How to Ensure PCI DSS Compliance

Business Systems Best Practice Guide

Any organisation that is taking sensitive data from a customer, in particular credit or debit card details, has a duty to ensure they are taking every step possible to protect customers and their data from fraudulent use and identity theft.

In 2012, according to the Financial Fraud Action (FFA UK) website, card fraud rose in the UK to £388m, up 14% on 2011. Within this figure £32.1m was associated with Card ID theft, a staggering 42% increase on the previous year.

The Payment Card Industry Data Security Standard (PCI DSS) is now in force and applies to anyone taking credit/debit card payments in-person, over the internet or by telephone.

Yet in the UK, organisations have failed to put in place the necessary technology, processes and procedures to ensure full compliance. The main reasons for this failure to comply are: (i) they do not fully understand their obligations under PCI DSS or (ii) they wrongly assume the steps required for compliance to be too complex and costly.

This paper aims to provide an easy to follow, digestible and practical guide to what PCI DSS Compliance means, the different options for compliant call recording, the pros and cons of these options and a proven approach to protect your organisation and its customers.

Read more about PCI Compliance and how call recording should be deployed to comply in the latest guide in our Business Systems Best Practice series: “How to Ensure PCI DSS Compliance”.

Contact Business Systems on 0800 458 2988 or email us if you require further details about our Call Recording products and services.

Document Transcript

Introduction

Any organisation that is taking sensitive data from a customer, in particular credit or debit card details, has a duty to ensure they are taking every step possible to protect customers and their data from fraudulent use and identity theft.

In 2012, according to the Financial Fraud Action (FFA UK) website, card fraud rose in the UK to £388m, up 14% on 2011. Within this figure £32.1m was associated with Card ID theft, a staggering 42% increase on the previous year.

The Payment Card Industry Security Standards Council (PCI SSC) was established in September 2006 with the objective of improving security standards throughout the payment transaction process. The subsequent Data Security Standard (PCI DSS) is now in force and applies to anyone taking credit/debit card payments in-person, over the internet or by telephone.

Despite these steps being taken by the payment card industry, many organisations in the UK have failed to put in place the necessary technology, processes and procedures to ensure full compliance. The main reasons for this failure to comply are: (i) they do not fully understand their obligations under PCI DSS or (ii) they wrongly assume the steps required for compliance to be too complex and costly.

This paper aims to provide an easy to follow, digestible and practical guide to what PCI Compliance means, the different options for compliant call recording, the pros and cons of these options and a proven approach to protect your organisation and its customers.
BUSINESS SYSTEMS BEST PRACTICE GUIDE: ENSURING PCI DSS COMPLIANCE

The Consequences Of Non-Compliance

In the past, uncertainty regarding the consequences of non-compliance led to a number of organisations adopting a wait and see approach before investing money in becoming compliant. However, our research highlights three very real consequences of non-compliance that make the wait and see approach wholly inappropriate.

Monthly Fines for Non-Compliance

The PCI Security Standards Council was formed by the leading payment card providers including Amex, Discover, JCB, Mastercard and Visa. Merchants, banks, processors, and point-of-sale vendors are encouraged to join as Participating Organisations.

The payment card providers, at their discretion, can impose penalties for instances of non-compliance. To date, the scale of these fines is unclear. Initially fines ranged between £3,500 and £65,000 per month for PCI compliance violations. However, Mastercard has recently updated its merchant compliance plan with fines for a fourth PCI DSS violation now ranging up to £250,000.

Withdrawal of Merchant Services

The ultimate penalty is the withdrawal of their Merchant ID for organisations that repeatedly fail to comply with PCI DSS requirements. For any organisation that is dependent on taking card payment from customers, this effectively stops them from transacting business – a very high price to pay.

Erosion of Customer Confidence

The final area, and one that is often ignored, is customer confidence. Eckoh plc recently commissioned OnePoll to conduct a survey. They questioned 1,000 people across the UK about their attitude towards using contact centres as a way to make payments. A staggering 86% of respondents feared that the contact centre agent would misuse their details.

