PCI DSS and Call Recording

Why is PCI compliance such a big issue for contact centres?

When you consider that fraud can potentially account for between two and three percent of the bottom line for financial services companies, it’s hardly surprising that payment card providers and their merchants are targeting issues such as Card Holder Not Present Fraud.

That’s why the leading card operators came together to create the Payment Card Industry Data Security Standard (PCI DSS) – a set of industry-wide requirements and processes aimed at fighting payment card fraud.

Today’s UK contact centres handle millions of card-based financial transactions – and that’s across a wide range of sectors, not just financial services. PCI DSS can help minimise the potential for fraud, and that makes good business sense for contact centres.

The Payment Card Industry (PCI) launched the Data Security Standard (DSS) back in 2007 to protect merchants from the increasing risk of fraud. PCI DSS is a combination of security policies, technology and network changes aimed at minimising fraud by reducing system exposure.

The main issue addressed by PCI compliance is data storage, making it an offence to store both the credit card numbers and three-digit security codes on premises, which together can be used to make fraudulent transactions.

Mandatory Compliance

From 1st October 2010 every merchant in the UK will have to be compliant, but at present compliance is only mandatory for Level 1 & 2 merchants. These levels apply to the volume of transactions your business processes each year. Level 1 is more than £6 million, Level 2 £1-6 million, Level 3 20k – 1 million and Level 4 up to 20k.

If your business is in the lower levels then missing the October deadline will result in fines which could be in the region of £10,000, with Visa and Mastercard issuing ongoing fines on a monthly basis until compliance has been reached. In extreme cases merchants may even lose their merchant codes, effectively ended their ability to trade.

Are all contact centres aware of their responsibilities in this area?

More and more are, but we’re still surprised just how many UK contact centre operators are still unsure about the specifics of payment card industry compliance standards and how they impact their customer transactions. According to data collected during a seminar series, a third of respondents believed that their contact centre operations were still non-PCI compliant, while a further third were uncertain of their current PCI status.

The PCI standard is especially applicable to the contact centre environment, where many organisations are failing their PCI DSS compliance audits through the incorrect capture and storage of prohibited customer card data such as account PIN blocks and CVV2 security codes. This is obviously a particular concern for businesses that have to record their calls for FSA compliance reasons, but don’t have any means of consistently halting recordings during the exchange of sensitive payment card data.

What are the penalties for non-compliance with the PCI data security standard?

Non-compliant operations may lose the right to accept credit card transactions or be fined. In the US, for example, Mastercard has recently updated its merchant compliance plan, with fines for a fourth PCI DSS violation now ranging up to $400,000 for non-compliant merchants.

“It’s estimated that fraud can potentially account for between two and three percent of the bottom line for financial services companies, with Card Holder Not Present Fraud currently proving a key challenge for payment card providers and their merchants. As an industry, however, the contact centre sector still has a lot of work to do in helping organisations to meet their PCI compliance obligations,” commented Adam Faulkner, Director at Sabio.

What steps should a contact centre take to ensure compliance with industry standards?

Many contact centres are failing their PCI compliance audits because they capture and store prohibited customer card data such as account PINs and CVV2 security codes. Businesses that have to record their calls for FSA compliance reasons should look first at putting processes in place to allow them to consistently suspend recordings during the exchange of sensitive payment card data.

What costs are involved?

Clearly ensuring that your operations forbid the storage of a customer’s credit card details – specifically the card-validation code (the three or four digit number printed on the front or back of a payment card) used to verify card-not-present transactions – will have a project cost associated with it. There are contact centre technologies involved, but full PCI DSS compliance is a broad topic and can also involve issues around security, call recording, network, server and database management and control processes.

What are the key technologies that enable such compliance?

From the contact centre perspective you specifically need to look at compliance or quality recording platforms that automatically record customers speaking their card details, creating a potential breach of compliance.

The primary goal should be to avoid recording credit card data in the first place by muting audio and excluding credit card data input from screen recording.

An innovative approach here is to hand control of the call over to an automated credit card payment system at this point. This resolves this problem as call recording can be deactivated for the automated leg of the call and restarted when an agent takes back the call. In turn, customers buy-in to this process because of the obvious security benefits – we are creating a positive customer experience – particularly for those who are reluctant to disclose their credit card details to an agent.

Secure payments through an IVR system

One example of a secure payments solution combines self-service and call recording technologies to create an integrated answer to this challenge. The solution acknowledges that you can’t rely on live agents to always suspend interaction recording at the critical payment stage, so instead shields agents from the need to handle sensitive customer data (and exposure to potential fraud) by transferring customers to a secure, speech-enabled credit card payments line.

Muting of a conversation on certain fields

Customised development using an API may also provide for automated start/stop recording or muting of the conversation when completing certain fields within an application (subject to the appropriate telephony environment)

Removing accidental card data

The primary goal is not to record cardholder information in the first place. Exceptional cardholder data stored as a result of human error should only be accessed following a two-person integrity mechanism.

The PCI Requirements

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Further Reading

If you visit the official PCI website you find advice on finding a QSA plus a list of approved assessors

Whilst more and more call centres are becoming aware of the PCI compliance there remains much confusion surrounding the costs for implementation, which to be fair haven’t been clearly communicated. Any call centre which is concerned about how much it will cost and what level of compliance they require should take the self assessment questionnaire found of the official PCI website official PCI website

• Call Recording Guidelines
• Data Protection Act and Call Recording

Contributors

• Mike Andrews of Sabio
• James King of Nice
• Mike Murley of ASC Telecom
• John Wood of C3