Interview with Frederic Jesupret
October 19, 2020
Can you tell us about your safety and compliance journey?
I have over 20 years of experience in computer security (IP protocols at first) and have followed technological developments as well as threats. Since 2006, I have been working on PCI DSS, with a first certification in 2008 and then coverage that extended to all subsidiaries worldwide on this specificity.
Allianz Partners is one of the world’s B2B2C leaders in the areas of assistance, travel insurance, international health, and auto insurance. Focused on customer needs, our experts are rethinking insurance services by offering the products and solutions of tomorrow, high tech, high touch, that go well beyond traditional insurance. Our solutions are perfectly embedded in our partners’ offers or sold directly, and are marketed under four brands: Allianz Assistance, Allianz Care, Allianz Automotive and Allianz Travel. The group has more than 21,100 employees in 75 countries, speaking 70 languages and handling 71 million cases each year, protecting customers around the world.
What is your point of view on PCI DSS in your industry and within your company?
Within the framework of PCI DSS we do training and certification. We do several self-assessment questionnaires (SAQs) that I validate, while a few are validated by our single auditor (a single QSA).
In terms of training, we have 3 essential types of training:
- End-user training, essential for call centers and convenience stores
- Training for 2nd-level support, who work on the machines (the IT support that supports all of this)
- Secure coding
Our scope of compliance is very variable: it can range from the repair car that carries a bank card terminal on board, to the e-commerce site with 30 million transactions per year, to the call center that handles a certain number of cards. We have several types of assessments: Merchant, Service Provider and SAQ A for some. So in all 4 or 5 types of assessments.
What made PCI DSS important, well received and funded with budgets etc. ?
This came first from customers, in 2006, when we had an airline’s first tender on PCI DSS, and then a second on the same subject. We therefore started to take an interest in it, and it took us a little time to get there, until we became “compliant” in 2008. It is a business “plus” that is essential in our relations with our partners, whatever the type of assessment, anywhere in the world.
We had requests from our partners, such as airlines, very early in the history of the standard, which prompted us to comply. We had to demonstrate to our strategic partners that we were in compliance.
“Here we have a ‘turnkey’ solution available to everyone.”
Has the evolution of the standard created any specific problems?
The advantage of PCI DSS is that it always gives us time to adapt, even if it takes time to convince people and set up a project. But it can be tricky to see how the standard will evolve next year with version 4.0.
You have been working for 3 years with VigiTrust and e-learning. What is the importance and added value of team training for you?
This can be explained through 2 concepts: it is the same program for everyone, and in the local language, which is fundamental in some countries that speak little or no English. Also, it would be difficult to ask HR to develop a training module such as this one, which is not within their competence. Here we have a “turnkey” solution available to everyone.
On the value of demystifying security and compliance issues (with the 5-pillar model or another model), and in terms of the impact on compliance and on what users do, how do you see that?
The PCI standards are complete and may seem rigid and complex, but they require a high level of results. This is the most demanding of standards for me.
In terms of understanding standards, I think the standard could be simplified. This is why we have created a security framework around the PCI DSS standard. We rewrote it in our own way and more pragmatically, so that we are PCI DSS compliant and know how to stay that way. It is this last aspect which is for me the most complex. There are great similarities with the 5 pillars of VigiTrust security, which also aim to simplify compliance: personal security, physical security, data security, infrastructure and crisis management. It is also easy to make a mapping between these pillars and the main lines of PCI DSS.
This may seem redundant, because we ask the same questions every month and have tables filled in, but the framework that we have set up allows this ease of “re-assessment” over time. We organize monthly meetings and checklists so as to always stay close to the standard. It is an integral part of the framework and requires preparation for the test and the events, and that way we do not miss a thing. This is why we are entering the second year of certification on our platforms in an almost calm manner.
Allianz relationship with VigiTrust
VigiTrust is an award-winning Integrated Risk Management (IRM) solution provider. Its solution, VigiOne, is used in 120 countries in the hospitality, retail, transportation, higher education, government, healthcare and e-commerce industries to comply with legal and industry security standards and regulations including PCI DSS, GDPR, CCPA, NIST and ISO 27001, to name but a few. It is based in Dublin with support offices in Paris and New York.
Allianz WW has been working with VigiTrust since 2016 to provide PCI DSS security awareness training to several target audiences, including in-scope employees, managers and development teams.
Frederic Jesupret has been attending the VigiTrust Advisory Board since 2015, in Paris and in Dublin at global events. He is a regular contributor at industry expert brainstorming sessions.