Non-compliancy brings about fines and penalties from the payment card industry and providers. Banks have been seizing money from client accounts for payment of fines.In the event of a breach customers are required to hire a forensic investigation team from a list of approved firms.
Developed by the PCI Standards Council this is a self-regulated group comprising global payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its purpose is for protecting Cardholder data to help prevent fraud. There are 12 principal controls which have been defined. Link to PCI websiteIts scope covers all entities that store, process or transmit cardholder data, including businesses accepting payment over the phone. If these calls are recorded they become subject to PCI DSS.Its requirement is the removal of the sensitive authentication data as per the table below. Violation is subject to fines.
From 1st October 2010 it became mandatory for Levels 1 & 2 to be compliant. It is not yet mandatory for Levels 3 & 4, although penalties could be enforced at all Levels.Penalties can vary dependent on the card issuer and the Merchant Level. However, a publicised guideline is as follows:Fines at the rate of €5 per compromised account A breach fee in excess of €100,000 per incident Possible restrictions on the merchant Permanent prohibition of the merchant’s participation in Visa and MasterCard programs Beyond compliance, business risks relative to brand, customer loyalty and company valuation exist
is not a legal or regulatory requirementData breaches of personal data are subject to Data Protection laws (£500k limit)
Stop start compatible with most phone systemsNo complex integration – can be applied to inbound (NGN/IVR) or outbound (CPS/LLU)Ideal for companies using Remote workers or 3rd partiesCan be used as part of a Disaster Recovery solutionSupplementing Premises Based systems
No set-up fee and low monthly chargeScales as your business growsSticky product not easy to move
Get PCI Compliant: Hosted Call Recording
How to tackle the PCI IssuePartner PresentationGrand Connaught Rooms – 1st May 2012Martin Gronow – Product Line Manager – TTBPeter Jackson – Head of Risk Consultancy Group - IRM
IRM Key Facts & Background Background Service Portfolio• Founded in 1998 to provide assurance • PCI DSS Services services to FTSE 250 companies • Security Risk Assessment • Technical Assurance • Security Management • Network Security • Technical Assurance • Data forensics • Network forensics managed services• Joined CESG CHECK Scheme in 2001 • Security Management Services• Joined PCI DSS Scheme in 2005• Progressed into business risk consulting Managed Services • Compliance • Standards • NetFACTS• Defined CREST standards for network • OmniPORT forensics• Virtual team supplier to MoD and GCHG “IRM has worked extremely hard to be flexible to meet our changing demands and requirements. They are our security partner Information Risk Management Plc of choice” CISO, Cable & Wireless Worldwide Information Risk Management Plc 3rd Floor Winchester House | 259 – 269 Old Marylebone Road | London NW1 5RA | UK Tel+44 (0)20 7808 6420 | Fax +44 (0)20 7808 6421
Our Capability Certifications CLAS and CHECK (Team Leader/ Team Member) PCI QSA / QFI CISCO CCSP CHECKPOINT CCSA / CCSE CISA / CISM SANS GIAC CHTQ OSSTMM OPST / OPSA / Trainer GSEC Lead Auditor ISO 27001 MBCS MSc EnCe CISMP ISC (2) CISSP “IRM’s consultants are active ISEB Business Continuity Practitioner within the security industry and sit on various panels and have Consultants background checked prior to been instrumental in employment establishing bodies such as Consultants are cleared up to DV as required CREST. “Information Risk Management Plc Security, Privacy, TrustInformation Risk Management Plc rd
Example Clients & FrameworksInformation Risk Management Plc3rd Floor Winchester House | 259 – 269 Old Marylebone Road | London NW1 5RA | UK Tel+44 (0)20 7808 6420 | Fax +44 (0)20 7808 firstname.lastname@example.org http://www.irmplc.comIRM is a company registered in England with Company Number 3612719.
Requirement For PCI Fines for non-compliancy can include the following: • Fines of $500,000 per data security incident • Fines of $50,000 per day for non-compliance with published standards • Liability for all fraud losses incurred from compromised account numbers • Liability for the cost of re-issuing cards associated with the compromise • Suspension of merchant accounts
What is PCI DSS?Stands for Payment Card Industry Data Security StandardPurpose - Protecting Cardholder data to help prevent fraud.Scope – any business that stores, processes or transmitscardholder data – including taking payments over the phone.If these calls are recorded they become subject to PCI DSS.Its requirement is the removal of the sensitive authenticationdata as per the table below. Violation is subject to fines. CARDHOLDER DATA SENSITIVE AUTHENTICATION DATA• Primary Account Number (PAN) • Full Magnetic Stripe Data• Cardholder name • CAV2/CVC2/CVV2/CID• Service Code • PIN/PIN Block• Expiration Date Data must encrypted or not stored Must not be stored
PCI EnforcementMerchants are classified according to the number of transactions processed.• Level 4 Level 3 Any merchant processing <20k or up to 1m Visa or MasterCard transactions per year Level 2 Any eCommerce merchant processing up to 1m Visa or MasterCard transactions per year Level 1 Any merchant processing 1m-6m Visa or MasterCard transactions per year Any merchant processing over 6m MasterCard and Visa card transactions per year
Is PCI Mandatory?• Yes – PCI compliance is a contractual obligation• Visa/Mastercard require all Merchants & Service providers to be validated against PCI DSS V2.0• Smaller merchants not required to explicitly validate compliance but….• None compliance but may trigger penalties and/or fines in the event of a breach.• Data breaches can be subject to Data Protection laws• The Information Commissioners Office regards compliance with PCI as basic best practice
Product/Proposition Overview The one big thing: Cloud- based Hosted call recording solution - Designed specifically to help customers meet PCI DSS - Delivered with minimal cost, effort or disruption The next big thing: Hosted Call Recording helps Prevent fraud. - Removes sensitive information from vulnerable areas - Live Agent telephone ordering Simple but flexible: - No complex integration - Ideal for Remote workers or 3rd party Call Handling - Disaster Recovery solution
Benefits of Hosted Call Recording High Value Proposition No Set-up fees or capital investment - Calls & Storage revenue streams - Simple monthly charge - PCI version – meet compliance & avoid fines Easy to provision Calls automatically recorded as they transit the network - Configurable feature for NTS or outbound or both - No line or equipment limits - Simple to use PCI solution Simple but flexible: - Ideal for Remote workers or 3rd party Call Handling - Disaster Recovery solution