CASE STUDY
QTel's Online Billing Rollout: Juggling Regulations and Service

QTel is one of the largest telecommunications firms in New York.

With a customer base of 10,000 companies, the firm provides small and medium-sized businesses with a comprehensive array of communications products and services, such as fully integrated broadband data and voice services.

The Challenge

One of the largest and growing areas of expense for QTel was billing. The company's printing and mailing costs were increasing, and its employees were spending more than 80 hours a week managing paper bills. Additionally, a large percentage of its customer service calls were due to billing-related questions.

In order to better compete with other competitive local exchange carriers (CLECs), QTel had to ensure that costs were kept at a minimum while it continued to provide efficient products and services to its customers. In an effort to reduce the costs associated with its paper bills while also making access to these bills more convenient for its customers, QTel needed a low-cost, quick-to-implement way to offer customers secure and easy access to billing information online.

In addition to ensuring secure access to its online bills, QTel also had to adhere to strict new Federal Communications Commission requirements, which mandated that companies comply with Consumer Proprietary Network Information (CPNI) regulations. These regulations state that telecom companies not only need to protect their customer data but also prove that the data is protected, potentially making controlling and auditing this access extremely complex.

QTel also needed to ensure that unauthorized access to this information was prevented, and that they could validate the integrity of online bills (prevent tampering and alterations) and prevent internal employees from accessing customer data inappropriately.

The Solution

Given the complexity of developing the system and addressing auditing requirements, QTel determined that developing its own system for auditing and security was too complex and cost-prohibitive to implement and maintain. So the company chose to work with New York-based P2 Security, a provider of Web access management technology, to help deploy a secure online billing system.

P2 Security began by analyzing QTel's architecture, and it worked with the company to deploy and populate a lightweight directory access protocol (LDAP) server with customer and employee information. P2 Security then deployed two low-cost, all-in-one maXecurity Web access management appliances. maXecurity's installation, one-time configuration and integration were simple due to its proxy-based architecture, which works with any Web server on any platform.

During the three weeks following the installation, QTel's programmers began developing the appropriate Web pages and electronic versions of the billing statements for the online system. Policies were set to protect these Web pages and the user information that would be sent along with them, ensuring that customers would only have access to bills tied to their accounts.

After the Web pages, electronic bills and policies were created, QTel spent two weeks testing the system. The company began by validating its security and made attempts to access an unauthorized bill, access bills without a proper login and to alter a bill. Once the security was validated, P2 Security helped QTel simulate a scenario of 500 customers simultaneously attempting to access their bills. This helped to mimic the potential response to a planned month-end e-mail , which alerted customers to their current bill. Finally, a subset of users were offered the opportunity to access their bills as part of a pilot program, in order to debug any final "kinks" prior to rolling out the system to its remaining customers.

After a month and a half of integrations and testing, QTel finally had the system to provide its customers with secure access to online billing information. The authentication and authorization capabilities of the new appliances provided the security that QTel needed with by restricting access to sensitive data from unauthorized persons. maXecurity built-in compliance functionality allowed QTel to generate entitlement reports and detailed logs of each administrative activity for complete auditing reports with a one-click process.

The Results

Before considering P2 Security, QTel had researched an alternative option: hiring an outside consulting firm. However, the firm's proposed plan was scheduled to take six months to implement with a cost of more than US$100,000. The P2 Security implementation was considerably less expensive and implementation took fewer than eight weeks.

While the implementation was significantly less costly and troublesome than anticipated, QTel experienced a few minor issues, such as the need to rent additional rack space for the maXecurity devices. However, this was not viewed as an insurmountable obstacle due to the future need of this space for additional firewalls.

By providing comprehensive Web access management capabilities, security concerns were mitigated and QTel was able to offer customers secure access to their billing information online. With maXecurity's built-in compliance functionality and on-demand reporting features, QTel can easily address the FCC's CPNI regulations and is now prepared for any future audits. maXecurity offered entitlement reporting based on all users who have access to a particular Web resource. Following the implementation, P2 Security also added functionality to enable QTel to specify a user, and report on all resources that can be accessed by that user.

With its new billing system online, QTel's costs have dropped significantly and customer satisfaction has increased. The company has already realized a cost-savings of approximately $8,000 per month. Customers now have access to a faster and more convenient way of retrieving their past and current statements, decreasing reliance on customer service. In addition, although not part of the original requirements, QTel can now accept credit card payments due to maXecurity's built-in compliance with the Payment Card Industry Data Security Standard (PCI DSS).