infoTECH Feature

February 10, 2009

Evaluating PCI DSS Compliance in Call Recording Solutions

PCI DSS (Payment Card Industry Data Security Standard) is rapidly becoming the international standard for credit card safety in contact center environments. Recent failures to protect financial data provided in customer interactions have resulted in legislation to protect the consumer, with a direct impact on the selection and operation of call recording solutions.
 
Primary Account Numbers
Primary account numbers (PAN) refer to the main number, usually 16 digits, on the front of the credit card. According to PCI DSS, storage of this information is permitted, but must be protected from unauthorized personnel.
 
In many systems, encryption ensures compliance with this requirement. Recording solutions can encrypt audio data at rest and audio transmissions in transit to protect PANs from hackers invading the system. Network communications may also be protected by other secure transmission mechanisms such as HTTPS, SFTP and SSL.
 
Hardware and software used primarily to protect computer systems, such as firewalls and virus scanners, should be integrated into the entire system environment. Recording solutions may also be “hardened” through port scanning and through central logging of system and security events.
 
Specific measures in the development and deployment process can also help to safeguard storage of PANs. Regular source code reviews should be conducted, and the latest security patches for third-party software should be included in every new version of a recording solution. Similarly, vendor-supplied defaults for system passwords should always be changed before incorporation into a contact center’s infrastructure.
 
Other personnel procedures may be used to restrict access to sensitive data. These include restricting physical access through a need-to-know policy, assigning a unique ID to each agent using the system, and instituting a two-person integrity mechanism for replay of audio.
 
Card Security Code
Card security codes (CSC), also referred to as card validation codes (CVC) or card verification values (CVV), are printed on credit cards to ensure the customer is in physical possession of the card. Usually found on the back of the card next to the signature strip, this three- or four-digit number provides a secondary level of protection to guard against fraud. As such, PCI DSS mandates even greater security to safeguard its use. Card security codes (encrypted or not) must be discarded after authorization of a transaction.
 
This requirement suggests a different approach to card security for PANs as well: pausing or muting the audio by stopping and then re-starting the call recording. Automation of the stop and start can be achieved by intelligent content monitoring of the agent’s screen, which is the best way to avoid preserving card security codes because it removes the possibility of human error. Another method is a manual stop-and-start by the agent.
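The automated stop-and-start described above, as an added example that is not part of this article or of any vendor's product: a recorder that drops audio frames while a screen-monitor pause is in effect and fails closed (keeps dropping) if the resume event never arrives. The event names cvv_focus and cvv_blur and the merged timeline format are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical screen-monitor event names (assumed for this example):
# "cvv_focus": agent's cursor enters the card security code field -> pause
# "cvv_blur":  agent leaves the field after authorization         -> resume
PAUSE_EVENTS = {"cvv_focus"}
RESUME_EVENTS = {"cvv_blur"}

@dataclass
class PauseResumeRecorder:
    """Keeps audio frames only while no pause is in effect. Fails closed: if a
    resume event is lost, frames stay dropped until the call ends."""
    paused: bool = False
    kept: List[Tuple[float, str]] = field(default_factory=list)
    dropped_windows: List[Tuple[float, float]] = field(default_factory=list)
    _pause_start: Optional[float] = None

    def on_screen_event(self, t: float, name: str) -> None:
        if name in PAUSE_EVENTS and not self.paused:
            self.paused, self._pause_start = True, t
        elif name in RESUME_EVENTS and self.paused:
            self.paused = False
            self.dropped_windows.append((self._pause_start, t))

    def on_audio_frame(self, t: float, frame: str) -> None:
        if not self.paused:          # frames during a pause are never stored
            self.kept.append((t, frame))

    def end_call(self, t: float) -> None:
        if self.paused:              # resume never seen: close the window here
            self.dropped_windows.append((self._pause_start, t))
            self.paused = False

def process(timeline):
    """timeline: (t, kind, payload) entries from recorder and screen monitor,
    kind is 'audio' or 'screen'; entries are merged in time order."""
    rec = PauseResumeRecorder()
    for t, kind, payload in sorted(timeline, key=lambda e: e[0]):
        rec.on_screen_event(t, payload) if kind == "screen" else rec.on_audio_frame(t, payload)
    rec.end_call(max(e[0] for e in timeline) if timeline else 0.0)
    return rec

def retained_overlaps_window(rec: PauseResumeRecorder) -> bool:
    """Audit check: True if any kept frame falls inside a dropped window."""
    return any(a <= t < b for t, _ in rec.kept for a, b in rec.dropped_windows)

# Constructed sample call: cursor enters the CVV field at t=3.0 and leaves at
# t=5.0; the audio frames in between are the ones that would carry the code.
SAMPLE = [
    (0.0, "audio", "agent asks for the card number"),
    (1.0, "audio", "caller reads the card number"),
    (3.0, "screen", "cvv_focus"),
    (3.5, "audio", "caller reads the security code"),
    (4.5, "audio", "agent confirms the code"),
    (5.0, "screen", "cvv_blur"),
    (6.0, "audio", "agent says the payment is authorized"),
]
```

Running `process(SAMPLE)` keeps the frames at 0.0, 1.0 and 6.0 and records one dropped window (3.0, 5.0); with the cvv_blur event removed, the window extends to call end and the 6.0 frame is also dropped.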
 
Conclusion
New legislation to protect customers’ financial information is a serious matter. Organizations using this data must undergo annual reviews, are subject to audits, and may be severely fined if in violation. Before purchasing any call recording solution, you must evaluate its approach to PCI DSS.
Peter Schmitt is Director, Research & Development, ASC telecom AG. For more information or to read more of his columns, please visit his columnist page.

Edited by Greg Galitzine