While PCI DSS is important, providing your customers with the confidence that you are protecting their highly personal information is the critical factor here.
What You Need To Know

Much has been written about compliance with PCI DSS. Speaking frankly, a significant proportion of this commentary has added to the confusion rather than providing clear guidance. To correct this, here are the facts about PCI DSS that are relevant to those people managing a credit card payment process, responsible for the technology supporting it or tasked with ensuring regulatory compliance.

FAQ 1: What Payment Card Information Can Be Retained?

The following table, published by the PCI Security Standards Council, clearly shows the facts around information retention. On no account can organisations retain, in any format, whether encrypted or not, sensitive authentication data including the full magnetic stripe data, card validation codes or PIN.

| Account Data | Data Element | Storage Permitted | Render Stored Account Data Unreadable per Requirement 3.4 |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | No |
| Cardholder Data | Service Code | Yes | No |
| Cardholder Data | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Magnetic Stripe Data | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2 |
| Sensitive Authentication Data | PIN/PIN Block | No | Cannot store per Requirement 3.2 |

Reproduced from: PCI Security Standards Council Information Supplement: Protecting Telephone-based Payment Card Data, March 2011.
FAQ 2: Who Does This Apply To?

PCI DSS applies to all organisations or merchants regardless of size or number of transactions. If any of your customers ever pay you directly using a credit or debit card, then the PCI DSS requirements apply.

Initially PCI DSS requirements applied only to merchants transacting more than £1m per annum via credit card. However, from 1st October 2010, the standard was extended to all merchants regardless of level.

In summary, no organisation, regardless of size or volume of transactions, is permitted under PCI DSS to record and retain sensitive authentication data associated with card payments, either within the applications they use or the technology they utilise to record calls.

FAQ 3: Does this have any implications for Call Recording?

The common misinterpretation of the requirements is that they apply only to the capture and retention of data in transactional or CRM systems. However, they apply to the capture and retention of information by any type of application, including call and screen recording solutions.

The facts are articulated in PCI SSC FAQ 5362: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

“It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted. It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2 or CID codes if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings. Where technology exists to prevent recording of these data elements, such technology should be enabled.”
The Options For Compliance

The consequences of non-compliance are too severe to be ignored. Action must therefore be taken to ensure that no personal authorisation information is captured and retained.

The challenge faced is how to ensure compliance without major disruption to processes and significant costs to the business. Here are what we believe to be the four primary options that are available to contact centres, and the pros and cons of each.

Automate Payment

A common approach for PCI Compliance is to pass the call to a self-service (IVR) solution at the point of collecting payment. The advantage this offers is that by removing the agent from the loop there is no risk of sensitive information being recorded and the approach is therefore fully compliant with PCI DSS.

For any organisations selling products, for those collecting payment for services in the public sector, or those involved in credit collection, and even for those processing charitable donations, the handoff to the IVR can have a serious impact on positive outcomes. The payment process is the moment of truth, the point when the transaction is completed. To hand the caller off to an automated system at this point and take the agent out of the loop will undoubtedly reduce the amount of completed transactions.

Transfer Callers to Non-Recorded Agents

Some organisations set up a separate team of agents who are responsible for taking card payments and who are not recorded. When payments need to be taken, the caller is transferred to this non-recorded team.

This approach allows you to retain the personal touch during the payment process while also being able to continue to record calls where appropriate across the rest of the organisation.

The disadvantage of this approach is that it represents a major change to operational processes. Any hand-off during a call is detrimental to the customer experience and, while not as severe as automation, it will have an impact on transactions completed. In the contact centre this approach can have a severe impact on productivity, as more agents will be required to ensure you have payment collectors available without delay and the average call duration will be increased.
Turn-Off Call Recording

This simplistic approach to compliance can be implemented by a flick of the power switch. The advantages of this approach are clear. If you are not recording calls there is no risk that you will retain personal authorisation information.

However, for some organisations this is not possible, particularly where regulatory compliance requires that all calls and transactions be recorded.

For those that do not have to record for regulatory compliance but view the capture of interactions as best practice, all of the value from recording, such as transaction protection, quality monitoring and agent performance management, will be instantly lost.

