AheevaCCS and the Payment Card Industry Data Security Standard

Transcription

1 Account Data PCI DSS White Paper by Aheeva, January 2012 AheevaCCS and the Payment Card Industry Data Security Standard Introduction In 2006, the major payment brands including American Express, MasterCard Worldwide, Visa Inc. Discover Financial Services, and JCB International, formed the Payment Card Industry (PCI) Security Standards Council (SSC), a global forum whose mission is the development and management of the PCI Security Standards, including the Data Security Standard (DSS). In March 2011, the council released the document Information Supplement: Protecting Telephone-based Payment Card Data specifically targeting merchants handling credit card data such as call centres. Call centres are often required by regulatory bodies to record and store telephone conversations, thus it becomes mandatory for them to comply with the PCI DSS guidelines. What exactly are the PCI DSS guidelines for Voice Recordings? Simply put, it is a direct violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted. Therefore, digital audio and video recordings can not store CAV2, CVC2, CVV2 or CID codes after authorization. On the other hand, the primary account number (PAN) can be stored only if made unreadable by encryption or truncation and controlled access. The following table taken from the Information Supplement document, summarizes these guidelines: Cardholder Data Sensitive Authentication Data* Data Element Primary Account Number (PAN) Storage Permitted Yes Render Stored Account Data Unreadable per Requirement 3.4 Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Full Magnetic Stripe Data No Cannot store* CAV2/CVC2/CVV2/ CID No Cannot store* PIN/PIN Block No Cannot store* Page 1

2 In a call centre performing credit card transactions, the customer will most likely give his PAN to the agent by phone. The recordings of these calls must be treated in the same secure way as database storage or simple text files containing cardholder data. PCI DSS allows encryption and storage of the data if the appropriate security guidelines are respected. Access to encryption keys must be granted to the fewest number of custodians possible because those who obtain access will be able to decrypt data. On top of this comes a heavy and strict management process of encryption keys from their generation to their storage, distribution, replacement, and destruction. While technically feasible, this represents a heavy and complex work load and requires specialized resources. Luckily it is possible to eliminate this risk of non-compliancy by taking the audio and video recordings out of the scope of PCI DSS. This can be done by simply avoiding the recording of the PAN. For obvious reasons the same approach must also apply to the card validation codes since they can not be stored under no circumstances, encrypted or not. This is where AheevaCCS comes into play. AheevaCCS and PCI DSS Aheeva adapted its solution for call centres in order to help achieve PCI DSS compliancy by offering two possible ways to avoid having card numbers and validation codes stored in audio and video recordings. The two approaches are not mutually exclusive. Call centre operations can decide to use either one depending on their business need and operations procedures. The first approach mutes the recording and resumes it after some time. The second approach requests customers to enter the numbers using the keypad on their telephones. The following two sections explain in detail the two available options. Muting and resuming recording Muting the recording requires that the agent manually clicks on a button on the StarPhone, the Aheeva s softphone. Before prompting the customer for credit card information, the agent must click on the button. This action triggers an event that halts the audio and video recording for a pre-configured time. Page 2

3 When pressed, the look of the button changes to indicate that the recording has been halted and a countdown timer appears to signal how much time is left before the recording resumes automatically. At any time, while muted, the agent can click again on the button to resume recording the call. AheevaCCS allows the supervisor to configure this functionality per Agent Group. The Supervisor can specify whether the button is enabled on the agents softphone, whether recording resumes automatically or not, and the maximum mute time before an automatic resumption. Page 3

4 Customer DTMF input The second approach consists of having the customer himself entering the PAN and possible verification code directly using the keypad on his telephone. The following shows a step by step of the procedure: The agent expands the list of attached data on his softphone and adds a new variable of type Credit Card, CVV, Expiry Year, or Expiry Month. These four types are already pre-defined in the Aheeva StarPhone so the agent can easily choose the desired one. Page 4

