Industry: Technology
Region: International
Company size: Mid-size
Featured solutions: OneTrust Certification Automation
How the organization achieved compliance with three major frameworks in one year
As an insight and action platform for contact centers, SuccessKPI never planned to hold credit card information.
“We don't process credit cards. We don't ever want to keep credit cards long term,” says Ian Macdonald, the Chief Information Security Officer at SuccessKPI. “But because of the interactions our customers have in the call centers, there's a possibility credit card information can be captured.”
An organization doesn’t need to process a single payment transaction to require Payment Card Industry Data Security Standard (PCI DSS) compliance — just holding credit card information is enough for a business to be subject to the standard.
Working with some of the world's largest government, financial, healthcare, and technology contact centers, SuccessKPI has established security policies that meet the highest industry regulations, including PCI DSS, ISO 27001, SOC 2, GDPR, and more.
This enables the company to deliver a 360-degree view of all data across multiple touchpoints, analyze customer conversations at scale, and automate critical actions to drive business results for its clients.
Ian Macdonald, Chief Information Security Officer at SuccessKPI
Macdonald had a long history with PCI DSS before joining SuccessKPI. He first heard about the framework while working at AOL as part of the security incident team. “There were discussions going on around the brands — Visa, MasterCard, etc. — basically saying here are the things we think you should be doing,” he says.
It wasn’t long before Macdonald experienced complying with the PCI DSS framework first-hand, taking it on as a side project during his time at Angel.com. He recalls managing the PCI requirements as a checklist:
“It was the first framework we did with an external auditor. We ended up getting level one compliance and, from a sales point of view, that really was our first tool to show that we take security seriously,” he says.
SuccessKPI built security and compliance frameworks into their core. It was already PCI DSS compliant when Macdonald joined the team. They had the basic policies and procedures to meet standard requirements. They had frameworks in place for PCI and SOC 2. And they were already using OneTrust Certification Automation in their daily workflow.
Macdonald’s job was to make sure that policies aligned with the existing controls and to mature the company’s overall security program. “Most of the time with PCI, the first year is forward-looking,” he says. “There's a lot of lift and paperwork, but the second year is when you actually have to prove you’ve done them.”
Adding to this already ambitious goal, SuccessKPI committed to other regulatory standards to best serve its global clients. Macdonald selected three major frameworks to meet that year: SOC 2 for its US-based clients; ISO 27001 for Europe-based clients; and PCI for any involvement with credit cards.
Macdonald started with renewals, focusing on PCI DSS. “If you're starting with PCI, it may not seem like it's easy. But the reality is that it's very prescriptive and binary — standards like SOC 2 and ISO 27001 leave more to your discretion,” he says.
For example, a SOC 2 requirement is for organizations to perform background checks on their employees as a measure of due diligence. But how they choose to do this — whether through education verification, criminal record checks, drug screening tests, or other work authorizations — is up to the organization.
“So in some ways, PCI is easier because you can go through it fairly quickly and check whether you’re meeting requirements,” says Macdonald. “That’s where the tools you have with OneTrust, like the ability to perform readiness assessments, are really helpful because you can see if everything is being done the way it should be before going to the auditor.”
The team didn’t stop there. They set out to make their entire compliance journey equally simple. This meant taking advantage of OneTrust Certification Automation’s pre-built content and guidance at every step.
Instead of creating policies from scratch, they now pull templates directly from the tool. They link their policies to controls and evidence tasks, effectively reducing the chances of duplicative work. By configuring common controls to cover any areas of overlap, the team is able to automatically apply the same evidence for multiple frameworks.
“It makes life so much easier to have that all predefined and we're not reinventing the wheel every single audit,” says Macdonald. “It's rinse and repeat. It’s like, okay, we're done with PCI. Now we're moving on to SOC 2. We're done with SOC 2, now we're moving onto internal audits.”
Since then, SuccessKPI has also achieved compliance with HIPAA, ISO 27001, GDPR, FedRAMP, the California Consumer Privacy Act (CCPA), and Brazil's data protection law Lei Geral de Proteção de Dados Pessoais (LGPD).
Even getting audited has become a vastly better experience. “The first time I did it, we were sitting in a room with an auditor and arguing about whether something applied to our organization,” says Macdonald.
With OneTrust, the team can now bring auditors directly into the portal to review all the policies and controls. It’s convenient for auditors and more reassuring for SuccessKPI. By inviting collaboration and discussion early on, there are fewer surprises when it's time for the audit.
“The major milestone is really when we pass the audit and get the certificate,” says Macdonald. “Because that's when our sales team can do the deal.”