PCI DSS (Payment Card Industry Data Security Standard)

By: IntegrITy Voiced  11-20-2009
Keywords: Quality Assurance, Voice Recording, Screen Recording

PCI DSS (Payment Card Industry Data Security Standard) is rapidly becoming the international standard for credit card safety in contact center environments. Recent failures to protect financial data provided in customer interactions have resulted in legislation to protect the consumer, with a direct impact on the selection and operation of call recording solutions.

PCI DSS stands for Payment Card Industry Data Security Standard and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC, http://www.pcisecuritystandards.org).

The standard was created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined. All in-scope companies must validate their compliance annually. This validation can be conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs); smaller companies, however, have the option to use a self-certification questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant's region.

IntegrITy Voiced recording solutions may unintentionally record and store communications containing credit card data (account numbers), e.g. if a customer reads out his credit card account number (also called the Primary Account Number (PAN)) to the call centre agent over the telephone. Even more sensitive is the so-called card validation code (CVC), also called the card verification value (CVV) or card security code (CSC) (in German: Kartenprüfnummer (KPN)). According to the PCI standard, this information must not be stored under any circumstances. When screen recording is used, the PAN and CVC may also be captured unintentionally and stored on the recorder.

The primary goal shall be to avoid the recording of credit card data in the first place by muting audio and excluding credit card data input from screen recording.

In order to achieve this goal, IntegrITy Voiced will provide detailed instructions on how to configure the audio and screen recording to avoid the capture of credit card information. In addition, templates for Standard Operating Procedures (SOPs) will be provided to customers, detailing the procedures for muting audio. As long as the system is configured correctly and the users adhere to the SOPs, the recording of credit card information will be reduced to exceptional cases caused by human error. To reduce the potential security vulnerabilities even further, several measures will be taken within the IntegrITy Voiced recording solution to prevent the misuse of such unintentionally and exceptionally recorded credit card data. These measures comprise:

· Encrypted storage of audio data (industry-standard AES encryption)

· Encryption of audio transmission to players

· ‘Hardening’ of recorders by means of port scanners and ongoing thorough security threat assessment

· Virus scanner (upon request)

· Firewall

· Deletion of unintentionally recorded credit card information (with two-person integrity)

· Central logging of system and security events

Please note that, despite some statements made by other players in the marketplace, encryption (even so-called end-to-end encryption) will not automatically make a recording solution PCI DSS compliant. As stated above, there is credit card information which must not be recorded at all (the CVC), even in encrypted form. Encryption only helps to reduce the leakage of unintentionally recorded credit card information.

Keywords: Quality Assurance, Recording Product, Screen Recording, Voice Recording