OAISYS and PCI DSS Compliance: Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions

The Right Choice for Call Recording | WWW.OAISYS.COM

What is PCI DSS?

Payment Card Industry (PCI) Data Security Standard (DSS)

Developed by the Credit Card Industry to encourage and enhance cardholder data security

Covers Network Security, Password Protection, Storage, Encryption, Software Vulnerability, etc.

PCI Core Principles

Implement Strong Access Control
◦ Restrict access to cardholder data by business need-to-know
◦ Assign a unique ID to each person with computer access
◦ Restrict physical access to cardholder data

Regularly Monitor and Test Networks
◦ Track and monitor all access to network resources and data
◦ Regularly test security systems and processes

Maintain an Information Security Policy
◦ Maintain a policy that addresses information security

Who is Impacted by PCI?

ANY company that stores, processes, or transmits credit card information is impacted and should be aware of the standards
◦ Financial Services
◦ Collections
◦ Sales/Retail
◦ Charities/Donor Networks

Call Recording and PCI DSS

NO call recording software can actually be deemed “PCI compliant”

Only software used to accept and process payment cards, such as card readers and online payment card validation solutions, can be PCI compliant

Call recording software properly designed and developed with respect to PCI DSS can help facilitate compliance with the guidelines

How OAISYS Solutions Address PCI DSS

◦ Permissions-Based User Accounts
◦ Call Segment Sharing
◦ User Security and Audits
◦ Data Transmission/Encryption Standards
◦ Data Storage/Encryption Standards
◦ Recording Blackouts

Permissions-Based User Accounts

Only authorized users can access data

Permissions can be based on user type or other criteria, such as:
◦ Outside Number
◦ Call Duration
◦ Extension
◦ ACD information

Call Segment Sharing

OAISYS Portable Voice Document (PVD™) technology provides for selective sharing of specific call segments (both internal and external)

Recipients can only hear selected segments of the call

Permissions can limit the length of time that a recipient will have access, or whether it can be shared further

User Security and Audits

The OAISYS solution provides an administrative interface that delivers activity tracking and reporting
◦ Date, time, and user associated with access of any call
◦ User authentication controls are granular, which allows provisioning of the minimum access level required for tasks

Call recordings include a digital watermark
◦ Proves call has not been altered in any way
◦ Can verify that sensitive information was not included or recorded

Data Transmission Standards

PCI requires use of strong cryptography (such as SSL or IPSEC) during transmission over open, public networks
◦ The Internet
◦ Wireless Technologies
◦ Global System for Mobile (GSM)

If sharing/sending is done internally, this requirement does not apply

Data Transmission Standards

If needed, strong encryption during transmission can be obtained when using a VPN with IP Security (IPSEC) and Triple Data Encryption Standard (TDES)
◦ IPSEC handles the connection to the outside network
◦ TDES encrypts the streaming data

Database Encryption Standards

OAISYS can utilize file-level encryption if necessary

Encryption is tied to the Operating System (Windows 7 or Server 2008)

Advanced Encryption Standard (AES) calls for 128-bit encryption minimum
◦ Windows AES uses 256-bit key

Blackouts

If you do not record the Primary Account Number (PAN), PCI requirements DO NOT APPLY

PCI DSS requires that Card Verification Codes are NOT stored under any circumstance, even if encrypted

If you do not record the PAN or Card Verification Codes, you can easily comply with PCI standards

Wait a second… You provide call recording and you’re telling me NOT to record?

Three Ways to NOT Record

1. Do not record stations collecting data requiring PCI adherence

2. Transfer calls to non-recorded stations when PCI data is collected

3. Stop recording of calls when obtaining data requiring PCI adherence, then start again after data is obtained – in other words, BLACKOUT the data

How can I blackout only during the period where I am capturing PCI sensitive information?

OAISYS Desktop Client – Manual Recording Stop

User can manually click the start/stop button on the OAISYS Desktop Client

Requires manual intervention, but allows for flexible start/stop

[Screenshot callout: Start/Stop Button]

Desktop Client API – Automatically Start/Stop

Desktop Client utilizes a COM (ActiveX) interface to accept client-to-client commands to automatically start/stop recording

Start/Stop functionality can be engaged by placement of the cursor in the appropriate field on the client application

Desktop Client API – In Layman’s Terms

Place your cursor in the credit card # field on the client software and it sends a trigger to the OAISYS software to STOP recording automatically

Move your cursor to another field and the client software sends a follow-up trigger to the OAISYS software to START recording again

Desktop Client API – Internet Explorer Plug-in

OAISYS has developed a plug-in utilizing IE7 and the Desktop Client which can automatically start/stop based on the position of the cursor in the browser window

Works for ANY website, not just client-controlled addresses

Desktop Port API – Automatically Start/Stop

Desktop Port API utilizes server-to-server commands to automatically start/stop recording

Typically applies to systems like predictive dialers that have their own client access software

Essentially provides the same functionality as the Desktop API, but for different types of applications

Questions?

OAISYS Sales Engineering

[email protected] option 3