This is a high price to pay for PCI compliance, and an avoidable one.

Modify your Recording Solution

This approach minimises changes to existing processes and requires no IVR processing and no transfers to other agents. Instead, changes are made to how your recording solution is deployed, ensuring that it does not capture and retain any personal authorisation information.

Done correctly, this approach has no impact on the agent or the customer; they are unaware of the change and it ensures that you are fully PCI DSS compliant.

However, there have been many instances where organisations have modified their approach to recording in the mistaken belief that the changes being made would help them achieve PCI compliance.
Approaches To Recording

Although the most effective way for organisations to become PCI DSS compliant is to make changes to the way they record calls, there is much confusion as to how this is achieved and many promoted approaches do not actually result in PCI compliant recording.

Password Protecting Your Recorder

Limiting access to your recording platform and ensuring that each individual has a personal logon and password is good systems management practice, but it is not PCI DSS compliant. It does not satisfy Requirement 3.2, which stipulates that no personal identification information should be captured or retained.

Encryption

Initially a common belief was that if you encrypted the recordings then this would comply with PCI DSS. Further clarification in the Information Supplement: Protecting Telephone-Based Payment Card Data from PCI SSC dispels this belief.

“It is only the Primary Account Number (PAN) that can be retained in encrypted format. Sensitive Authentication Data, a key part in card transactions, cannot be stored whether encrypted or not.”

Audio Masking

With this technique an audio tone is inserted over the part of the call where payment details are being collected – a little like a TV bleep machine. While this may seem like a reasonable approach, it is not PCI DSS compliant as the sensitive authentication data is still being retained.

Manual Pause & Resume

Many of the recording vendors have approached PCI compliance by providing the facility for agents to manually pause and resume the recording of calls. The whole point of recording calls and PCI DSS is to protect the organisation and its customers from mis-selling, identity theft and fraudulent activity. So providing the agent with the ability to turn off the recording removes this protection.

More importantly, this approach depends upon the agent remembering to take the necessary action. It is because of this reliance on the agent that manual pause and resume is not considered by PCI SSC as being compliant. To quote the PCI SSC Information Supplement: Protecting Telephone-based Payment Card Data, organisations must:

“remove sensitive authentication data from recordings with no manual intervention by your staff.”

Automated Pause & Resume

With this approach, PCI DSS compliant recording is achieved by ensuring that the recording system stops recording during the payment process, when sensitive customer information is being exchanged. This is achieved through integrating the call recorder with your agent desktop and/or transactional systems.

In simple terms, when the agent enters the payment details screen a trigger is generated to the recorder to stop recording. Once they have passed beyond the payment screen to another screen, a second trigger is generated to restart the recording. With this approach there is no manual intervention required and sensitive authentication data is neither captured nor subsequently stored.
This approach does not just apply to the capture of the audio (the conversation); it can also be applied to those recording solutions that capture the agent screen, ensuring that this is also paused and resumed.

From an implementation point of view, this requires a certain degree of integration work. One approach to this is to embed the recording Application Programming Interface (API) code directly into the payment processing application. Where this is either not possible or proves too complex, desktop tools can be utilised that can detect when certain screen pages or fields are accessed and use this information to trigger the pausing and subsequent resumption of recording.

Automated Mute & Unmute

This approach is similar in principle to pause & resume, but rather than stopping the recording and restarting it, this approach mutes both the agent and the caller audio within the recorder while the agent is in the payment details screen. The recording isn’t “stopped” but, importantly, nothing is recorded, so on subsequent playback only silence or an audible tone is heard.

Both the pause/resume and mute/unmute approaches meet the requirements of PCI DSS. The difference between them relates to how the subsequent recordings are stored and retrieved.

With pause and resume the actual recording is stopped and then started again. For some basic recording solutions this results in two separate recordings with two separate, unlinked, call detail records. This produces issues when trying to find and play back recordings – you have to find two calls instead of one. Even when pause and resume maintains a single call recording, it can result in apparent anomalies in reporting. The missing segment of the recording produces differences in common contact centre reporting measures such as call start and end times, call duration and talk time.

