Xcina Case Study

PCI DSS: Attestation of Compliance for Telephony Outsourcing Business

The client

A business process and customer experience outsourcing company specialising in providing telephony-based product support, ordering and booking services for major recognised client companies from over 25 locations across Europe. The company integrates its services with client systems, and many of these clients require the company to process payments by payment card and to be compliant with PCI DSS.

The work

Maintaining annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a contractual requirement for the company with all of the clients for whom it processes card payments. Achieving this effectively across all of the various payment systems in use is essential to maintain operating margins in what is a price-competitive market. The company wanted independent assurance that it was able to meet the PCI DSS requirements on an ongoing basis, to reduce the scope of its Card Data Environment (CDE), and to maintain a consistent approach and process across all client operations to minimise the cost of operation.

How we helped

Starting with an initial review of the company’s operations, we supplied Qualified Security Assessors (QSAs) to assist with reducing the scope of their CDE, establishing a consistent operating model across all client services, and ensuring that these operations complied with PCI DSS. From this we worked with the company to produce Self Assessment Questionnaires for Service Providers (SAQ-D) for all countries in which they are based and, as a QSA company, also provided Attestation of Compliance (AOC) reports to independently assure the validity of each SAQ-D. As the company has grown its operations, we have continued to provide ongoing advice on changes to the PCI DSS standard and their impact, and have undertaken the production of AOCs for new locations as well as the annual production of AOCs for existing operations.

Value added

We provided the client with PCI DSS knowledge, assisted them in reducing their PCI scope, considered the PCI DSS implications for new clients, and reduced compliance costs by implementing a common technical architecture and operating processes across all clients.

What our clients say

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

Getac Technology Corp, Legal Affairs Center

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

ParkMobileUK, Managing Director

"Xcina Consulting performed an annual review of our card data environment, and ensured that we are compliant with the PCI-DSS. We continue to work with their experienced QSAs, leveraging their guidance and best practices so we have the highest possible level of security controls in place."

DKB Brands, Data Protection Officer

"Xcina really helped us to kick start our data protection compliance process. They took the time to speak to all departments of the business and outlined our highest risk to lowest risk areas. The insight and guidance they provided was essential for our business to become GDPR compliant."

Portman Settled Estates Limited, Estate Secretary

"Xcina’s ongoing support has ensured that our employees feel confident when dealing with data protection matters, with best practice knowledge and expertise from consultants who have taken the time to get to know our business and our industry."

National Bank of Kuwait, Compliance Officer

"Xcina worked with us on a number of data protection matters, including subject access requests and gave helpful, practical advice which reflected their understanding of technology issues as well as legal matters."

Your World Recruitment, Group IT Director

"We have worked with Xcina successfully for two years, initially on internal GDPR GAP analysis. We now have them engaged as our ‘Virtual DPO’ provider and regularly receive useful, pragmatic and, more importantly, actionable advice on all areas of Data Protection."

Quadrangle Research, Group Chief Operating Officer
