Executive Briefing on PCI Compliance

Transcription

1 Executive Briefing on PCI Compliance 3 rd March 2011 Ashley Unitt, CTO, NewVoiceMedia

2 What is PCI DSS? Payment Card Industry Data Security Standard developed to help reduce fraudulent transactions States that credit card data should be handled and stored in such a way that the information required to make a purchase is not accessible after the purchase has been made Implications for non-compliance: Merchants can be penalised up to $200,000/ 125,000 per breach plus $25/ 16 per account reissued, and have their services suspended Damage to reputation, brand and adverse PR which can have a long term impact on customer confidence Cost of the fraud

3 Why is telephone card payment security important? Chip & PIN has been the main fraud reduction driver in face-to-face transactions, and Verified by Visa has helped in the e-commerce sector But, there remains a limited amount of solutions that can fight fraud in the Mail Order/ Telephone Order (MOTO) space The FSA and other regulatory bodies across Europe require some companies to record and store telephone conversations in a range of situations The PCI DSS, however, stipulates that the CVV2 (Credit Card Validation Value) cannot be kept post-authorisation, and full Personal Account Numbers (PANs) cannot be kept without further protection measures Therefore, there is a risk that organisations who take customer credit card details over the telephone may be recording the full cardholder details, and therefore be in contravention of the mandatory requirements of the PCI DSS Source: Call Recording Fact Sheet UK May 2010

4 Achieving PCI Compliance How do breaches occur? Agent fraud when processing card payments over the phone Recordings of the call may be accessed divulging card information Homeworkers may operate in less secure environments How can breaches be avoided? re-engineer the business process to automate the credit card transaction and remove agents from the payment process Suspend call recording for credit card transactions to ensure card details are not accessible Implement a mid-call IVR to automatically collect card payments with the option for secure agent assistance Never let cardholder details get on to a customer s site

5 Who are NewVoiceMedia? Established 10 years, serving 300 customers in 11 countries ContactWorld platform launched in 2006 to provide a cloud based business telephony solution Stable % service delivered from 3 UK data centres Processed over 90 Million Calls in 2010 Partnerships with BT, salesforce.com, China Telecom

6 What do we do? NewVoiceMedia delivers cloud-based technology that offers enterprise class business telephony at a fraction of the cost of traditional systems Smaller businesses take advantage of a sophisticated telephony solution that identifies callers, prioritises and routes them effectively Larger companies operating a call centre benefit from a more flexible system that doesn t require specialist expertise or months to implement or adapt.

7 NewVoiceMedia Solutions Cloud Contact Centre Solution ACD, IVR, CTI, Call Recording and Management Information Available as Pay as you go service Full CTI integration into Salesforce CRM Provides a single, seamless view of all customer interactions Innovative dynamic routing of calls on Salesforce data PCI DSS compliant payment system for contact centres Mid-call IVR securely collects card payments Removes opportunities for fraud

8 Some of our Reference Customers

9 ContactWorld PCI NewVoiceMedia are a validated Level 1 PCI DSS service provider Makes PCI DSS compliance a lot easier by reducing our customer s PCI DSS scope Can be simply added to existing call centre infrastructures and, unlike the alternatives, doesn't come with a hefty price tag Links directly to the payment gateway companies to speed up transaction processing Reduces the opportunities for fraud NewVoiceMedia technology is currently processing approximately 100K/day in payments

10 NewVoiceMedia Architecture Customers PSTN NewVoiceMedia ContactWorld NewVoiceMedia Data Centres NewVoiceMedia ContactWorld PCI PSTN Traffic PSTN SSL/HTTPS Payment Gateway WorldPay WWW PSTN or VoIP Client Officers PBX SSL/HTTPS Firewall Router Virtual Teams Homeworkers & DR LAN

11 How Does a Mid Call IVR work? Client Public Telephone Network Agent No Data Network

12 Summary Anyone who takes credit card payments needs to be PCI DSS compliant With the advent of chip and PIN and 3D Secure more fraud switching to telephone based transactions Solutions such as ContactWorld PCI that provide tokenisation of card holder data are the way forward View a demo of ContactWorld PCI: