All I Want for Christmas is PCI Compliant Call Recording

Thursday, December 8, 2011 by Patrick Botz
Ahead of this year's holiday season, consumers charged more to their credit cards for the second straight month. Robust holiday spending is driving the speculation that U.S. consumers are shifting their use of credit and debit toward credit. Early spending patterns do suggest that total credit card spending is increasing, as it has all year. Worldwide, consumers carry more than 1 billion Visa cards alone. More than 450 million of those cards are in the United States. The number of U.S. identity fraud victims rose 12 percent to 11.1 million adults last year. Credit and debit card fraud is the No. 1 fear of Americans in the midst of the global financial crisis. Concern about fraud supersedes that of terrorism, computer and health viruses and personal safety – one in ten Americans have already been victims of credit card fraud. Software.net found that as many as 40% of its transactions were fraudulent. Expedia.com lost $6 million due to fraudulent credit card purchases.

During the holidays and throughout the year, contact centers that engage in catalog sales, up-selling and/or cross-selling, service providers, and collection companies that take payments in the form of credit or debit cards can become unsuspecting targets of cyber criminals. The card information is typically entered by agents into a CRM or other sales automation software and may be recorded by voice and screen recorders. And there it resides - thousands and even millions of card records inviting remote criminals or even greedy employees to extract consumer card data for personal gain or to sell it into a sophisticated secondary market.

The payment card industry (PCI) established a Council to define technical standards aimed at minimizing the risk of cyber crime involving the misuse of credit cards. The Council subsequently issued a Data Security Standard (PCI DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. Contact centers and other organizations that accept credit card payments are generally prohibited from archiving sensitive information such as account numbers and security codes after payment authorization has been received. Compliance with PCI DSS is now mandatory for all non-credit card 'issuing' organizations dealing with credit, debit and ATM cards, as defined by the PCI Security Standards Council - the size of an organization and its annual sales are no longer a factor for exceptions. While being compliant with PCI DSS - an already daunting task - is the first part, it is also required that you prove your organization's compliance with PCI DSS. This PCI Audit is performed either with a set of questionnaires or by a Qualified Security Assessor, external to the organization.

On October 28, 2010, the Payment Card Industry Standards Council made a major update to the PCI Data Security Standard to clarify it. PCI DSS version 2.0 took effect on January 1, 2011. In PCI DSS version 2.0, the PCI DSS standards were clarified to require that no sensitive credit card information be stored within recorded calls, even if those calls are encrypted. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms. Organizations that do not take action by December 31, 2011 to ensure compliance with these new PCI call recording requirements could face costly fines.

Achieving PCI DSS Compliance

To help organizations ensure compliance and avoid costly fines, VPI has developed an effective, affordable solution. The VPI CAPTURE PCI call recording system has the ability to detect when an agent enters an application screen with sensitive information, when sensitive information is entered, and when the agent leaves a screen containing sensitive information. The VPI telephone voice recording system then has the ability to promptly mute sections of recorded audio and mask screen video during this sensitive portion of the call.

To further secure sensitive information, the VPI CAPTURE PCI DSS call recording system helps you:
  • Secure File and Data Transport and Storage Encryption – VPI uses built-in end-to-end data encryption and key management to secure the SQL database that holds attributes of all recordings. The media manager provides for AES 128, 192, 256 or variable bit encryption/decryption when files are stored and accessed from the media manager.
  • Ensure Authenticity with File Watermarking – Every call within the VPI system is watermarked in real time to ensure authenticity. VPI offers a powerful application to validate the authenticity of any WAV file.
  • Monitor User Activity with Detailed Audit Log Reporting – VPI records all user activity within the system so that organizations can conduct full trace audits to determine who accessed any recording in the system and when - for playback, export, or any other critical events.
As the December 31st deadline approaches, we're here to guide and help you in achieving your goals of becoming PCI compliant quickly and affordably.
