PCI Compliance for Call Recording

Atiq Rehman

Copyright Business Systems UK Limited 2013


Everything you need to know about achieving PCI compliance when recording calls where payments are made and the different options available.



PCI Compliance – What Is It?

• PCI – Payment Card Industry
• PCI DSS – Payment Card Industry Data Security Standard
  - Security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards
  - PCI Security Standards Council formed by leading card providers …


Who Does This Apply To?

All organisations or merchants regardless of size or number of transactions.

Are There Any Implications For Call Recording? Yes, as per PCI SSC FAQ 5362:

“It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data .... after authorisation even if encrypted. It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2 or CID codes if that data can be queried.

Where technology exists to prevent recording of these data elements, such technology should be enabled.”

(Requirement 3.2 is the numbering used in PCI DSS v2 and v3; in PCI DSS v4.0 the same prohibition on storing sensitive authentication data after authorisation appears as Requirement 3.3.)

PCI DSS – Storage Of Info

[Slide table not reproduced in this extraction]


Consequences of Non Compliance

• Monthly Fines for Non-Compliance
• Withdrawal of Merchant Services
• Erosion of Customer Confidence

Monthly fines: initially £3,500 - £65,000; now up to £250,000

86% of consumers believe agents will misuse their personal card details*

Only 5% of people are confident that financial data will be safe when given to an agent over the phone*

*Source: Survey of 1,000 UK consumers conducted by OnePoll on behalf of Eckoh


PCI Compliance For Call Recording

1 – Automated Payments via IVR
2 – Transfer Callers To Non Recorded Agents
3 – Turn Off Call Recording

Drawbacks of these approaches:

• Poor customer experience
• Impact on operational processes & productivity
• Increased average call duration
• Implications for dispute resolution / fact verification


PCI Compliance For Call Recording

4 – Modify the Recording Solution

• Security Permissions – good practice, but not enough on its own
• Media Encryption – “It is only the Primary Account Number (PAN) that can be retained in encrypted format. Sensitive Authentication Data, a key part in card transactions, cannot be stored whether encrypted or not.”
• Audio Masking – an audio tone is inserted over the card details, but the underlying recording still retains the sensitive authentication data
• Manual Pause / Resume of Recordings – “Organisations must remove sensitive authentication data from recordings with no manual intervention by your staff.”


PCI Compliance For Call Recording

4 – Modify the Recording Solution (continued)

• Automated Pause / Resume of Recordings – when the agent enters payment details on screen, a trigger is generated to stop the recording; API driven
• Automated Mute / Un-mute of Recordings – similar to pause & resume, but mutes the recording rather than stopping it, so you don’t end up with 2 separate unlinked recordings
• DTMF Collection of Payment Details – the caller keys in credit card details via the handset, with the phone system passing the details directly to the payment application
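As an added example (not code from this deck or from any vendor's product), the Python sketch below models the API-driven mute approach and the DTMF hand-off described above: the recorder keeps a single continuous timeline, writes silence in place of audio while a payment trigger is active, routes digits keyed during payment straight to the payment application rather than to the recording, and fails closed (stays muted to the end of the call) if the un-mute trigger never arrives. The event names, the text-chunk model of audio and the sample call are all invented for illustration.

```python
"""Automated mute / un-mute of a call recording around card capture.

Added example; not from the Business Systems UK deck or any vendor
product. The phone-system / agent-desktop API, its event names and the
text-chunk model of audio are invented here so the example runs offline.
"""
from dataclasses import dataclass, field

MUTED = "[MUTED]"  # what the recorder writes instead of audio or a DTMF tone


@dataclass
class Event:
    kind: str          # "audio" | "dtmf" | "payment_start" | "payment_end" | "hangup"
    payload: str = ""  # spoken words for "audio", a single digit for "dtmf"


@dataclass
class MutingRecorder:
    """One continuous timeline (mute, not pause); DTMF keyed during payment
    is forwarded to the payment application and never written to the recording."""
    in_payment: bool = False
    timeline: list = field(default_factory=list)
    payment_app: list = field(default_factory=list)  # digits the recorder never stores

    def handle(self, ev: Event) -> None:
        if ev.kind == "payment_start":
            # Trigger from the agent desktop, e.g. the card field gets focus. Idempotent.
            self.in_payment = True
        elif ev.kind in ("payment_end", "hangup"):
            self.in_payment = False
        elif ev.kind == "audio":
            # Silence replaces speech, so the segment keeps its length and
            # there are not two separate, unlinked recordings.
            self.timeline.append(MUTED if self.in_payment else ev.payload)
        elif ev.kind == "dtmf":
            if self.in_payment:
                # Digit goes to the payment application only; the recording
                # gets a marker, never the tone or its value.
                self.payment_app.append(ev.payload)
                self.timeline.append(MUTED)
            else:
                self.timeline.append(f"DTMF {ev.payload}")
        # Any other event kind leaves the mute state unchanged. If the
        # "payment_end" trigger is lost, the call stays muted: fail closed.


def record(events):
    """Run an ordered event stream through a fresh recorder and return it."""
    rec = MutingRecorder()
    for ev in events:
        rec.handle(ev)
    return rec


def leaked_digits(timeline, digits):
    """Check: does the given digit string survive anywhere in the recording?"""
    compact = "".join(ch for ch in " ".join(timeline) if ch.isdigit())
    return digits in compact


# Constructed sample call: card number spoken, CVV keyed, both during payment.
CARD = "4111111111111111"
CVV = "123"
NORMAL_CALL = [
    Event("audio", "Hello, I would like to renew my policy."),
    Event("payment_start"),
    Event("audio", "My card number is 4111 1111 1111 1111."),
    Event("dtmf", "1"), Event("dtmf", "2"), Event("dtmf", "3"),
    Event("payment_end"),
    Event("audio", "Thanks, that is all."),
    Event("hangup"),
]

# Same call with the un-mute trigger lost: the recorder must stay muted.
LOST_TRIGGER_CALL = [e for e in NORMAL_CALL if e.kind != "payment_end"]

if __name__ == "__main__":
    rec = record(NORMAL_CALL)
    print(rec.timeline)
    print("digits sent to payment app:", "".join(rec.payment_app))
    print("PAN in recording:", leaked_digits(rec.timeline, CARD))
```

The `leaked_digits` check is the kind of post-hoc test a QSA would expect to see run against sample recordings; it also shows why the unmodified transcript fails, since the same check over the raw audio payloads finds the full PAN.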


Our Recommendations

• Security – Permissions

• Security – Firewall

• Media Encryption used for both audio and screen recording

• Automated Pause / Resume (desktop based or API driven)

OR

• DTMF Collection of Payment Details


Getting It Right – PCI Compliance

• Consult with a PCI DSS QSA
• Options – minimise disruption and impact on business budget
• Leverage proven expertise – reduce cost & risk by using suppliers who regularly integrate PCI solutions
• Test & validate – end to end testing
• Continue to monitor – make changes if required


PCI Best Practice Guide

Covers:
• Options for compliance
• Approaches to call recording
• Getting PCI compliance right

Complimentary copy available.