Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard


August 2014

Table of Contents
Introduction
PCI Data Security Standard
A Secure Avaya Quality Monitoring Solution
Supporting PCI Readiness
Learn More

Introduction

This document describes the solution Avaya recommends to help Avaya Aura Workforce Optimization Quality Monitoring customers achieve compliance with the Payment Card Industry (PCI) Data Security Standard version 3. It is also relevant to customers who wish to secure sensitive information irrespective of PCI.

It is important to note that, since Avaya is not a payment processor and Avaya Quality Monitoring is not a payment processing application, neither Avaya nor Avaya Quality Monitoring can be certified as PCI compliant. In general, only organizations or applications that process credit card transactions can be so certified. This document represents Avaya's opinion and guidance, and in no way represents a guarantee that any customer or other entity following this course of action will achieve PCI compliance. Only customers, relying where applicable on sources from the PCI Security Standards Council or PCI Qualified Security Assessors (QSAs), are able to make this judgment.

PCI Data Security Standard

Data security has become increasingly important with the popularity of e-commerce. Publicized losses of storage media containing customers' payment card data have led to concerns about the security of personal data and to the need for standardized data security policies in the payment card industry. In response to these concerns, a Payment Card Industry (PCI) Data Security Standard (DSS) was released in December 2004 by Visa, based on the initiatives of Visa's CISP (Cardholder Information Security Program) and MasterCard's SDP (Site Data Protection) program.

The PCI DSS was most recently revised (v3.0) in August 2013 by the PCI Security Standards Council. The PCI Security Standards Council is a Limited Liability Corporation (LLC) chartered in Delaware, USA. The council was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The PCI standard defines 12 data security requirements ranging from technology implementations and security policies to environment configurations. These requirements outline how companies must comply with the PCI standard.

avaya.com

A Secure Avaya Quality Monitoring Solution

Avaya Quality Monitoring is part of the Avaya Aura Workforce Optimization solution. Avaya Aura Workforce Optimization solutions are typically deployed internally to manage and optimize the business operations of contact centers or to help meet regulatory compliance. This document describes, and is limited to, the security features and the PCI readiness of Avaya Quality Monitoring R12.

Overview of Avaya Quality Monitoring R12

The primary functions of the Avaya Quality Monitoring solution include replay and evaluation of interactions between contact center agents and customers. These interactions can be recorded as telephone audio data, telephony and contact metadata, screen images of agents' desktop PCs, and data captured from the interactive voice response (IVR) system, such as customer account information. The recorded interactions may contain personal payment card information. Therefore, as an integrated part of a company's contact center operations, Avaya Quality Monitoring provides security options to help our customers with PCI compliance.

The Avaya Quality Monitoring solution leverages the Avaya Contact Recorder to record telephone calls, by analyzing computer telephony integration (CTI) events received from telephony switches or by processing call control messages, as well as audio data received either on network adapter cards or PC voice cards. Screen images of agents' desktop PCs may be recorded by deploying Screen Capture modules on the agents' desktop PCs to capture the screen images and transfer them to recorder servers. In addition, the Avaya solution can archive the recorded data on various storage devices and retrieve recorded data. An overview of typical Avaya Quality Monitoring components is provided below.

Figure 1. Overview of Avaya Quality Monitoring with optional encryption solution

Avaya Quality Monitoring components consist of a set of logical servers, which can be deployed on a single machine or on multiple machines in a large enterprise environment. These servers can also be deployed in the form of clusters to scale with the size of an enterprise's systems. These servers include:

- Avaya Contact Recorder: Its primary functions include interfacing with the enterprise's telephony infrastructure, translating CTI events, consolidating metadata to databases, and instructing recorders to record calls based on configured business rules.
- Key Management Server (KMS): Its primary functions include generating, supplying, and managing symmetric encryption keys for components of the Avaya Quality Monitoring solution. This is a third-party software application provided by RSA, the Security Division of EMC.

Platform Requirements of Avaya Quality Monitoring

The following platforms and versions of third-party software are required by Avaya Quality Monitoring to fully achieve PCI readiness.

Operating System:
- Framework/QM: Microsoft Windows 2008 Server R2
- KMS Server: Microsoft Windows 2008 Server R2
- Avaya Contact Recorder: Microsoft Windows 2008 Server R2 or RHEL 6

Database:
- Framework/QM or KMS Server: Microsoft Windows 2008 Server R2
- Avaya Contact Recorder: Microsoft Windows 2008 Server R2 or RHEL 6

Key Management:
- RSA Key Manager 2.x

Overview of Security Features of Avaya Quality Monitoring

Avaya Quality Monitoring provides a rich set of security enhancements designed to protect the recorded data, which might contain a customer's payment card information, and the authentication parameters used by applications within the recording system. These enhancements provide security options including:

- Access control and audit
- Encryption of recorded data on all storage devices used by the recording systems, using strong cryptographic algorithms such as the AES256 encryption algorithm and the RSA Key Manager module
- Encryption of recorded data when transmitted over the network
- Encryption of authentication parameters persisted on file systems
- Ability to pause and resume recording of sensitive content from an external source, such as an application running on the agent desktop
- Ability to configure all authentication account credentials
- Ability to encrypt all application administration commands and data in transit
- Documentation of a minimum list of services and protocols necessary for recording systems
- Identification of the Microsoft Windows services/privileges, protocols, and ports that are required to install or run applications of Avaya Quality Monitoring. This includes operating successfully in locked-down environments based on a number of published security benchmarks
- Audio received from the full-time recording systems protected through the use of the HTTPS secure protocol

Supporting PCI Readiness

PCI compliance relates to data security compliance of the entire business operation of companies that handle customer payment card information. In addition to requirements on security technologies, a large portion of the PCI requirements concerns what security policies and procedures these companies, which are required to be PCI compliant, should have in place and how they should enforce these policies.

Avaya Quality Monitoring is deployed as a software solution, as part of contact center business operations, to internally monitor service quality. The solution and the derived services are owned and operated by the contact centers. Therefore, the PCI compliance requirement on an enterprise's business operations is translated into security feature requirements on Avaya Quality Monitoring. In other words, to help enterprises achieve security and PCI compliance, we provide flexible security features that allow them to configure and operate the solution based on the policies specified by the compliance standards.

This document describes the security features of Avaya Quality Monitoring against each PCI requirement, focusing on those PCI requirements that are relevant to the operations of Avaya Quality Monitoring. In a few cases, security features against several related PCI requirements are described within the same context to avoid redundancy.

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Avaya Quality Monitoring is deployed as a system component in a contact center's business operation system, and does not contain network components as defined by PCI DSS. It is, therefore, an enterprise's responsibility to install, configure, and maintain proper firewalls in its networks to meet PCI requirements.

Avaya Quality Monitoring is typically utilized, as part of the contact center's business operations, to internally monitor service quality and/or to meet regulatory compliance. It is typically deployed within a contact center's internal networks, as shown in Figure 1. No servers of Avaya Quality Monitoring should be placed in any demilitarized zone (DMZ). The Web-based configuration and replay applications of Avaya Quality Monitoring are intended for contact center administrators, supervisors, and/or auditors to configure the recording systems and/or to access recorded data within the contact center's internal networks or via secure connections, such as a Virtual Private Network. Configuration and replay applications are not accessible to contact center customers, and are not accessible directly from the Internet.

Inter-server communications of Avaya Quality Monitoring use standard HTTP (HTTPS), TCP, and UDP protocols. All communications containing recorded audio or video data can be secured either using AES256 encryption or standard HTTPS technologies. The standard TCP protocol, without the option of using SSL, is used only for transmitting recording control commands and metadata associated with the recorded calls. Recording control commands and associated metadata do not contain any customer-sensitive data. This is further explained in the section for PCI Requirement 4.

Avaya Quality Monitoring provides the flexibility to deploy application servers, including database servers and Web servers, either on a single machine or on separate machines. Communications between the components of Avaya Quality Monitoring over the network are all IP-based. Therefore, application servers of Avaya Quality Monitoring can be deployed in different internal zones of an enterprise's networks based on PCI or other security requirements.

Avaya Quality Monitoring applications do not use services/protocols that are commonly considered insecure, such as Telnet or FTP. Enterprises can choose to remove or disable all unnecessary and insecure services and protocols based on their selected security benchmarks.

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Avaya Quality Monitoring Recording provides organizations with the option to change all default account login credentials set at installation time. These include:

- Windows system accounts used by applications for authentication
- Database user accounts
- Administrative user accounts

Avaya Quality Monitoring provides documentation on the Microsoft Windows services/privileges, protocols, and ports that are necessary to install and run applications of the recording systems. Avaya Quality Monitoring R12 also provides users with an option to secure all non-console administrative access using standard SSL/TLS technology.

