PCI DSS (Payment Card Industry Data Security Standard) is rapidly becoming the
international standard for credit card safety in contact center environments.
Recent failures to protect financial data provided in customer interactions
have resulted in legislation to protect the consumer, with a direct impact on
the selection and operation of call recording solutions.
PCI DSS stands for Payment Card Industry Data Security Standard and is a
worldwide security standard assembled by the Payment Card Industry Security
Standards Council (PCI SSC).
The standard was created to help organizations that process card payments
prevent credit card fraud, hacking and various other security vulnerabilities
and threats.
A company processing, storing, or transmitting payment card data must be PCI
DSS compliant. Non-compliant companies that maintain a relationship with one or
more of the card brands, either directly or through an acquirer, risk losing
their ability to process credit card payments and being audited and/or fined.
All in-scope companies must validate their compliance annually. This validation
can be conducted by auditors, i.e. persons who are PCI DSS Qualified Security
Assessors (QSAs); however, smaller companies have the option to use a
self-certification questionnaire. Whether this questionnaire needs to be
validated by a QSA depends on the requirements of the card brands in that
Voice recording solutions may unintentionally record and store communications
containing credit card data (account numbers), e.g. if a customer reads out his
credit card account number (also called the Primary Account Number (PAN)) to the
call centre agent over the telephone. Even more sensitive is the so-called card
validation code (CVC), also called card verification value (CVV), card security
code (CSC) or Kartenprüfnummer (KPN). According to the PCI standard, this
information must not be stored in any case. When screen recording is used, the
PAN and CVC may also be captured unintentionally and stored on the recorder.
The primary goal shall be to avoid the recording of credit card data in the
first place by muting audio and excluding credit card data input from screen
In order to achieve this goal, IntegrITy Voiced will provide detailed
instructions on how to configure the audio and screen recording to avoid the
capture of credit card information. In addition, templates for Standard
Operating Procedures (SOPs) for customers will be provided, detailing the
procedures for muting audio. As long as the system is configured correctly and
the users adhere to the SOPs, the recording of credit card information will be
reduced to exceptional recordings caused by human error. To reduce the potential
security vulnerabilities even further, a number of measures will be taken within
the IntegrITy Voiced recording solution to avoid the misuse of such
unintentionally and exceptionally recorded credit card data. These measures
comprise:
Encrypted storage of audio data (industry-standard AES encryption)
Encryption of audio transmission to players
‘Hardening’ of recorders by means of port scanners and ongoing thorough security threat assessment
Virus scanner (upon request)
Deletion of unintentionally recorded credit card information (with two-person integrity)
Central logging of system and security events
Please note that, despite some statements made by other players in the
marketplace, encryption (even so-called end-to-end encryption) will not
automatically make a recording solution PCI DSS compliant. As stated before,
there is credit card information which must not be recorded at all (the CVC),
even encrypted. Encryption will only help to reduce the leakage of
unintentionally recorded credit card information.
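As an added example (not part of this document or of the IntegrITy Voiced product), the Python sketch below shows how a recorder could scan a call transcript for unintentionally captured card data, so that the affected recording can be queued for the two-person-integrity deletion listed above; the transcript lines, regular expressions and function names are constructed for this illustration, and the card number is a standard test number.

```python
import re

# Constructed sample transcript of a recorded call (hypothetical recorder output).
# Line 2 holds a Luhn-valid test PAN, line 4 the CVC answer, line 5 a non-card number.
SAMPLE_TRANSCRIPT = [
    "agent: can I have your card number please",
    "customer: sure it is 4111 1111 1111 1111",
    "agent: and the three digit code on the back",
    "customer: 123",
    "customer: my order number is 1234 5678 9012 3456",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# phrases an agent typically uses when asking for the card security code
CVC_PROMPT_RE = re.compile(r"\b(cvc|cvv|security code|three digit|3 digit)\b", re.I)
# a bare 3- or 4-digit group
CVC_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order/ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(lines):
    """Return (line_no, kind) findings: 'PAN' for a Luhn-valid card number,
    'CVC' for a 3-4 digit answer directly following a security-code prompt."""
    findings = []
    expect_cvc = False
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                findings.append((n, "PAN"))
        if expect_cvc and CVC_RE.search(line):
            findings.append((n, "CVC"))
        # a CVC is only flagged in the line that answers the prompt
        expect_cvc = bool(CVC_PROMPT_RE.search(line))
    return findings


if __name__ == "__main__":
    for line_no, kind in find_card_data(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: {kind} detected -> queue recording for two-person deletion")
```

The PAN finding identifies material that may only be kept encrypted, while the CVC finding marks a recording that must be deleted regardless of encryption.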