SERVICE SCHEDULE ANNEX 1

CONTENTS
1. SERVICE DESCRIPTION
2. ORDERING AND DELIVERY OF THE SERVICE
3. FAULT MANAGEMENT
4. SERVICE LEVEL AGREEMENT
5. DDI NUMBERS
6. AGENT INTERFACE AND NETWORK ACCESS
7. PAYMENT SERVICE PROVIDER (PSP) INTEGRATION
8. REPORTING
9. CARDHOLDER DATA STANDARDS
10. GENERAL TERMS
11. DEFINITIONS
1. SERVICE DESCRIPTION

In order to process Cardholder Data in a PCI DSS compliant way, Calls into a Customer Contact Centre will be handled in accordance with the following process:
  i) If no Cardholder Data details are required during the Call, the Agent will not be required to activate the Service.
  ii) If Cardholder Data details are required, the Agent will activate the Service via the Web Panel (or the CRM if API is used).
  iii) The Service provides a whisper ID to the Agent, who will enter this into the Web Panel on their desktop (or their CRM if API is used) along with any Customer details required for the transaction.
  iv) The Agent then asks the Caller to enter the Cardholder Data details using their telephone keypad to generate DTMF tones.
  v) The Service intercepts the DTMF tones as sensitive information or Cardholder Data, and false/synthetic tones are passed on to the Agent to indicate progress; visual progress indicators are given on the Web Panel (or CRM if API is used).
  vi) If the Caller is unable to use DTMF, then the Agent can override this and allow the Caller to enter Cardholder Data using speech recognition. In such cases, the Caller's Cardholder Data details are not heard by the Agent and progress is reflected on the Web Panel (or CRM if API is used).
  vii) The Cardholder Data is sent to the Customer's PSP to authorise the payment and the Agent receives confirmation that this has happened via the Web Panel (or CRM if API is used).
  viii) Once the Cardholder Data entry is complete, this is shown on the Web Panel (or CRM if API is used).
  ix) The Agent can converse with the Caller during the Call and can assist in the event of any difficulty entering Cardholder Data information.

2. ORDERING AND DELIVERY OF THE SERVICE

2.1 The Customer will order the Service from BT via the Order Form.
2.2 The Service Start Date will be finalised once BT and the Customer have agreed and completed the Service Specification.
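The call flow in section 1 above, as an added example that is not taken from the Service or from BT: a Python simulation of the DTMF interception in which the Caller's keypad digits are held inside the Service, the Agent receives only synthetic tones and a masked progress view, and the captured data goes to a stand-in PSP and is then discarded. The per-field capture lengths, the '#' terminator for a shorter PAN and the fake PSP are assumptions, not part of the Service Schedule.

```python
import secrets
from dataclasses import dataclass, field

SYNTHETIC_TONE = "*"                                # what the Agent hears and sees
FIELD_LENGTHS = {"pan": 16, "expiry": 4, "cvv": 3}  # assumed capture lengths per field

@dataclass
class CaptureSession:  # one activation of the Service for one Call (steps ii to viii)
    whisper_id: str = field(default_factory=lambda: secrets.token_hex(3).upper())
    fields: tuple = ("pan", "expiry", "cvv")
    captured: dict = field(default_factory=dict)    # real digits; never leave the Service
    progress: dict = field(default_factory=dict)    # masked view for the Web Panel / CRM
    agent_audio: list = field(default_factory=list) # synthetic tones passed to the Agent
    _idx: int = 0
    _cur: list = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return self._idx >= len(self.fields)

    def on_dtmf(self, key: str) -> None:
        """Step v: intercept one keypad press; the Agent only ever gets a false tone."""
        if self.complete:
            raise RuntimeError("Cardholder Data entry already complete")
        if key == "#":                  # assumed: Caller ends a field early (e.g. a 13-digit PAN)
            self._finish_field()
            return
        if not key.isdigit():           # '*' and letters belong to no field
            return
        name = self.fields[self._idx]
        self._cur.append(key)
        self.agent_audio.append(SYNTHETIC_TONE)
        self.progress[name] = SYNTHETIC_TONE * len(self._cur)
        if len(self._cur) >= FIELD_LENGTHS[name]:
            self._finish_field()

    def _finish_field(self) -> None:
        self.captured[self.fields[self._idx]] = "".join(self._cur)
        self._cur = []
        self._idx += 1

def agent_view(s: CaptureSession) -> dict:  # all the Agent is allowed to see
    return {"whisper_id": s.whisper_id, "progress": dict(s.progress), "complete": s.complete}

def submit_to_psp(s: CaptureSession, psp) -> dict:
    """Step vii: send the captured data to the Customer's PSP, then discard it."""
    if not s.complete:
        raise RuntimeError("cannot authorise before every field is captured")
    result = psp(s.captured)            # the PSP, not the Agent, receives the real data
    s.captured.clear()                  # the Service retains no Cardholder Data afterwards
    return {"whisper_id": s.whisper_id, "authorised": bool(result.get("authorised"))}

def fake_psp(card: dict) -> dict:  # constructed stand-in for a PSP authorisation call
    return {"authorised": 13 <= len(card["pan"]) <= 19 and card["cvv"].isdigit()}
```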
2.3 Before the Service is provided to the Customer, the Customer shall have the right to carry out Acceptance testing. Such Acceptance shall not be unreasonably withheld by the Customer.

3. FAULT MANAGEMENT

3.1 The Customer may report technical faults with the Service to BT via the 24 hour helpdesk on 0800 110011.
3.2 When reporting a fault with the Service, the Customer will be required to provide the following information:
  i) a contact name;
  ii) a contact number;
  iii) the time and date of the Call;
  iv) the calling line identity and dialled number; and
  v) a description of the fault in as much detail as possible.
3.3 Faults raised by the Customer will be processed by BT and allocated a Severity Level. BT will aim to respond to and resolve faults in accordance with the following Service Levels.

  Fault Severity Level      Initial Response Time   Target Fix Time
  Critical (24/7 Support)   4 Hours                 5 Hours
  High                      2 Business Hours        6 Business Hours
  Medium                    2 Business Hours        4 Business Days
  Low                       24 Business Hours       28 Business Days

3.4 Fault Severity Level Definitions
  Critical: faults which
    i) affect all Calls; and/or
    ii) cause unavailability of the Service; and/or
    iii) prevent Callers being routed to the Customer's Site.
  High: faults which
    i) affect more than 10% of Calls at any time; and/or
    ii) cause the absence of a significant function of the Service (e.g. the inability to take payment, or Calls not being forwarded, or DTMF not being recognised correctly).
  Medium: faults which
    i) affect more than 1% of Calls at any time; and/or
    ii) cause the absence of a significant function of the Service (e.g. the inability to take payment, or Calls not being forwarded, or DTMF not being recognised correctly).
  Low: faults which
    i) affect 1% or less than 1% of Calls; or
    ii) affect more than 1% of Calls but do not cause the absence of any significant function of the Service (e.g. cosmetic changes to the Service which do not affect the ability for Calls to be made to obtain the relevant information).
3.5 Once a fault is resolved, BT will advise the Customer via the Nominated Contact.
3.6 Following fault resolution, BT will, where appropriate, assess whether any changes need to be made to the Service. Where BT considers that changes do need to be made to the Service, BT will produce a report detailing the steps that need to be taken to prevent a recurrence of the fault, which will be forwarded to the Customer for approval prior to implementation.

4. SERVICE LEVEL AGREEMENT

4.1 Where BT does not deliver the Service by the Service Start Date, the Customer shall be entitled to receive compensation in accordance with clause 3 of the Inbound Service Schedule, save that compensation will only apply where the delays are attributable to events solely within BT's reasonable control.
4.2 Where BT does not resolve a fault within the above Service Levels, the Customer shall be entitled to receive compensation in accordance with clause 3 of the Inbound Service Schedule, save that compensation will only apply for faults which:
  i) affect all Calls; and
  ii) prevent operation of the Customer's entire Service; and
  iii) are attributable to events solely within BT's reasonable control.
4.3 BT's responsibility to provide the Service (and liability to provide compensation) will only apply in relation to the following points of demarcation:
  i) the point of receipt of the Call at a BT exchange;
  ii) the Web Panel (or the CRM if API is used);
  iii) the web access point for the Customer's PSP for the provision of payments; and
  iv) the external interface to the Customer's accounting system (if applicable, for reconciliation purposes).

5. DDI NUMBERS

5.1 All Calls which may result in Cardholder Data being disclosed must use the Platform, and BT will provide a set of DDI numbers to the Customer to which such Calls must be distributed.
5.2 The Customer will provide to BT details of the terminating DDI numbers to which the Calls are to be delivered.

6. AGENT INTERFACE AND NETWORK ACCESS

6.1 Subject to clause 6.2 below, BT will provide the Customer with either a customised Web Panel or an API.
6.2 In order to access either the Web Panel or the API, the Customer and its Agents will require internet access to BT's web servers. Where modifications are required on both the Platform and the Customer's firewalls to access such web servers, BT will provide details of any modifications that may be required. Any modifications required shall be at the Customer's expense.

7. PAYMENT SERVICE PROVIDER (PSP) INTEGRATION
7.1 In order to collect Payment Card Data, the Customer will need to be contracted with their chosen PSP.
7.2 Where BT is not integrated with the Customer's PSP, then the Customer may instruct BT to integrate with a new PSP and pay BT an additional set-up cost as detailed in the Order Form.

8. REPORTING

8.1 BT will provide Reporting relating to the Service to the Customer via a secure web page.
8.2 Reporting data will be retained for a rolling 12 month period.

9. CARDHOLDER DATA SECURITY STANDARDS

9.1 BT warrants and represents that it has complied with all applicable requirements necessary to be considered PCI DSS compliant at Tier 1 status and has performed all steps necessary to validate its compliance with PCI DSS by a Qualified Security Assessor (QSA).
9.2 BT agrees that it is responsible for the security of all Cardholder Data in its possession, including responsibility for all actions involved in Processing the Cardholder Data.
9.3 BT agrees that all Relevant Supplies coming within the scope of the Service will be performed by BT.
9.4 BT shall ensure that the Relevant Supplies conform to the PCI DSS set out at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml and such later versions or guidance and advisories which the PCI Security Standards Council may issue.
9.5 BT shall promptly notify the Customer on becoming aware of any non-compliance, or on receiving any allegation of non-compliance, with PCI DSS, and of the steps it is taking to remedy such non-compliance.
9.6 Any breach of this clause by BT shall be deemed to be a material breach of this Service and, subject to Clause 7 of the Conditions, BT shall indemnify the Customer from and against any costs, losses, damages, proceedings, claims, expenses or demands incurred or suffered by the Customer which arise as a result of such breach.
9.7 BT shall allow the Customer or its authorised representatives reasonable access to premises, systems and records containing any relevant Information as is reasonably necessary to assess BT's compliance with this clause.

10. GENERAL TERMS

10.1 Notwithstanding the provisions of Clause 9.1(c) of the Conditions, if BT or the Customer is unable to perform, or is delayed in performing, any obligation under this Service because of any of the events detailed in clauses 9.1(a) or 9.1(b) of the Conditions and the period of delay exceeds 30 days, the Customer or BT may terminate this Service in whole or part by written notice to the other.

11. DEFINITIONS

Acceptance: written acknowledgement by the Customer that Supplies, or part of them, have been completed in accordance with this Service, subject to any deficiencies stated in such acknowledgement. "Accept" and "Accepted" shall be construed accordingly.
Agent: the person at the Customer Contact Centre who converses with the Caller.
API: the Application Programming Interface which is integrated with the CRM by the Customer and used by the Agent to activate the Service (where applicable).
Application: a speech recognition or interactive voice response software program.
Cardholder Data: the Primary Account Number (PAN) together with any or all of the following items which may be retained with the PAN: Cardholder Name, Service Code and Expiration Date (as those terms are commonly understood in the payment card industry).
Cardholder Data Environment: that part of the network or business operations that possesses Cardholder Data or Sensitive Authentication Data.
CRM: the Customer Relationship Management web interface used by the Customer.
Customer Contact Centre: the Contact Centre that is operated by the Customer.
DDI: Direct Dial In.
DTMF: Dual Tone Multi Frequency signalling.
Helpdesk: the 24 Hour helpdesk provided by BT which the Customer will use to report faults with the Service.
Nominated Contact: the contact in BT and the Customer who will receive information relating to the Service.
Nominated BT Service Manager: the person in BT with whom the Customer can discuss changes relating to the Service.
PCI: Payment Card Industry.
PCI DSS: the Payment Card Industry Data Security Standards issued by the PCI Security Standards Council ('the Council') from time to time and set out at https://www.pcisecuritystandards.org.
Platform: the platform provided by BT to enable the Service to be delivered to the Customer.
PSP: Payment Service Provider.
Processing: any processing, collection, transmission, managing or storing by any means and in any type of media, including paper, or voice recording, or digital images in which Cardholder Data is held, such as hard disk drives, floppy disks, and credit/debit card receipts on which the full PAN is printed.
Relevant Supplies: those elements of the Supplies which include the formal or informal Processing of BT Customers' Cardholder Data forming the "cardholder data environment".
Reporting: a web based Management Information tool provided by BT to enable the Customer to view, and download to Excel, reports for a given date range.
Sensitive Authentication Data: includes the following: Full Magnetic Stripe Data, or CAV2/CVC2/CVV2/CID, or PIN/PIN Block (as those terms are commonly understood in the payment card industry).
Service: the service provided by BT to enable the Customer to reduce or eliminate the handling of Cardholder Data by Agents and be compliant with PCI DSS.
Service Levels: the service levels detailed in clause 4 of this Service Schedule Annex.
Service Specification: the technical specification for the Service to be provided by BT.
Severity Level: the severity level of a fault detailed in paragraph 3.4 of this Service Schedule Annex.
Supplies: all components, materials, tools, test equipment, Service Specification, documentation, firmware, Software, instructions and guidelines, spares and parts and things to be provided to the Customer pursuant to this Service, together with all Information this Service requires be supplied to or performed for the Customer.
Tier 1: merchants who process more than six million payment card (debit or credit card) transactions each year, and must meet the 12-step PCI DSS and undergo external attestation.
Web Panel: the web panel customised by BT for use by the Customer and used by the Agent to activate the Service (where applicable).