INDUSTRY: Financial Services
BUSINESS: Designing, implementing and managing business process optimization services.
SCOPE & SIZE: Financial Services Company; Locations: Worldwide; Size: 7,000+ Employees
BUSINESS CHALLENGE: Teleperformance Colombia needed to become PCI DSS compliant because of its partners' requirements.
- Qualys PCI DSS
WHY THEY CHOSE QUALYS:
- Qualys PCI helped the company identify and remediate vulnerabilities, helping it achieve PCI DSS certification.
- The PCI compliance process is simplified: online completion of the annual PCI self-assessment questionnaire, network security scanning, and automatic submission of the results to validate compliance.
Teleperformance Colombia Optimizes Its Own Vulnerability Management
Qualys PCI proved to be the ideal way for Teleperformance Colombia to streamline its PCI DSS compliance efforts.
If your business is in the Americas or Spain, and you're interested in focusing more of your effort on innovation than on running non-core business processes, you might want to talk with Teleperformance Colombia. Teleperformance Colombia designs, implements, and manages business process optimization services for contact center outsourcing, back office and related software services in the telecommunications, aeronautic, tourism & transport, retail, and health and social services industries. Its agents handle and process calls throughout North and South America and within Europe.
"Qualys helps us to consistently maintain our security. Every time we reduce the number of vulnerabilities, we are reducing risk. And Qualys’ on-demand service has proven to be very effective for us."
Carlos Alberto Carrizosa,
Director of Information Security, Teleperformance Colombia
Teleperformance Colombia is also growing. And, like many companies, it finds its customers increasingly asking how it manages its IT security efforts, as well as its PCI DSS compliance, as part of their own due diligence.
"For many of our customers, PCI compliance has become a contractual requirement. In 2010, we decided, as part of our strategic plan, to become PCI DSS certified. That left us with the challenge to establish all the required procedures and controls," says Carlos Alberto Carrizosa, director of information security at Teleperformance Colombia.
The goal of PCI DSS is clear: to protect cardholder account data. And while that objective is straightforward, it is not necessarily simple to achieve. PCI DSS currently requires continuous compliance with twelve requirements. These include maintaining firewalls, restricting access to cardholder data, encrypting cardholder data in transit over public networks, and running an ongoing vulnerability management program that keeps devices, systems and applications secure and up to date.
Optimizing PCI DSS Compliance Processes
Penalties for noncompliance can be steep. Companies that are not compliant can be blocked from processing credit cards and can face higher per-transaction processing fees. Fortunately, one of the most important requirements, maintaining a vulnerability management program, is one that the right toolset can largely automate. A vulnerability management program, broadly, helps an organization systematically find and remediate outdated software, system flaws and misconfigurations that jeopardize security.
A core part of that program is regular vulnerability assessment of every system that stores, processes or transmits cardholder data. Before it set out to attain PCI DSS compliance, Teleperformance Colombia had no easy and efficient way to run the quarterly vulnerability scans the payment card standard requires.
"We had processes in place to update security patches as they came out, but we wanted to become more effective, and automate what we could," Carrizosa says. It was then that he began evaluating which applications or services could help his security team meet the challenge more effectively. "We checked into our options, and we concluded quickly that on-demand service was one of the key factors we were looking for," he says.
During the search, when it came to on-demand vulnerability assessment and PCI DSS compliance, one name came up. "We decided on Qualys. That decision was made for three reasons. One is the on-demand concept; the second was that Qualys was one of the QSA solutions accepted for PCI certification proposals. The third is that it came highly recommended from people whose opinion we respect," Carrizosa says.
PCI Certification: A Corporate Priority
Qualys PCI, delivered as an on-demand web service, is built on the same technological foundation as Qualys Enterprise, which organizations around the world use to keep their IT infrastructures secure and available cost-effectively. Because it is delivered as a web service, Qualys PCI requires no software or infrastructure to deploy and manage. For these reasons, many web merchants and QSAs alike turn to Qualys PCI for accurate, easy-to-use PCI compliance testing, reporting and submission. Qualys PCI walks an organization through the PCI DSS compliance process in three steps: online completion of the annual PCI DSS self-assessment questionnaire, network security scanning, and automatic submission of the annual questionnaire and quarterly scan results that validate compliance.
In the initial assessments, Qualys PCI uncovered a number of vulnerabilities that had to be remediated before the company could be compliant. "PCI certification was a corporate priority, and the remediation process is very smooth," he says.
For Teleperformance Colombia, Qualys reporting has become central to its vulnerability remediation process. Qualys vulnerability reports are shared with Carrizosa's IT and software development teams, and Carrizosa has built customized remediation workflows for those teams. "We've segregated responsibilities so we can readily identify who is responsible for each vulnerability. The Qualys findings and reports are essential for all of this," he says.
Building on its success with Qualys and on what Teleperformance Colombia learned while becoming PCI DSS compliant, Carrizosa and his team are deploying Qualys Enterprise to further harden other areas of the company's internal network. Part of that hardening is the adoption of new best practices across the organization. "Every time a new server is built, the system is vetted with Qualys to make sure it is secure and up to date," says Carrizosa.
That is one more example, beyond helping achieve PCI DSS compliance, of how Qualys helps Teleperformance Colombia remediate vulnerabilities on its internal and external networks and reduce IT security risk. "Qualys helps us to consistently maintain our security. Every time we reduce the number of vulnerabilities, we are reducing risk," Carrizosa says. "And Qualys' on-demand service has proven to be very effective for us."