Copyright Business Systems UK Limited 2013
PCI Compliance for Call Recording
Atiq Rehman
PCI Compliance – What Is It?
• PCI – Payment Card Industry
• PCI DSS – Payment Card Industry Data Security Standard
  - Security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards
  - PCI Security Standards Council formed by leading card providers …
Who Does This Apply To?
All organisations or merchants that store, process or transmit cardholder data, regardless of size or number of transactions.
Are There Any Implications For Call Recording?
Yes, as per PCI SSC FAQ 5362:
“It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data .... after authorisation even if encrypted. It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2 or CID codes if that data can be queried. Where technology exists to prevent recording of these data elements, such technology should be enabled.”
PCI DSS – Storage Of Info
Consequences of Non Compliance
• Monthly Fines for Non-Compliance
• Withdrawal of Merchant Services
• Erosion of Customer Confidence
Monthly fines: initially £3,500 - £65,000; now up to £250,000
86% of consumers believe agents will misuse their personal card details*
Only 5% of people are confident that financial data will be safe when given to an agent over the phone*
*Source: Survey of 1,000 UK consumers conducted by OnePoll on behalf of Eckoh
PCI Compliance For Call Recording
1 – Automated Payments via IVR
2 – Transfer Callers To Non Recorded Agents
3 – Turn Off Call Recording
Drawbacks of options 1 to 3:
• Poor Customer Experience
• Impact on operational processes & productivity
• Increased average call duration
• Implications for dispute resolution / fact verification
PCI Compliance For Call Recording
4 – Modify the Recording Solution
• Security Permissions – good practice, but not enough on its own
• Media Encryption – “It is only the Primary Account Number (PAN) that can be retained in encrypted format. Sensitive Authentication Data, a key part in card transactions, cannot be stored whether encrypted or not.”
• Audio Masking – an audio tone is laid over the card details, but the underlying sensitive authentication data is still retained in the recording
• Manual Pause / Resume of Recordings – “Organisations must remove sensitive authentication data from recordings with no manual intervention by your staff.”
PCI Compliance For Call Recording
4 – Modify the Recording Solution
• Automated Pause / Resume of Recordings – when the agent enters payment details on screen, a trigger is generated to stop the recording; can also be API driven
• Automated Mute / Un-mute of Recordings – similar to pause & resume, but mutes the recording rather than stopping it, so you don’t end up with two separate, unlinked recordings
• DTMF Collection of Payment Details – the caller keys in card details via the handset, with the phone system passing the digits directly to the payment application rather than into the recorded conversation
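The three controls on this slide differ in what actually reaches the recording store: pause drops frames and splits the call into unlinked segments, mute keeps one continuous segment with silence in place of the card details, and DTMF collection routes keyed digits to the payment application instead of the recording. The following Python simulation is an added example, not code from the original deck or from Business Systems. Every frame, desktop trigger event, digit string and payload label (such as "card-number-spoken") is constructed, and it assumes digits are signalled out of band (RFC 4733 telephone-event) rather than as in-band tones.

```python
"""Added example: what reaches the recording store under each of the slide's
recording-side controls. All frames, triggers and digits are constructed
in-memory; there is no real telephony stack behind this."""
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

# Constructed payload labels standing in for PCM audio.
SPEECH = b"agent-caller-speech"
CARD = b"card-number-spoken"      # sensitive authentication data read aloud
TONE = b"dtmf-tone"               # in-band tone an uncontrolled recorder would capture
SILENCE = bytes(160)              # 20 ms of G.711 silence at 8 kHz (assumed codec)


@dataclass
class Frame:
    ts: int                       # 20 ms frame index on the call timeline
    audio: bytes                  # media payload as it would be written to disk
    dtmf: Optional[str] = None    # digit signalled out of band (RFC 4733), if any


class Recorder:
    """Recording store under one control mode.

    none:  no control; everything, including spoken card data, is stored.
    pause: frames during payment are dropped; each resume opens a new,
           unlinked segment, so one call becomes two files with a gap.
    mute:  frames during payment are replaced by silence in the same
           segment, so the timeline stays continuous.
    In pause and mute a DTMF digit is never written; its slot becomes silence.
    """

    def __init__(self, mode: str) -> None:
        if mode not in ("none", "pause", "mute"):
            raise ValueError(mode)
        self.mode = mode
        self.segments: List[List[Frame]] = [[]]
        self.in_payment = False

    def payment_trigger(self, active: bool) -> None:
        """Desktop or API trigger: payment screen opened (True) or closed (False)."""
        if self.mode == "pause" and self.in_payment and not active:
            self.segments.append([])          # resume => new, separate recording
        self.in_payment = active

    def write(self, frame: Frame) -> None:
        if self.mode == "none":
            self.segments[-1].append(Frame(frame.ts, frame.audio))
        elif self.in_payment and self.mode == "pause":
            return                            # paused: nothing stored at all
        elif frame.dtmf is not None or self.in_payment:
            self.segments[-1].append(Frame(frame.ts, SILENCE))
        else:
            self.segments[-1].append(Frame(frame.ts, frame.audio))


Event = Tuple[str, Any]  # ("audio", bytes) | ("dtmf", str) | ("screen", bool)


def call_events() -> List[Event]:
    """Constructed call: greeting, card number read aloud while the payment
    screen is open, CVV keyed on the handset, screen closed, wrap-up."""
    return (
        [("audio", SPEECH)] * 3
        + [("screen", True)]
        + [("audio", CARD)] * 4
        + [("dtmf", d) for d in "123"]
        + [("screen", False)]
        + [("audio", SPEECH)] * 2
    )


def process(mode: str) -> Tuple[Recorder, str]:
    """Run the call through a recorder. Keyed digits go to the payment
    application; the recorder receives the frame and decides what to store."""
    rec = Recorder(mode)
    payment_app: List[str] = []
    ts = 0
    for kind, value in call_events():
        if kind == "screen":
            rec.payment_trigger(bool(value))
            continue
        if kind == "dtmf":
            payment_app.append(str(value))
            rec.write(Frame(ts, TONE, dtmf=str(value)))
        else:
            rec.write(Frame(ts, value))
        ts += 1
    return rec, "".join(payment_app)


def stored_contains(rec: Recorder, payload: bytes) -> bool:
    """The assurance check: does the payload appear anywhere in the store?"""
    return any(f.audio == payload for seg in rec.segments for f in seg)


def stored_frames(rec: Recorder) -> int:
    return sum(len(seg) for seg in rec.segments)


def has_timeline_gap(rec: Recorder) -> bool:
    """True if consecutive stored frames skip timeline slots (pause does this)."""
    ts = [f.ts for seg in rec.segments for f in seg]
    return any(b - a != 1 for a, b in zip(ts, ts[1:]))


if __name__ == "__main__":
    for m in ("none", "pause", "mute"):
        r, digits = process(m)
        print(m, len(r.segments), stored_frames(r),
              stored_contains(r, CARD), has_timeline_gap(r), digits)
```

Running it shows the slide's point in numbers: "none" stores the spoken card data and the tone, "pause" stores nothing sensitive but leaves two segments with a gap in the timeline (the dispute-resolution problem noted earlier), and "mute" stores nothing sensitive while keeping a single continuous recording. The same `stored_contains` check is what you would run against a real store to confirm the control actually held.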
Our Recommendations
• Security – Permissions
• Security - Firewall
• Media Encryption Used for Both Audio and Screen Recording
• Automated Pause / Resume (Desktop Based or API Driven)
OR
• DTMF Collection of Payment Details
Getting It Right
• Options – minimise disruption and impact on business and budget
• Leverage proven expertise – reduce cost & risk with suppliers who regularly integrate PCI solutions
• Test & validate – end to end testing
• Consult with a PCI DSS QSA
• Continue to monitor – make changes if required
PCI Best Practice Guide
Covers:
• Options for compliance
• Approaches to call recording
• Getting PCI compliance right
Complimentary copy available.