5 Once one of these pre-defined entries is created, a pre-recorded message will get played automatically to the customer prompting him to enter the number by pressing the DTMF keys on his telephone keypad. The playback of this message is optional and can be skipped should the agent ask the customer for the information himself. When the customer enters the DTMF sequence, AheevaCCS detects the keys pressed and automatically populates the Credit Card and CVV fields. The agent does not hear the tones and the sequence entered is masked in the selected field. This keeps the audio and video recordings from containing the information and storing it. Page 5

6 After the customer enters the PAN, the StarPhone validates the sequence entered using the Luhn algorithm and length validation. If successful, then the entry is accepted. If not, the agent will notify the customer who can then try again. Once the customer finishes entering the numbers and they get validated correctly, the agent presses a button to copy the content of the fields to the local clipboard, giving him the possibility to paste the information into a payment processing application without having to hear it, see it or re-enter it. Since the payment processing application is usually a third party application, we have no control over its behaviour and most likely it will display the PAN and verification code in clear. In order to avoid having the numbers recorded in the video after they get copied to the payment application fields, the Aheeva StarPhone automatically sends a control signal to pause the video recording as soon as the agent clicks on the Copy button. The video recording remains paused for a pre-defined time, giving the agent enough time to paste the data and process the transaction. Aheeva Form Builder The Aheeva Form Builder is a friendly tool integrated into the Aheeva Manager that allows the user to build web forms that can pop-up on the agents desktop upon reception of a call. The Aheeva Form Builder offers a new block of elements called Payment Card. This group of elements could be used for capturing the PAN and the verification code. A Payment Card block comprises the following elements: Combo box, listing the types of payment cards : American Express, MasterCard, Visa Primary Account Number, formed of: o Text element: For the first 6 numbers that should be shown o Masked text element: Variable length depending on payment card type o Text element: For the last 4 numbers that should be shown Masked text element for the PIN List box element for the Expiry Month List box element for the Expiry Year Button: Mute/Continue, to pause and continue recording after all the fields are filled Initially all fields are disabled. Upon pressing the Mute button on the form, a control message is sent to an agent s softphone to mute the audio and video recording. Once a confirmation is received that the StarPhone muted the recording, all the fields get enabled. This mechanism guarantees that the agent will not start entering the information while the recordings are still active. Page 6

7 Upon pressing the Resume button, a script validates the PAN entered using the Luhn algorithm and length validation. If successful, all the fields are disabled, and a control message is sent to the StarPhone to resume audio and video recording. The forms created using the Aheeva Form Builder can present the elements to capture the credit card information but they have to be customized to include the code to process the payment transaction with a payment service. By default, the Aheeva forms do not store the sensitive data in the database. The client/user can choose otherwise and customize the form to do so, but he has to be aware of the consequences and implications of doing so as not to violate the PCI DSS Requirement 3.2. Quality Monitoring Using the Aheeva Manager, a web-based configuration and management application, a supervisor can retrieve the recordings list using different criteria. The fetched list shows the number of times a recording had been muted by the agent. The supervisor can then click on that number and a new window pops-up that will show him when that event took place and how long did it last. This allows supervisors to make sure that agents use the new mechanism properly and correctly and do not over use it. Page 7

8 Summary The main objective of PCI DSS is to help merchants put in place the procedures and best practices to minimize the risk of credit card fraud and protect the personal information of cardholders. The scope of work for a call centre to become compliant to PCI DSS is much larger than muting the recordings and encrypting stored data. Often a drastic shift in operations and procedures is necessary along with a serious commitment from all levels in the organization, and the will to invest time and money in order to achieve compliancy. On top of this, the biggest challenge is not in attaining compliancy, but in keeping it year after year. It s expected the biggest challenge won t be in achieving compliancy, but ensuring the standard is maintained. Sooner or later, all merchants processing credit card transactions, especially over the telephone, will be required by the credit card companies to comply with PCI DSS. Aheeva with its AheevaCCS solution had developed a flexible and reliable tool to help call centres take a significant step towards being compliant with the PCI DSS requirements. Aheeva is committed to always offering the best possible solution to ensure the confidentiality and security of sensitive data. The culture and values of Aheeva ensure that the AheevaCCS will continue evolving and uncover better ways to make it the solution of choice for call centres seeking compliancy. Page 8