Tottenham Hotspur leading the field in PCI compliance
Companies in the sports, leisure and entertainment sectors handle large numbers of credit card transactions – online, over the telephone, and at the point of sale. Credit card transactions are convenient, but now subject to strict regulation. Failing to comply with the Payment Card Industry Data Security Standard (PCI DSS) can lead to huge fines, increased operational costs, and critical damage to consumer confidence.
With around 750,000 card transactions to process every year, Tottenham Hotspur FC has taken the PCI DSS compliance challenge seriously. The club had been successfully using NETconsent to manage IT security policies since 2006, when it decided to extend the solution to manage and distribute PCI compliance policies.
Reducing risk
NETconsent will help Tottenham Hotspur FC ensure that staff involved in credit card processing understand, and agree to comply with, its security policies – reducing the risk of errors that might entail regulatory penalties.
Demonstrating compliance
By providing a comprehensive audit trail, NETconsent will make it easy for Tottenham Hotspur FC to prove its compliance with the PCI DSS standard.
Reducing cost
NETconsent reduces operational costs by streamlining the administration of policy documents and reducing the effort expended on meeting annual PCI training requirements.
The club
Tottenham Hotspur FC is one of the most famous and traditional football clubs in the world. The winner of eight FA Cups, two First Division league titles, two UEFA Cups and two League Cups, the club has been a member of the Premier League since its inception, and has grown to become a valuable global brand. Based in North London, the club’s administration employs 250 people – most of whom are customer-facing staff.

Reputation and brand loyalty vital
As a high-profile public company, Tottenham Hotspur FC faces constant scrutiny from regulators, media and the public. The club’s reputation on and off the field is essential in creating brand loyalty.
Years ago, the club created a staff manual, outlining the working practices and code of conduct for all employees. This helped to ensure that all employees were informed and educated about every aspect of their duties.
“New employees would read the staff manual and agree to follow it as part of signing their contract,” explains Philip Rose, IT Manager at Tottenham Hotspur FC. “But whenever a policy change occurred, it was difficult for us to ensure that existing staff were kept fully informed about the impact on their working practices. We run a lean enterprise, so it was difficult to organise face-to-face training without distracting our human resources department from their normal work. And if we just printed out the new policies and sent them out to employees, there was no way to guarantee that they’d actually read them.”
This was a particular problem when it came to IT security policies. To improve compliance, the club decided to use NETconsent to automate the management and distribution of these policies. When this approach proved successful, it seemed prudent to adopt the same system for the many staff who deal with customer credit card transactions.
Reducing business risk
Tottenham Hotspur FC processes around 750,000 card transactions every year for match ticket sales and club merchandise, which means it must complete a detailed annual self-assessment of its compliance with the Payment Card Industry Data Security Standard (PCI DSS).

These standards specify exactly how credit card information should be handled – over the Internet, over the phone, or at the point of sale – to ensure security and minimise the risk of fraud. The penalties for non-compliance can be severe. Philip Rose comments, “The business risk of a failure of PCI DSS compliance is huge. The credit-card companies will impose immediate penalties and ongoing fines of around $10,000 a month – they have their own interests and those of consumers to protect.
Evidence from the US suggests that some 85 percent of companies suffering a PCI DSS compliance failure subsequently go out of business. The financial penalties combined with the loss of consumer confidence can be terminal. Tottenham Hotspur had to find a way to minimise this risk to the business – and NETconsent underpins our strategy.”
“NETconsent distributes and enforces new or changed policies whenever a user logs on,” says Philip Rose. “Depending on the particular user’s role, NETconsent presents policies that must be accepted before that user can access the network. Once we saw NETconsent in action, we realised it would be an invaluable tool for the club’s PCI DSS compliance needs.”
Role-based policy management
The club has 24 separate PCI DSS-related policies, many of which are relevant to different groups of employees. For example, credit card transactions for mail-order customers require staff to take card details over the phone, so sales staff need to be aware of the rules regarding the destruction of confidential details. Meanwhile, back-office staff need to understand how to process credit card files that are awaiting submission to the bank, so a different set of policies applies to them.
All these role-based policies need to be updated periodically as the PCI DSS standard changes. This means there is a constant need for training and education, and it must be targeted at the correct individuals and groups.
Reducing training and management costs
“The club does not have the ability to support a large training department to distribute changed policies and check on understanding. We needed an effective way to communicate PCI policies to staff, without incurring significant costs,” says Philip Rose. “NETconsent offered the ideal distribution, enforcement, validation and education tool.”
Equally, by providing a central repository for all policy documents, NETconsent significantly simplifies the management of PCI DSS related information. Updating, copying and distributing paper files would be a time-consuming and expensive process; holding the information electronically is much more efficient and cost-effective.
Distribution and enforcement
Using NETconsent, the policies on PCI DSS can be distributed to users based on their job roles as defined in Microsoft Active Directory. At the first log-on after a new or changed policy is issued, users must read the policy and click the ‘Accept’ button before continuing.
“For PCI rule changes issued to staff, the NETconsent server can monitor the time taken for them to click on ‘Accept’ or ‘Decline’, and compares it against the administrator-set estimate of average reading time. We can generate a central report that flags all the people who simply scroll to and click on ‘Accept’ in less time, and we will take a view on whether the policy is really being taken seriously, individually or collectively,” says Philip Rose. “If necessary, we can then test staff to see if the policies are understood, and if necessary provide additional training.”
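The two mechanisms described above – policies assigned by directory group (see “Role-based policy management”) and the reading-time check on acceptance – can be expressed as a small audit routine. The following is an added example written for this page; it is not NETconsent’s code or anything the club runs. The log line format, the group and policy names, the reading-time estimates and the user records are all constructed for the illustration. It flags acceptances faster than the administrator’s estimate, and also surfaces the two other states an auditor would want to see: policies declined and policies presented but never acted on.

```python
"""Policy-acceptance audit over constructed log records (added example).

Assumptions, none of which come from the page: the log line format,
the directory group names, the policy identifiers and the per-policy
reading-time estimates are all hypothetical.
"""
from datetime import datetime

# Administrator-set estimate of average reading time per policy, in seconds.
READING_TIME_ESTIMATE_S = {
    "PCI-03": 240,   # handling and destruction of card details taken by phone
    "PCI-07": 300,   # processing of card files awaiting submission to the bank
}

# Hypothetical mapping from directory group to the policies that group must accept.
ROLE_POLICIES = {
    "Sales-Telephone": {"PCI-03"},
    "Finance-BackOffice": {"PCI-07"},
}

# Constructed log lines: one record each time a policy is presented or decided.
SAMPLE_LOG = """\
2024-03-04T08:58:10 user=asmith group=Sales-Telephone policy=PCI-03 event=presented
2024-03-04T09:03:41 user=asmith group=Sales-Telephone policy=PCI-03 event=accepted
2024-03-04T09:10:02 user=bjones group=Sales-Telephone policy=PCI-03 event=presented
2024-03-04T09:10:19 user=bjones group=Sales-Telephone policy=PCI-03 event=accepted
2024-03-04T09:15:00 user=cpatel group=Finance-BackOffice policy=PCI-07 event=presented
2024-03-04T09:15:40 user=cpatel group=Finance-BackOffice policy=PCI-07 event=declined
2024-03-04T09:20:00 user=dlee group=Finance-BackOffice policy=PCI-07 event=presented
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def build_report(events, estimates=READING_TIME_ESTIMATE_S, role_policies=ROLE_POLICIES):
    """Classify every (user, required policy) pair for the audit trail.

    fast_acceptances: accepted in less than the estimated reading time
    declined:         user clicked 'Decline'
    outstanding:      presented (or never presented) but not yet decided
    accepted:         accepted after at least the estimated reading time
    """
    presented = {}   # (user, policy) -> time the policy was first shown
    decided = {}     # (user, policy) -> (decision, seconds since first shown)
    groups = {}      # user -> directory group
    for e in events:
        key = (e["user"], e["policy"])
        groups[e["user"]] = e["group"]
        if e["event"] == "presented":
            presented.setdefault(key, e["ts"])
        elif e["event"] in ("accepted", "declined"):
            start = presented.get(key, e["ts"])
            decided[key] = (e["event"], (e["ts"] - start).total_seconds())

    report = {"fast_acceptances": [], "declined": [], "outstanding": [], "accepted": []}
    for user, group in sorted(groups.items()):
        for policy in sorted(role_policies.get(group, ())):
            key = (user, policy)
            if key not in decided:
                report["outstanding"].append(key)
                continue
            decision, elapsed = decided[key]
            if decision == "declined":
                report["declined"].append(key)
            elif elapsed < estimates.get(policy, 0):
                report["fast_acceptances"].append((user, policy, int(elapsed)))
            else:
                report["accepted"].append(key)
    return report


if __name__ == "__main__":
    for category, entries in build_report(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {entries}")
```

On the constructed log, one acceptance (17 seconds against a 240-second estimate) is flagged for follow-up, one policy is declined, and one is still outstanding; the remaining acceptance passes. The "outstanding" list is the piece a reviewer most often wants alongside the fast-acceptance report, because a policy that was never acted on leaves no acceptance record at all and is otherwise easy to miss.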
Reducing business risk
These reporting functions will also make it easy for Tottenham Hotspur FC to provide a full audit of its PCI DSS related activity, helping to demonstrate the club’s commitment to compliance. Communicating security policies effectively is a key requirement of the PCI DSS standard; NETconsent provides vital evidence that the club takes this responsibility seriously.
“Both Tottenham Hotspur FC’s finances and its reputation depend on our ability to demonstrate compliance with PCI DSS,” says Philip Rose. “NETconsent gives us the tools we need to meet this critical requirement and mitigate a serious risk to our business.”
Looking to the future
As the club realises the advantages of managing its PCI policies using NETconsent, Philip Rose can see other parts of the business automating policy management too.
“More and more of our business is conducted through a computer screen, so it is a familiar working environment,” he comments. “The NETconsent implementation supports Tottenham Hotspur’s strategic goal of a paperless working environment – reducing costs and processing time, as well as providing a ‘greener’ alternative to paper. Our aim is to ensure that employee behaviour reflects all our policy requirements to maintain a high level of professionalism and quality in our activities.”
“Many companies suffering a serious PCI DSS compliance failure will subsequently go out of business. The financial penalties combined with the loss of consumer confidence can be terminal. Tottenham Hotspur had to find a way to minimise this risk to the business – and NETconsent underpins our strategy.”
Philip Rose, IT Manager, Tottenham Hotspur FC