Interview with Frederic Jesupret

by Mathieu Gorge

Can you tell us about your safety and compliance journey?

I have over 20 years of experience in computer security (first IP protocols) and have followed technological developments as well as threats. Since 2006, I have been working on PCI DSS, with a first certification in 2008 and then coverage that extended to all subsidiaries worldwide on this pecificity.

Allianz Partners is one of the world’s B2B2C leaders in the areas of assistance, travel insurance, international health, and auto insurance. Focused on customer needs, our experts are rethinking insurance services by offering products and solutions of tomorrow, high tech, high touch that go well beyond traditional insurance. Our solutions are perfectly embedded in our partners’ offers or sold directly, and are marketed under four brands: Allianz Assistance, Allianz Care, Allianz utomotive and Allianz Travel. The group has more than 21,100 employees in 75 countries, speaking 70 languages and handling 71 million cases each year, protecting customers around the world.

What is your point of view on PCI DSS in your industry and within your company?

Within the framework of PCI DSS we do training and certification. We do several Self-Assessment and SAQ that I validate, while a few are validated by our single auditor (a single QSA).

In terms of training, we have 3 essential types of training

End User training essential for call centers and convenience stores

Training on the 2nd Level support which intervenes on the machines – IT support which makes the support of all this

Secure coding

Our scope of compliance is very variable – it can range from the car which repairs with its bank card terminal in the car, to the e-commerce site with 30 million transactions per year, to the call center which manages a certain number of cards . We have several types of assessments: Merchant, Service Provider and SAQ A for some. So in all 4 or 5 types of assessments.

What made PCI DSS important, well received and funded with budgets etc. ?

This came first from customers, in 2006 when we had an airline’s first tender on PCI DSS, and then a second on the same subject. We therefore started to take an interest in it and we took a little time to get there until we became “compliant” in 2008. It is a “plus” business that is capital in our relations with our partners, Whatever the type of assessment in the world.

We have had requests from our partners, such as airlines, very early in the history of the standard, which prompted us to comply. We had to demonstrate to its strategic partners that we were in compliance.

“Here we have a “turnkey” solution available to everyone.“

Has the evolution of the standard created any specific problems?

The advantage of PCI DSS is that it always gives us time to adapt, even if it takes time to convince and set up a project. But it can be tricky to see how we’ll evolve the standards next year with version 4.0.

You have been working for 3 years with VigiTrust and elearning. What is the importance and added value of team training for you?

This can be explained through 2 concepts: it is the same program for everyone and with the local language, which is fundamental in some countries that speak little or no English. Also, it would be difficult to ask HR to develop a training module such as this one, which is not within their competence. Here we have a “turnkey” solution available to everyone.

On the value of demystifying security and compliance issues (5 pillar model or other model) and in terms of the impact on compliance and on what users do, how do you see that?

The PCI standards are complete and may seem rigid and complex but they require a high level of results. This is the most demanding of standards for me.

In terms of understanding standards, I think the standard could be simplified. This is why we have created a security framework around the PCI DSS standard. We rewrote in our own way and in a more pragmatic way, so that we are PCI DSS compliant and that we know how to stay that way. It is this last aspect which is for me the most complex. There are great similarities with the 5 pillars of VigiTrust security which also aim to simplify compliance: personal security, physical security, data security, infrastructure and crisis management. It is also easy to make a mapping between these pillars and the main lines of PCI DSS.

This may seem redundant because we ask the same questions every month and have tables filled in, but the Framework that we have set up allows this ease of “re-assessment” over time. We organize monthly meetings and checklists to be always close to the standard. It is an integral part of the Framework and requires preparation for the test and the events, and that way we do not miss a thing. This is why we are entering the second year of certification on our platforms in an almost calm manner.

Allianz relationship with VigiTrust

Allianz Partners is one of the world’s B2B2C leaders in the areas of assistance, travel insurance, international health, and auto insurance. Focused on customer needs, our experts are rethinking insurance services by offering products and solutions of tomorrow, high tech, high touch that go well beyond traditional insurance.Our solutions are perfectly embedded in our partners’ offers or sold directly, and are marketed under four brands: Allianz Assistance, Allianz Care, Allianz utomotive and Allianz Travel. The group has more than 21,100 employees in 75 countries, speaking 70 languages and handling 71 million cases each year, protecting customers around the world.

VigiTrust is an award winning Integrated Risk management (IRM) solution provider. Its solution, VigiOne, is in in 120 countries in the hospitality, retail, transportation, higher education, Government, Healthcare and eCommerce industries to comply with legal and industry security standards and regulations including PCI DSS, GDPR, CCPA, NIST, ISO 27001 to name but a few. It is based in Dublin with support offices in Paris and New York.

Allianz WW has been working with VigiTrust since 2016 to provide PCI DSS security awareness training to several target audiences including in-scope employees, managers and development teams

Frederic Jesupret has been attending the VigiTrust Advisory Board since 2015 in Paris and in Dublin at global events. He is a regular contributor at industry experts brainstorming sessions

Download the Interview of Frederic Jesupret from Allianz

For more case studies and interviews, visit our blog : https://vigitrust.com/blog/

For more information, contact info@vgitrust.com

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
mgref	1 year	This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
visitorId	1 year	ZoomInfo sets this cookie to identify a user.

Cookie	Duration	Description
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
G	1 year	Cookie used to facilitate the translation into the preferred language of the visitor.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gat_gtag_UA_59241235_1	1 minute	Set by Google to distinguish users.
_gat_gtag_UA_89738490_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s	1 year	This cookie is associated with Shopify's analytics suite.
ajs_anonymous_id	never	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_group_id	never	This cookie is set by Segment to track visitor usage and events within the website.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.

Cookie	Duration	Description
_ad_session	session	No description available.
_cfuvid	session	Description is currently not available.
active_demand_cookie_cart	1 hour	No description
activedemand_session_guid	10 years	No description available.
AnalyticsSyncHistory	1 month	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
debug	never	No description available.
lfuuid	9 years 3 months 9 days 10 hours	No description available.
li_gc	2 years	No description
session_uid	20 years	No description available.
timezone	1 month	No description available.
timezone_offset	1 month	No description available.
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

VigiBlog

Interview with Frederic Jesupret

Interview with Frederic Jesupret

by Mathieu Gorge

“Here we have a “turnkey” solution available to everyone.“

Allianz relationship with VigiTrust