PCI Compliance

Achieving PCI Compliance

We’re experienced in helping companies adhere to PCI Security Standards Council rules on credit card data storage.

Background to PCI Compliance

To prevent fraud and theft, the PCI Security Standards Council requires that a company taking credit card numbers comply with its data storage rules. In pursuit of PCI compliance, many companies keep their card-handling processes outside the scope of PCI DSS.

Latest Information Supplement from PCI SSC March 2011: Protecting Telephone-based Payment Card Data

Card security fraud is on the increase and businesses need to ensure that they have the necessary safeguards in place to protect the consumer. Businesses handling payment transactions over the telephone are now under considerable pressure to ensure that their call recording system is PCI compliant.

Recent failures to protect financial data provided during customer interactions have resulted in legislation to protect the consumer, with a direct impact, in the form of increased security requirements, on all businesses which take payments over the telephone. Organisations which do not adhere to the PCI compliance regulations can have their merchant numbers withdrawn and can be severely fined if in violation.

For this reason, before purchasing any call recording solution you must evaluate how well it conforms to PCI DSS.

What is PCI Compliance?

PCI DSS (Payment Card Industry Data Security Standard) is rapidly becoming the international standard for credit card safety. The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The comprehensive standard is intended to help businesses to proactively protect customer account data.

Sensitive credit card data includes the ‘Primary Account Number’ (PAN), which refers to the main number, usually 16 digits, on the front of the credit card. According to PCI DSS, storage of this information is permitted, but must be protected from unauthorised personnel.

In most cases, encryption ensures compliance with this requirement. Recording solutions can encrypt stored audio and audio in transit to protect PANs from attackers who gain access to the system. Network communications may also be protected by other secure transmission mechanisms. Hardware and software that businesses use primarily to protect computer systems, such as firewalls and virus scanners, should be integrated into the entire system environment.

Card security codes (CSC), also referred to as card validation codes (CVC) or card verification values (CVV), are printed on credit cards to confirm that the customer is in physical possession of the card. Usually found on the back of the card next to the signature strip, this three or four digit number provides a secondary level of protection against fraud. As such, PCI DSS mandates even stricter handling of these codes: card security codes (encrypted or not) must be discarded after authorisation of a transaction.

This requirement suggests a different approach to card security, which applies to PANs as well: pausing or muting the audio by stopping and then restarting the call recording.

How can Retell help you to achieve PCI Compliance?

Retell can help your business to meet PCI DSS Compliance with its award winning Sense recording platform. Retell offers three solutions for PCI Compliance:

Active Pause Record

This solution provides manual stop/start recording using DTMF (Dual-Tone Multi-Frequency) signalling, in other words the tones heard when dialling a call. The telephone agent stops and restarts the recording by pressing a key or sequence of keys on the handset. An override restarts the recording in case the agent forgets.

Passive Pause Record

This software solution automates the stop and start through intelligent monitoring of the agent’s screen, which is the best way to avoid retaining card security codes through human error. When the agent opens the credit card screen or web URL to request card details, that screen activity automatically mutes the call recording.

API Link

Retell can provide competent IT programmers with an API link so that they can write their own code to pause recordings, for example triggered from a CRM or database entry.
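As an added illustration (not Retell’s or the Sense platform’s code), the following Python models the pause/resume control that all three approaches rely on: audio frames that arrive while the recording is paused are dropped rather than buffered, so no PAN or card security code audio is ever retained, and an assumed maximum-pause override resumes recording if the agent forgets. The event sources, the frame format and the 60-second limit are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed override limit: resume automatically if a pause runs this long (agent forgot).
MAX_PAUSE_SECONDS = 60.0

@dataclass
class PciRecorder:
    """Keeps only the audio frames that arrive while recording is active."""
    max_pause: float = MAX_PAUSE_SECONDS
    paused_since: Optional[float] = None
    kept: List[Tuple[float, str]] = field(default_factory=list)
    log: List[Tuple[float, str, str]] = field(default_factory=list)  # audit trail

    def pause(self, t: float, source: str) -> None:
        # source is where the request came from: "dtmf" (handset key), "screen", "api"
        if self.paused_since is None:
            self.paused_since = t
            self.log.append((t, "pause", source))

    def resume(self, t: float, source: str) -> None:
        if self.paused_since is not None:
            self.paused_since = None
            self.log.append((t, "resume", source))

    def frame(self, t: float, payload: str) -> None:
        # Override: a pause that has exceeded the limit is ended before judging this frame.
        if self.paused_since is not None and t - self.paused_since >= self.max_pause:
            self.resume(t, "override")
        if self.paused_since is None:
            self.kept.append((t, payload))
        # Frames arriving while paused are discarded here, never written anywhere.

def run_call(frames, events, max_pause: float = MAX_PAUSE_SECONDS):
    """Replay frames and control events in time order; an event at the same
    timestamp as a frame is applied first. Returns (kept frames, audit log)."""
    rec = PciRecorder(max_pause=max_pause)
    timeline = sorted([(t, 0, "ev", e) for t, e in events] +
                      [(t, 1, "fr", p) for t, p in frames])
    for t, _, kind, item in timeline:
        if kind == "ev":
            action, source = item
            (rec.pause if action == "pause" else rec.resume)(t, source)
        else:
            rec.frame(t, item)
    return rec.kept, rec.log

# Constructed sample call: one audio frame per second for ten seconds, and the agent
# pressing the DTMF pause key at 2s and the resume key at 5s while card details are read.
CALL_FRAMES = [(float(t), f"audio@{t}") for t in range(10)]
CALL_EVENTS = [(2.0, ("pause", "dtmf")), (5.0, ("resume", "dtmf"))]
```

The audit log records who paused and resumed, and when, which is the evidence an assessor would ask for; the dropped frames leave no trace to protect.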

To find out more information about Retell’s Sense recording platform and PCI Compliance solutions, please Contact Us, or see the information below.

More Information about PCI Compliance