
SuccessKPI secures more customers with its focus on compliance

How the organization achieved compliance with three major frameworks in one year


Overview

Industry: Technology

Region: International

Company size: Mid-size

Featured solutions: OneTrust Certification Automation


As an insight and action platform for contact centers, SuccessKPI never planned to hold credit card information.    

“We don't process credit cards. We don't ever want to keep credit cards long term,” says Ian Macdonald, the Chief Information Security Officer at SuccessKPI. “But because of the interactions our customers have in the call centers, there's a possibility credit card information can be captured.”

An organization doesn’t need to process a single payment transaction to fall within the scope of the Payment Card Industry Data Security Standard (PCI DSS); merely holding credit card information is enough for a business to be subject to the standard.

Working with some of the world's largest government, financial, healthcare, and technology contact centers, SuccessKPI has established security policies that meet the highest industry regulations, including PCI DSS, ISO 27001, SOC 2, GDPR, and more.

This enables the company to deliver a 360-degree view of all data across multiple touchpoints, analyze customer conversations at scale, and automate critical actions to drive business results for its clients.

"The first question you should always ask is 'Do I need PCI?' If you can work out a way to not be in possession of credit cards, that’s goal number one."

Ian Macdonald, Chief Information Security Officer at SuccessKPI

A head start on payment security

Macdonald had a long history with PCI DSS before joining SuccessKPI. He first heard about the framework while working at AOL as part of the security incident team. “There were discussions going on around the brands — Visa, MasterCard, etc. — basically saying here are the things we think you should be doing,” he says.

It wasn’t long before Macdonald was complying with the PCI DSS framework first-hand, taking it on as a side project during his time at Angel.com. He recalls managing the PCI requirements as a checklist:

  • Are we monitoring this security control? 
  • Do we have log retention? 
  • Do we have password policies? 

“It was the first framework we did with an external auditor. We ended up getting level one compliance and, from a sales point of view, that really was our first tool to show that we take security seriously,” he says. 

"That's really what all our security frameworks are about — letting customers know we’ve had an external auditor look at our stuff and say, yes, we're doing what we say we do."

Ian Macdonald, Chief Information Security Officer at SuccessKPI

Committing to global standards

SuccessKPI built security and compliance frameworks into its core. The company was already PCI DSS compliant when Macdonald joined the team: it had the basic policies and procedures to meet standard requirements, frameworks in place for PCI and SOC 2, and was already using OneTrust Certification Automation in its daily workflow.

Macdonald’s job was to make sure that policies aligned with the existing controls and to mature the company’s overall security program. “Most of the time with PCI, the first year is forward-looking,” he says. “There's a lot of lift and paperwork, but the second year is when you actually have to prove you’ve done them.”

Adding to this already ambitious goal, SuccessKPI committed to other regulatory standards to best serve its global clients. Macdonald selected three major frameworks to meet that year: SOC 2 for its US-based clients; ISO 27001 for Europe-based clients; and PCI for any involvement with credit cards. 


Establishing a strong foundation 

Macdonald started with renewals, focusing on PCI DSS. “If you're starting with PCI, it may not seem like it's easy. But the reality is that it's very prescriptive and binary — standards like SOC 2 and ISO 27001 leave more to your discretion,” he says. 

For example, a SOC 2 requirement is for organizations to perform background checks on their employees as a measure of due diligence. But how they choose to do this — whether through education verification, criminal record checks, drug screening tests, or other work authorizations — is up to the organization.  

“So in some ways, PCI is easier because you can go through it fairly quickly and check whether you’re meeting requirements,” says Macdonald. “That’s where the tools you have with OneTrust, like the ability to perform readiness assessments, are really helpful because you can see if everything is being done the way it should be before going to the auditor.”

"The last thing you want to do is walk into an audit and not be sure of what you’ve actually tested. You want to make sure you're testing ahead of time."

Ian Macdonald, Chief Information Security Officer at SuccessKPI

A system of continuous compliance 

The team didn’t stop there. They set out to make their entire compliance journey equally simple. This meant taking advantage of OneTrust Certification Automation’s pre-built content and guidance at every step.

Instead of creating policies from scratch, they now pull templates directly from the tool. They link their policies to controls and evidence tasks, effectively reducing the chances of duplicative work. By configuring common controls to cover any areas of overlap, the team is able to automatically apply the same evidence for multiple frameworks. 

“It makes life so much easier to have that all predefined and we're not reinventing the wheel every single audit,” says Macdonald. “It's rinse and repeat. It’s like, okay, we're done with PCI. Now we're moving on to SOC 2. We're done with SOC 2, now we're moving onto internal audits.”

Since then, SuccessKPI has also achieved compliance with HIPAA, ISO 27001, GDPR, FedRAMP, the California Consumer Privacy Act (CCPA), and Brazil's data protection law Lei Geral de Proteção de Dados Pessoais (LGPD). 


Transforming the audit process

Even getting audited has become a vastly better experience. “The first time I did it, we were sitting in a room with an auditor and arguing about whether something applied to our organization,” says Macdonald. 

With OneTrust, the team can now bring auditors directly into the portal to review all the policies and controls. It’s convenient for auditors and more reassuring for SuccessKPI. By inviting collaboration and discussion early on, there are fewer surprises when it's time for the audit.

“The major milestone is really when we pass the audit and get the certificate,” says Macdonald. “Because that's when our sales team can do the deal.”

