One of the global top three entertainment companies using Harmony for Compliance
Client Background & why Harmony was chosen
One of the world’s three largest entertainment companies was looking for a solution to manage its compliance with PCI (Payment Card Industry) standards.
Harmony was shortlisted, along with another product offered by Symantec, and subsequently selected. Harmony was chosen on the basis of feature set, usability, scalability, adaptability, security and price. Our team was chosen on the basis of deeply experienced staff, proven project and programme management experience, flexibility, and industry and technical knowledge.
Client motivation for implementing Harmony
The client’s business was a high-volume business in which more than 95% of transactions were paid by credit or debit card. They were on the verge of incurring daily fines of $15,000 for non-compliance and urgently needed a way to manage a complex programme of control compliance.
Key modules and functionality used
The modules of Harmony that were implemented for the client were:
- Risk Management
- Issue Management
- Actions Management
- Incident Management
- PCI Standard
- Document Vault
Harmony was used exclusively for compliance in this instance. All features not directly related to compliance were turned off on the client’s instruction.
Additional changes were made to Harmony to fit client-specific needs. These were:
- Addition of client specific role features in the ‘Admin-User’ area
- Changes to the workflow in the Risk module so that it matched the client’s internal risk process
- Addition of an ‘auditor tracking’ feature so that the client could monitor the activity of the auditors as the project was audited
- Addition of a new layer in the control hierarchy to accommodate a matrix layer in the client organisation
- Minor changes to the ‘attester’ role so that the client could switch the feature on and off at will (the client’s auditors were not sure whether the feature would ultimately be necessary)
Integration points
In addition to the above changes, the Risk module required integration with the client’s internal risk system, which was managed in PeopleSoft. This integration was straightforward because Harmony uses XML as its data transfer format and PeopleSoft can import and export data in XML. The integration (data mapping, establishing connectors, establishing data flows and testing) took 7 working days.
The data feed consists of a real-time export of risk data from Harmony to PeopleSoft: the full record for new risks, and only the changed fields for established risks. Data also flows from PeopleSoft to Harmony when relevant risks are created in PeopleSoft, but in practice this is rare.
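The export pattern described above (full record for a new risk, only changed fields for an established one) can be illustrated with a small delta exporter. This is an added example written for this page; it is not Harmony’s or PeopleSoft’s code, and the record fields, element names and the `action` attribute are assumptions rather than either product’s actual XML schema. The consumer side also validates the `action` value before applying anything, which is the check an importer of a third-party feed should make.

```python
"""Delta export of risk records to XML (illustrative, hypothetical schema)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Hypothetical risk record. Field names are assumptions, not Harmony's schema.
@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    likelihood: int
    impact: int
    status: str

TRACKED_FIELDS = ("title", "owner", "likelihood", "impact", "status")
VALID_ACTIONS = {"create", "update"}


def build_export(previous, current):
    """Build the XML feed from two snapshots (dicts keyed by risk_id).

    A risk absent from `previous` is exported in full with action="create";
    a risk present in both is exported with action="update" carrying only
    the fields whose values changed; an unchanged risk is not exported.
    Deletions are deliberately not signalled (the page describes none).
    """
    root = ET.Element("riskExport")
    for rid, risk in current.items():
        old = previous.get(rid)
        if old is None:
            el = ET.SubElement(root, "risk", id=rid, action="create")
            fields = {f: getattr(risk, f) for f in TRACKED_FIELDS}
        else:
            fields = {f: getattr(risk, f) for f in TRACKED_FIELDS
                      if getattr(risk, f) != getattr(old, f)}
            if not fields:
                continue  # nothing changed, nothing to send
            el = ET.SubElement(root, "risk", id=rid, action="update")
        for name, value in fields.items():
            ET.SubElement(el, name).text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_export(xml_text):
    """Consumer side: return a list of (risk_id, action, {field: value}).

    Rejects records with a missing id, an unknown action, or a field name
    outside TRACKED_FIELDS, so a malformed or tampered feed fails closed
    instead of being applied to the target system.
    """
    root = ET.fromstring(xml_text)
    records = []
    for el in root.findall("risk"):
        rid, action = el.get("id"), el.get("action")
        if not rid or action not in VALID_ACTIONS:
            raise ValueError(f"rejected record: id={rid!r} action={action!r}")
        fields = {}
        for child in el:
            if child.tag not in TRACKED_FIELDS:
                raise ValueError(f"unexpected field {child.tag!r} in {rid}")
            fields[child.tag] = child.text
        records.append((rid, action, fields))
    return records


def sample_snapshots():
    """Constructed sample data: one risk changes status, one risk is new."""
    previous = {
        "R-001": Risk("R-001", "Unpatched POS terminals", "IT Ops", 4, 5, "open"),
    }
    current = {
        "R-001": Risk("R-001", "Unpatched POS terminals", "IT Ops", 4, 5, "mitigated"),
        "R-002": Risk("R-002", "Card data in log files", "AppSec", 3, 5, "open"),
    }
    return previous, current


if __name__ == "__main__":
    prev, cur = sample_snapshots()
    feed = build_export(prev, cur)
    print(feed)
    for record in parse_export(feed):
        print(record)
```

Running the block prints one `update` element for R-001 carrying only `status`, and one `create` element for R-002 carrying all five fields.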
Client locations for implementation
Within Harmony, the client manages the compliance of 72 locations across the USA, Europe and Asia. Each location must comply with an average of 235 individual control points. (There are 233 controls in the PCI standard, but the client adds extra control points of its own, depending on the venue and the need.)
In addition to multiple locations, the client has to serve multiple external user groups, and its transaction volumes run into the hundreds of millions. Seventeen external banks process the transactions, each for particular locations. Each bank has its own external login accounts and sees only the locations whose transactions it processes; no bank can see the compliance status of any location in which it has no specific interest. In addition, the client is required to use an external auditor, a Qualified Security Assessor (QSA), whose role is to provide assurance to the banks about the integrity of the client’s work in progressing its compliance. The QSA also has external access to Harmony.
Implementation approach and timelines
Harmony was implemented in 5 weeks. This included deployment, configuration and testing of Harmony in the client’s data centre. The additional changes, which took 10 working days to develop and 5 days to implement, were done partly in parallel. The whole implementation, including the requested system changes and the data feeds to and from PeopleSoft, was completed in 40 working days.
The initial client project team was 25 people, but this decreased to 6 with the deployment of Harmony. This was five fewer than the client had originally estimated, an additional saving to the project.
As Harmony was being implemented by the technical team, our project team worked with the client project team to plan:
- Training of the project team – 6 people (half day course)
- Training of two system administrators (full day course)
- Training of the auditors – 5 people (half day course)
- Training of the bank representatives – 25 people (half day course)
- Training of the client user community – 320 people – (fifteen minute course – delivered remotely with helpdesk support for follow-up queries)
In parallel with the technical implementation and the training planning, another team mapped the client’s process workflows and intended project activities onto Harmony and the features that would automate the otherwise manual work of compliance tracking, gap analysis, incident management, risk capture and issue management. The additional changes (listed under ‘Key modules and functionality used’, above) were a consequence of this mapping of the client’s internal processes and project requirements.
Another team worked on a communications plan that was delivered in ‘doses’ as the project proceeded. At each stage, all of the users affected by the project knew in advance what was happening, why it was important to the firm and what their contribution would be.
Once Harmony was live, and the training programme delivered, all locations had completed their initial gap analysis within three months.
Key issues and how they were overcome
All the issues we faced fell into one of two categories:
- Lack of certainty and changes of mind by the client about the approach to the project: At the beginning of the project the client was not sure whether it wanted to run the project itself or have the QSA run it. This mattered because the two approaches gave different levels of visibility of project progress, depending on who led the project. We solved this by loading the project into Harmony’s programme and project management system for the client. Because the system is web-based and gives everyone equal visibility, the client then had no difficulty allowing the QSA to take the project lead.
- Uncertainty by the client about the hierarchy of its organisation: The client organisation had grown inorganically, by takeover more than by organic growth, so different parts of the business were not all organised in the same way. This meant that different parts of the business would be handled inconsistently and their compliance status would not be comparable. The solution was one of the changes we made to Harmony: let Harmony manage each part of the business in its own way and ‘equalise’ the compliance reporting status within the system.
Benefits – financial and non-financial
Financial
- Software licence fees 50% lower than the other shortlisted product (Symantec)
- Project team reduced from 25 to 6, an annual saving of £855k / $1.28m for the life of the project
- Unquantifiable cost savings across the business due to simpler compliance processes, transparency of status, automation of all project workflows and ‘slim-line’ training courses
- Cost avoidance of $15,000 a day, equivalent to a $5.5m annual run rate
Non-Financial
- Simple implementation, training and operation
- All appropriate processes automated
- Since Harmony is designed to ‘adapt’ to client’s unique situations, changes were simple, quick and cheap
- Internal project communications more efficient
- External project communications more efficient
Key performance indicators
Support
- Severity 1 support request – 1 hour response
- Severity 2 support request – 1 day response
- Severity 3 support request – 1 week response
Incident Management (24/365)
- Severity 1 incidents – 1 hour acknowledgement, 24 hour fix
- Severity 2 incidents – 4 hour acknowledgment, 4 day fix
- Severity 3 incidents – 1 day acknowledgment, 2 week fix
- Severity 4 incidents – 1 week acknowledgment, 3 month fix
Security
- Annual penetration tests, performed by a third-party IT security firm