Published: May 04, 2016
Contact centers today must comply with a plethora of requirements, government regulations and best practices to survive in a very competitive industry. So one is tempted to treat the PCI DSS standard as just one more hurdle in the path of successful contact center operations. Nothing could be further from the truth.
PCI DSS and Communications Recording
PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. It was formed in December 2004 and protects credit card holders during the storage, processing and transmission of their personal information. PCI DSS integrates previously separate efforts by five credit card organizations, Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau), to ensure security for their customers.
Communications recording technology plays an integral role in meeting the PCI DSS standard, because recorded customer interactions can intentionally or unintentionally store personal data, increasing the risk of theft by hackers or other nefarious individuals. At the same time, however, communications recording is essential for transaction verification, protection from liability and compliance with government regulations such as Dodd-Frank and MiFID II.
Strategies for Compliance with PCI DSS
Two major strategies are used by communications recording solutions to comply with PCI DSS: encrypting personal data or, even better, not storing it in the first place. Avoiding the storage of data may be accomplished by a communications recording solution configured to mute the audio and exclude credit card input from screen recording. To further protect unintentionally stored data, communications recording solutions may use a variety of measures including:
- Encrypted storage of audio data,
- Encryption of audio transmission to players,
- Port scanners and security threat assessments,
- Virus scanners,
- Deletion of unintentionally recorded credit card information, and
- Central logging of system and security events.
Some of these additional measures are especially critical for CVC data – the supplementary numbers on the back of the card – because the PCI DSS standard treats it as even more sensitive and mandates the avoidance of its storage in the first place.
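The deletion of unintentionally recorded card information and the no-storage rule for CVC data described above also apply to text derived from recordings, such as chat logs and speech-to-text transcripts. The following added example, which is not from the original article or from any recording product, masks Luhn-valid card numbers to their last four digits and removes security codes; the keyword list, the function names and the sample transcript are assumptions constructed for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed keyword list for card security codes; extend for the languages in use.
CVC_RE = re.compile(
    r"\b(cvc2?|cvv2?|security code)\b(\D{0,20}?)(\d{3,4})(?!\d)", re.IGNORECASE
)

# Constructed sample transcript; 4111 1111 1111 1111 is a public test number.
SAMPLE = (
    "Agent: Can I have the card number?\n"
    "Customer: 4111 1111 1111 1111, the security code is 123.\n"
    "Agent: Thanks, your order reference is 1234567890123456.\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub(text: str):
    """Return (scrubbed_text, counts). Counts are safe to write to a central log."""
    counts = {"PAN": 0, "CVC": 0}

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave untouched
        counts["PAN"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_cvc(m):
        counts["CVC"] += 1      # security codes are removed entirely, never masked
        return f"{m.group(1)}{m.group(2)}[REMOVED]"

    text = PAN_RE.sub(mask_pan, text)   # mask card numbers first
    text = CVC_RE.sub(drop_cvc, text)   # then strip codes that follow a keyword
    return text, counts
```

Scrubbing the transcript does not touch the audio or screen capture, which still depend on the muting and exclusion controls described above.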
Specific PCI DSS requirements
Communications recording solutions must address 12 general areas to ensure PCI DSS compliance. These areas, known as control objectives, include topics such as the firewall configuration, system passwords, protection of stored data, encrypted transmissions, anti-virus software, secure systems and applications, computer and physical access, unique IDs, tracking and monitoring, regular testing of security systems and policy education.
To meet them, communications recording solutions should apply secure transmission mechanisms (e.g., HTTPS, SFTP, SSL), support LDAP and two-person integrity logins, use static code analyzers and security scanners, and much more. The ability to create a detailed audit trail is essential to monitor PCI DSS compliance. Other control objectives, such as regularly testing security systems and implementing a security policy for all employees, are solely at the contact center's discretion. Many PCI DSS requirements mandate use of the strategies or measures described above.
In the end, complying with PCI DSS represents a matter of self-interest for contact centers. The hacking and loss of customer data has become all too frequent with massive enterprise-wide implications. PCI DSS provides essential protection to keep the customer happy and is an essential factor in choosing among communications recording solutions.