Although 30th September 2010 was the deadline for call centres to become PCI DSS (Payment Card Industry Data Security Standard) compliant, there are growing indications that a number of call centres are still struggling to get their heads around the requirements.
Call centres which handle payment transactions over the telephone are now under considerable pressure to ensure that their recording solutions are PCI compliant. Fraud is on the increase, and call centres need to ensure that the necessary safeguards are in place to protect the consumer.
Fines for data breaches arising from non-compliance can go up to $100,000 (£63,450) per month, and may result in having the ability to process credit card transactions frozen by the acquiring bank.
PCI DSS is rapidly becoming the international standard for credit card safety in contact centre environments. Recent failures to protect financial data provided in customer interactions have resulted in legislation to protect the consumer, with a direct impact on the call centre’s selection and operation of call recording solutions.
“Sensitive credit card data includes the ‘Primary Account Number’ (PAN), which refers to the main number, usually 16 digits, on the front of the credit card. According to PCI DSS, storage of this information is permitted, but must be protected from unauthorized personnel”, said Peter Fernando, Marketing Manager, ASC Telecom.
In most cases, encryption satisfies this requirement. Recording solutions can encrypt stored audio data and audio transmissions, protecting PANs both at rest and in transit from attackers who break into the system. Network communications may also be protected by other secure transmission mechanisms.
Hardware and software that call centres already use to protect their computer systems, such as firewalls and virus scanners, should cover the call recording system as part of the overall environment. Call recording solutions may also be “hardened” by port scanning and by central logging of system and security events.
Card security codes (CSC), also referred to as card validation codes (CVC) or card verification values (CVV), are printed on credit cards to show that the customer is in physical possession of the card. Usually found on the back of the card next to the signature strip, this three- or four-digit number provides a secondary level of protection to guard against fraud. As such, PCI DSS mandates even stricter handling of the code. Card security codes (encrypted or not) must be discarded after authorization of a transaction.
This requirement also suggests a different approach to protecting PANs: pausing or muting the audio by stopping and then restarting the call recording while the card details are given. The stop and start can be automated by monitoring the content of the agent’s screen, which is the best way to avoid preserving card security codes without relying on the agent and risking human error. Other methods include a manual stop-and-start by the agent.
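The screen-triggered stop-and-start described above, as an added example that is not code from the article or from ASC Telecom: a small Python simulation in which the recorder drops audio while the agent's cursor is in a field flagged as card data, followed by an audit that scans what was actually stored for Luhn-valid card numbers. The event names, the use of transcript text as a stand-in for audio samples, and the sample call are all constructed for this example.

```python
"""Pause-and-resume call recording driven by agent-screen events.

Added example (not a vendor's product code).  A hypothetical desktop monitor
raises CARD_FIELD_FOCUS / CARD_FIELD_BLUR events when the agent enters or
leaves a card-data field; the recorder suppresses audio between them so the
PAN and card security code never reach storage.  A post-hoc audit using the
Luhn checksum then confirms that no card number survived in the recording.
"""
import re
from dataclasses import dataclass, field

# Constructed event names for the (hypothetical) screen monitor.
CARD_FIELD_FOCUS = "card_field_focus"
CARD_FIELD_BLUR = "card_field_blur"
AUDIO = "audio"  # a chunk of call audio; transcript text stands in for samples


@dataclass
class Event:
    kind: str
    payload: str = ""


@dataclass
class Recorder:
    """Stores audio chunks unless recording is paused by a card-field event."""
    honor_screen_events: bool = True   # False simulates a recorder with no pause
    paused: bool = False
    stored: list = field(default_factory=list)
    dropped: int = 0                   # chunks suppressed while paused

    def handle(self, ev: Event) -> None:
        if ev.kind == CARD_FIELD_FOCUS and self.honor_screen_events:
            self.paused = True
        elif ev.kind == CARD_FIELD_BLUR and self.honor_screen_events:
            self.paused = False
        elif ev.kind == AUDIO:
            if self.paused:
                self.dropped += 1
            else:
                self.stored.append(ev.payload)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by PANs; separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or hyphens, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates found in stored content."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def run_call(events, honor_screen_events: bool = True) -> Recorder:
    rec = Recorder(honor_screen_events=honor_screen_events)
    for ev in events:
        rec.handle(ev)
    return rec


def audit(rec: Recorder) -> list:
    """Compliance check: card numbers that made it into the stored recording."""
    return find_pans(" ".join(rec.stored))


# Constructed sample call; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_CALL = [
    Event(AUDIO, "Thanks for calling, can I take your order number please"),
    Event(AUDIO, "order number is 2048 and I'd like to pay by card"),
    Event(CARD_FIELD_FOCUS),
    Event(AUDIO, "card number is 4111 1111 1111 1111"),
    Event(AUDIO, "and the security code is 737"),
    Event(CARD_FIELD_BLUR),
    Event(AUDIO, "thank you, the payment has gone through"),
]

if __name__ == "__main__":
    good = run_call(SAMPLE_CALL)
    print("with pause: stored", len(good.stored), "dropped", good.dropped,
          "PANs found", audit(good))
    bad = run_call(SAMPLE_CALL, honor_screen_events=False)
    print("without pause: PANs found", audit(bad))
```

The audit only looks for PANs, because a three- or four-digit card security code cannot be told apart from any other short number in a transcript; that is exactly why the article insists the code must never be recorded rather than found and scrubbed afterwards. The same Luhn scan is useful as a periodic check over a real recording archive's transcripts or screen captures, and against the agent's manual stop-and-start, where a forgotten button press is the failure mode to detect.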
“The primary goal for the call centre is to avoid the recording of credit card data in the first place, by muting audio and excluding credit card data input from screen recordings,” said Peter Fernando.
“In order for call centres to meet PCI DSS compliance, it is essential that the Card Validation Code (CVC) is not recorded. Encryption alone will not meet the PCI DSS compliance standard. Some call recorder vendors will claim that encryption, or so-called end-to-end encryption, will meet the compliance standard; however, it is a prerequisite that sensitive information such as the CVC is not recorded at all, to ensure maximum security,” he continued.
Peter Fernando is the Marketing Manager at ASC Telecom (www.asctelecomuk.com)