In the mute and unmute solution, the sensitive authentication data is not recorded but the call nevertheless is captured as a single instance with a full and accurate call detail record.

DTMF-based collection of payment details

Consumers are very familiar with the process whereby they use their telephone to key in information – they are often asked to do so when using IVR systems. DTMF or “Dual tone, multi frequency” is the formal name for this approach to data capture and it can be used in a positive way to achieve PCI compliance.

When the agent gets to the payment capture point in a telephone call, they invite the caller to key in their credit card number, expiry date and authentication code. The phone system then passes the card details directly into the payment application. The agent stays on the line, so there is no transfer involved, but they don’t hear either the card numbers or the DTMF tones.

This approach helps you meet your PCI obligations because the credit card data is not spoken aloud and, crucially, the solution suppresses the recording of the DTMF tones. Furthermore, for organisations that carry out screen recording in conjunction with call recording, the solution masks the card details so that they don’t appear on the screen.
Getting PCI Compliance Right

It is a common misconception that there is an off-the-shelf solution for PCI Compliant Recording. There is not. First, it is not your recorder that is PCI DSS compliant but the way you deploy it. Second, the combination of your business type, your processes, the transactional systems you use and your recorder makes you unique.

However, there is a proven and repeatable approach to providing PCI Compliant recording that can be leveraged by your organisation. Below is an overview of the approach taken by Business Systems to enable our clients to continue to record their customer interactions while ensuring that they fully comply with PCI DSS requirements.

Understand Your Business & Your Options

We take the time to understand your business and recommend the best approach for you to achieve PCI compliance with the minimum disruption and impact to your business. As experts in call recording we are able to evaluate your current recording solution and desktop environment and propose the most cost effective way for you to create a compliant recording environment.

Access to APIs

Rather than charging a per-user licence fee for their recording APIs, many recording vendors charge instead for a developer licence. These developer licences are expensive and can make the cost-per-seat of the compliant solution prohibitive for many smaller contact centres. With partnerships in place with many of the leading recording vendors, Business Systems is uniquely positioned with access to these development environments so that we are able to provide cost effective integration.

What’s more, we are ideally placed to assist organisations who have multiple recording platforms or versions to take a single, best practice approach to PCI DSS compliance across a hybrid environment.

Leveraging Proven Expertise

To many organisations, performing the development required to make their recording platform PCI compliant is both daunting and potentially a lengthy process. At Business Systems we perform these integrations on a regular basis. We have done it many times before for many different types of organisations with many different types of systems in place. By leveraging our expertise you are able to expedite the process at the same time as reducing associated cost and risk.

Testing & Validation

A key part of any PCI DSS recording project is full and comprehensive testing. Having a solution in place does not necessarily make you compliant. You need to be able to prove that you are not retaining any Sensitive Customer Authentication Data.

As part of our PCI projects, Business Systems undertake detailed and thorough end-to-end testing. We validate that you are no longer capturing or storing payment details and that there are no exceptions.
Conclusion

This Business Systems Best Practice Guide sets out to demystify PCI DSS compliance and its implications for call recording.

To summarise:

• If you take credit card payments you are required to comply with PCI DSS requirements. This applies to everyone and it applies now.
• Failure to comply could result in significant fines of up to £250,000, loss of customer confidence and having your ability to take card payments withdrawn.
• If you are recording calls, you are not permitted to capture and hold Sensitive Customer Authentication Data, whether this information is encrypted or not.
• Ensuring that you are recording calls in a PCI DSS compliant way does not have to be daunting, complex or costly. It just needs access to the right expertise.

The costs of achieving PCI Compliance within your call recording are negligible in comparison to the consequences of non-compliance. At Business Systems we have the experience and technical expertise to deploy compliant solutions simply and effectively without the need for you to change the way you engage with customers.
Business Systems (UK) Ltd
462 London Road
Isleworth
Middlesex
TW7 4ED
Tel: 0800 458 2988
Email: marketing@businesssystemsuk.com
Web: www.businesssystemsuk.co.uk

©2013 Business Systems UK Limited. The information contained in this Best Practice Guide is believed correct at the time of publication; such information is subject to change without notice.