh, terrific.


So, you know, meeting other QSAs in the industry from different organizations and just catching up and seeing where they are. Yeah. But I think one of the key things for me, especially this time around, is to I like to try and at least make five new contacts Mhmm. When I'm here and expand that network, because you realize that we're in a really small industry. Yes. And having the ability to actually reach out to somebody in a specific area when you need it is really useful.


Yes.


So through the board of advisors and the community meetings and the various groups we meet up, then, you know, it's just building that network of people and knowledge is really there. Yeah. Yeah. So no. I love coming to the community meetings.


Yeah. I agree. I think I feel very fortunate to be here and be part of this and, I'm grateful.


So if people wanna connect with you, hear more about what you have going on, or is there something we missed? Or just to, you know, wrap up any final thoughts on things.


Yeah. I think my final thoughts would be, you know, everybody should make an effort to come to the community meetings. Yeah.


And I like to talk, hence why I'm really thankful to be here with you today.


And then in Dublin for the community meeting in there, I've got two discussion panels that I'm joining in.


Oh, wow.


So I really love the opportunity to engage with the audience as well and give something back, especially based on industry because you realize when you get to my age, you've actually got a lot to talk about.


It's And it's a good job they've got time limits because I could probably stand up there for a lot longer than I should do.


Well, I'm gonna have to make sure I schedule recording around when you talk. I'd love to hear some of your questions.


But I'm, you know, I'm quite happy for people to reach out over LinkedIn, etcetera, etcetera, and come and speak to me. I encourage people to come and speak to me. And, you know, if I talk too much, then I'll just walk away politely or just tell me you've had enough. So no. So thank you very much for bringing me on today. I really appreciate it.


Thanks, Simon. Of course. We'll talk again. Thank you very much. Thanks for watching. To watch more episodes of the SecurityMetrics podcast, click on the box on the left.


If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
