
CONNECT 13 - Regulatory and PCI Compliance

Nov 01, 2014

What exactly does being PCI compliant mean? This session provides an overview of what being PCI-compliant means, why it’s important and explains the methods CallCopy has deployed to ensure customers attain and maintain compliance. The presentation describes best practices for maintaining your Discover solution after deployment.
Transcript
Page 1: CONNECT 13 - Regulatory and PCI Compliance

Regulatory and PCI Compliance

Eliminating Risk from Call Recording

Jackson Tremaine, Enterprise Solutions Engineer

Patrick Hall, CMO

Page 2: CONNECT 13 - Regulatory and PCI Compliance

PCI Compliance

“PCI DSS represents the best available framework to guide better protection of cardholder data. It also presents an opportunity to leverage cardholder data security achieved through PCI DSS compliance for better protection of other sensitive business data – and to address compliance with other standards and regulations.”

Aberdeen Group, IT Industry Analyst

Page 3: CONNECT 13 - Regulatory and PCI Compliance

PCI Compliance

• PCI bundle benefits
– Enables PCI compliance
– Automatic blackouts prevent SAD recording
– Secure storage and transmission of all audio and video recordings
– Configurable archiving complies with PCI rules
– Control and report on who has access to data

Page 4: CONNECT 13 - Regulatory and PCI Compliance

QSA Validation of Support of PCI DSS

• “Congratulations on the development of a secure and effective workforce optimization solution that effectively eliminates the capture of cardholder data for storage and processing!”
– Dan Fritsche, Director, Application Validation Services, Coalfire Systems

• Download the report at www.uptivity.com/pci

Page 5: CONNECT 13 - Regulatory and PCI Compliance

What Is PCI?

• Payment Card Industry Security Standards Council (PCI SSC) was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa “to enhance payment account data security by driving education and awareness of the PCI Security Standards.”

Page 6: CONNECT 13 - Regulatory and PCI Compliance

PCI and Call Recording

Q: Are audio and video recordings containing cardholder data and/or sensitive authentication data (SAD) included in the scope of PCI DSS?

A: Yes! It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data (including card validation codes and values) after authorization, even if encrypted. It is prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried.

Source: PCI SSC FAQ 5362

Page 7: CONNECT 13 - Regulatory and PCI Compliance

What Is Sensitive Authentication Data?

• For telephone operations, “Sensitive Authentication Data” means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call

Source: Protecting Telephone-based Payment Card Data, PCI SSC

Page 8: CONNECT 13 - Regulatory and PCI Compliance

Defining “Queriable”

• Data that can be retrieved by using a search tool or by issuing a system instruction/task is queriable
• Examples
– Defined searches based on character sets or data format
– Database query functions
– Decryption mechanisms
– Sniffer tools
– Data mining functions
– Data analysis tools
– Built-in utilities for sorting, collating or retrieving data

Source: Protecting Telephone-based Payment Card Data, PCI SSC

Page 9: CONNECT 13 - Regulatory and PCI Compliance

Ensuring SAD Cannot Be Queried

• Methods to render SAD non-queriable
– Removing call recordings from the call recording system
– Taking the call recordings offline
– Vaulting the call recordings
– Enforcing dual access controls to the vaulted call recordings
– Allowing only single call recordings to be retrieved from vaults
– Do not record SAD in the first place!

Source: Protecting Telephone-based Payment Card Data, PCI SSC

Page 10: CONNECT 13 - Regulatory and PCI Compliance

Does PCI DSS Apply to You?

• Are customer payment card details received by phone?
– If so, processing and transmission of cardholder data are in scope for PCI DSS compliance

• Do customer calls contain Sensitive Authentication Data (SAD)?
– If so, call data must be protected in accordance with PCI DSS

Page 11: CONNECT 13 - Regulatory and PCI Compliance

Keys to PCI DSS Compliance

• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Prevent SAD from being recorded

Page 12: CONNECT 13 - Regulatory and PCI Compliance

PCI DSS Requirement #3

• Protect stored cardholder data

• How?

Page 13: CONNECT 13 - Regulatory and PCI Compliance

Uptivity’s Recording Solution

• 256-bit file-level encryption of all stored audio and video files
• Key management
– Ability to rotate and retire keys
– Separation of duties
– Integration with key management systems, such as Thales’ nShield

Page 14: CONNECT 13 - Regulatory and PCI Compliance

PCI DSS Requirement #4

• Encrypt transmission of cardholder data across open, public networks

Page 15: CONNECT 13 - Regulatory and PCI Compliance

Uptivity Recording Solution

• SSL encryption for all client-server communications, both in recording and playback mode

Page 16: CONNECT 13 - Regulatory and PCI Compliance

PCI DSS Requirement #3.2

• Do not store sensitive authentication data after authorization, even if it is encrypted

Page 17: CONNECT 13 - Regulatory and PCI Compliance

Uptivity’s Recording Solution

• Automated blackouts to ensure that sensitive data is not stored in interactions
– By detecting the point in time when SAD is being transmitted, the recording application should be able to pause both the audio and video recording and resume recording after the transmission has been completed

Page 18: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

• Call recording application is configured to detect events on your agents’ workstations

• Recording is automatically paused when sensitive customer information is about to be entered

Page 19: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

(Diagram: Agent Workflow, Database)

Page 20: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

(Diagram: Agent Workflow, Database)

Page 21: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

(Diagram: Agent Workflow, Database)

Page 22: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

Automatically detects SAD information and pauses audio and screen recording while SAD is being transmitted

(Diagram: Agent Workflow, Database)

Page 23: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

Automatically detects SAD information and pauses audio and screen recording while SAD is being transmitted

(Diagram: Agent Workflow, Database)

Page 24: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - Desktop Analytics

Recording is resumed when the SAD is no longer on the agent’s screen

(Diagram: Agent Workflow, Database)

Page 25: CONNECT 13 - Regulatory and PCI Compliance

Achieving Blackouts - API

• Configure payment processing applications to send commands to call recording application

• Recording is automatically paused when sensitive customer information is about to be entered
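As an added example (not Uptivity's code and not the product's API), the pause/resume behaviour the desktop-analytics and API slides describe, modelled as a recorder that discards frames while any blackout trigger is active; the Event names, the handling of overlapping desktop and API triggers, and the fail-closed end-of-call behaviour are assumptions:

```python
# Added example, not Uptivity's code; Event names and trigger semantics are assumed.
from dataclasses import dataclass, field
from enum import Enum

class Event(Enum):
    FRAME = "frame"          # audio/screen frame arriving from the call
    SAD_START = "sad_start"  # trigger: SAD about to be entered/transmitted
    SAD_END = "sad_end"      # trigger: SAD no longer on the agent's screen
    CALL_END = "call_end"

@dataclass
class BlackoutRecorder:
    """Stores frames only while no trigger is active; triggers are counted so
    overlapping desktop and API signals cannot resume recording too early."""
    stored: list = field(default_factory=list)
    depth: int = 0        # currently active blackout triggers
    closed: bool = False  # set at CALL_END; nothing is captured afterwards
    dropped: int = 0      # audit counter: frames discarded, never written anywhere

    def handle(self, event, payload=None):
        if event is Event.SAD_START:
            self.depth += 1
        elif event is Event.SAD_END:
            self.depth = max(0, self.depth - 1)  # tolerate an unmatched END
        elif event is Event.FRAME:
            if self.depth > 0 or self.closed:
                self.dropped += 1  # not stored, hence not queriable later
            else:
                self.stored.append(payload)
        elif event is Event.CALL_END:
            self.closed = True  # fail closed: stray late frames are dropped

def record_call(events):
    rec = BlackoutRecorder()
    for ev, payload in events:
        rec.handle(ev, payload)
    return rec

# Constructed sample call: desktop trigger fires first, the API trigger overlaps it.
SAMPLE_CALL = [
    (Event.FRAME, "hello, how can I help"),
    (Event.SAD_START, None),                     # cursor enters CVV field
    (Event.FRAME, "card ending 1111, cvv 123"),  # must not be stored
    (Event.SAD_START, None),                     # payment-app API signals too
    (Event.SAD_END, None),                       # API done; SAD still on screen
    (Event.FRAME, "reading back the code"),      # still blacked out
    (Event.SAD_END, None),                       # screen cleared: resume
    (Event.FRAME, "thanks, payment went through"),
    (Event.CALL_END, None),
]
```

Counting triggers rather than treating them as a boolean is what keeps the recording paused when one source (here the API) reports completion before the other (the agent's screen) does.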

Page 29: CONNECT 13 - Regulatory and PCI Compliance

Additional Resources

web | www.uptivity.com
phone | 888.922.5526
email | [email protected]/pci