
PCI Compliance for Call Recording


Everything you need to know about achieving PCI compliance when recording calls where payments are made and the different options available.


  1. PCI Compliance for Call Recording
     Atiq Rehman
     Copyright Business Systems UK Limited 2013
  2. PCI Compliance – What Is It?
     • PCI – Payment Card Industry
     • PCI DSS – Payment Card Industry Data Security Standard
       - Security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards
       - PCI Security Standards Council formed by leading card providers …
  3. Who Does This Apply To?
     All organisations or merchants regardless of size or number of transactions.
     Are There Any Implications For Call Recording?
     Yes, as per PCI SSC FAQ 5362: “It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data .... after authorisation even if encrypted. It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2 or CID codes if that data can be queried. Where technology exists to prevent recording of these data elements, such technology should be enabled.”
  4. PCI DSS – Storage Of Info
  5. PCI DSS – Storage Of Info
  6. PCI DSS – Storage Of Info
  7. Consequences of Non-Compliance
     • Monthly fines for non-compliance
     • Withdrawal of merchant services
     • Erosion of customer confidence
     Only 5% of people are confident that financial data will be safe when given to an agent over the phone*
     86% of consumers believe agents will misuse their personal card details*
     Monthly fines: initially £3,500 - £65,000, now up to £250,000
     *Source: Survey of 1,000 UK consumers conducted by OnePoll on behalf of Eckoh
  8. PCI Compliance For Call Recording
     1 – Automated Payments via IVR
     2 – Transfer Callers To Non-Recorded Agents
     3 – Turn Off Call Recording
     Trade-offs of these options:
     • Poor customer experience
     • Impact on operational processes & productivity
     • Increased average call duration
     • Implications for dispute resolution / fact verification
  9. PCI Compliance For Call Recording – 4 – Modify the Recording Solution
     • Security Permissions – good practice but not enough
     • Media Encryption – “It is only the Primary Account Number (PAN) that can be retained in encrypted format. Sensitive Authentication Data, a key part in card transactions, cannot be stored whether encrypted or not.”
     • Audio Masking – an audio tone is inserted over the card details, but the recording still retains the sensitive authentication data
     • Manual Pause / Resume of Recordings – “Organisations must remove sensitive authentication data from recordings with no manual intervention by your staff.”
  10. PCI Compliance For Call Recording – 4 – Modify the Recording Solution (continued)
     • Automated Pause / Resume of Recordings – when the agent enters payment details on screen, a trigger is generated to stop the recording; or API driven
     • Automated Mute / Un-mute of Recordings – similar to pause & resume, but mutes the recording rather than stopping it, so you don’t end up with two separate, unlinked recordings
     • DTMF Collection of Payment Details – the caller keys in the credit card details via the handset, with the phone system passing the details directly to the payment application
  11. Our Recommendations
     • Security – Permissions
     • Security – Firewall
     • Media Encryption – used for both audio and screen recording
     • Automated Pause / Resume – desktop based or API driven, OR
     • DTMF Collection of Payment Details
  12. Getting it right – PCI compliance
     • Continue to monitor – make changes if required
     • Test & validate – end to end testing
     • Consult with a PCI DSS QSA
     • Reduce cost & risk – suppliers who regularly integrate PCI solutions
     • Leverage proven expertise
     • Minimise disruption and impact on business
     • Options
     • Budget
  13. PCI Best Practice Guide
     Covers:
     • Options for compliance
     • Approaches to call recording
     • Getting PCI compliance right
     Complimentary copy available.