PCI Requirement 3: Protect stored cardholder data

Avaya Quality Monitoring provides an option to encrypt all the recorded data persisted on any storage devices used by the recording system with a strong encryption algorithm such as AES256. This includes the metadata as well as the recorded media data. Storage devices include:

- Fixed hard drives
- Clustered or networked storage devices such as SAN

Avaya Quality Monitoring also leverages RSA's Key Manager software to generate and manage all encryption keys for encrypting stored data. RSA, the Security Division of EMC, is a leader in the data security industry. RSA's Key Manager software provides centralized key management with functions including:

- Generating strong (256-bit) symmetric encryption keys
- Securely distributing keys to applications by using mutually authenticated SSL connections
- Providing optional local key caching
- Storing keys in encrypted form in the database
- Protecting master encryption keys by using a master password. We strongly recommend that our customers split the master password into subwords and that these be maintained by different security administrators

- Changing keys periodically based on the key policies. We recommend that a single encryption key be used for no longer than 24 hours
- Managing the deletion of compromised keys
- Providing failover solutions

The RSA Key Manager process is fully documented in its User Guide.

Avaya Quality Monitoring also utilizes the Microsoft Windows 2008 Server Encrypting File System (EFS) feature to secure transitional and temporary data generated and used by replay applications. This data is typically used during trans-coding and/or stitching of recorded data, and needs to be stored in file systems only for the time when the associated calls are being replayed.

We also recommend that contact center system/security administrators enable and lock down the advanced security settings of Microsoft Windows Internet Explorer listed in Table 1 on all PCs in the domain, using the domain controller's group policies. This helps ensure that the recorded data remains encrypted even on supervisors' PCs.

Table 1. Recommended Advanced Internet Explorer Security Settings

Advanced Security Setting                                      | Recommended Value
Do Not Save Encrypted Pages to Disk                            | Enable
Empty Temporary Internet Files Folder When Browser is Closed   | Enable

PCI requirement 3.2 states, "Do not store sensitive authentication data subsequent to authorization (even if encrypted)." The requirement further defines the sensitive authentication data as the full contents of any track from the magnetic stripe and the card-validation code. This requirement can present a concern for users of quality monitoring applications, such as those in Avaya Quality Monitoring. In February 2010, the PCI SSC provided updated guidance on this topic in the form of the following question and answer:

Question: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

Answer: This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands). It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings. Where technology exists to prevent recording of these data elements, such technology should be enabled.

This is only a portion of the statement, and Avaya strongly recommends that customers who record calls containing card validation code data review the entire question and answer with their legal advisor. This can be found at under the FAQ section (search on "call center").

For enterprises with operations that involve sensitive authentication parameters such as the Card Verification Code / Card Security Code, and that wish not to record this sensitive data, Avaya Contact Recording provides an integration interface that allows users to instruct recorders to pause the audio and screen recordings while this information is spoken. With proper integration, this feature can be used to avoid recording sensitive authentication data such as the card security code when necessary. On playback, this function will sound to the user very much like a momentary muting of the audio recording with an overlaid audible tone, and a temporary blackout of the screen recording. The use of pause/resume will not split the call into multiple segments but will retain the call as a single file. There are three ways to invoke this pause/resume functionality:

a. Automatic via desktop activity: The Advanced Desktop Analytics (DPA) solution can detect application events that occur on the employee desktop to fire triggers that may be used to control voice and screen recordings, or to tag recorded interactions with relevant data like account number or other personal information, and can be used to trigger the muting of the recording. To ensure that the desktop application can use DPA triggers, it is mandatory that a DPA Desktop Validation Test is carried out to make sure that it can capture and correctly trigger on the appropriate events to pause and resume recording. DPA allows desktop triggers to be configured to send specific events, including the Pause and Resume events, to the recorder.

b. Automatic via direct API integration: Payment processing applications may be controlled via the external control API. In this scenario, the payment processing application issues a pause command when the agent reaches a particular stage in the payment processing application (e.g., when clicking on or bringing into focus the CVV field). At this point, the agent asks for the CVV information, the caller speaks it, and the agent types it in. The payment processing application then issues the resume command (e.g., after the final digit is keyed or the information is submitted), and the audio and screen recordings resume.

c. Manually by the agent: Agent Initiated Monitoring (AIM) is a desktop application that operates on the agent's desktop to provide additional tagging and call control. AIM has been modified to allow agents to manually control muting of the recording. If the manual method of using AIM is to be used, it must be done as part of the whole PCI DSS audit and have full approval of the auditors. Due to the manual nature of this option, it is typically not the recommended path to compliance.

Avaya Quality Monitoring does not encrypt metadata associated with the recorded audio or video interactions in the databases. This is because Avaya Quality Monitoring currently stores only metadata that is necessary to search, re-construct, and replay these interactions. Avaya Quality Monitoring does not rely on the content of the recorded interactions to perform these operations, and therefore does not need to store cardholders' personal information or other customer-sensitive information as metadata in the databases. For those enterprises that include customer-sensitive information such as Social Security Number or taxpayer ID in the CTI tagging, Avaya Quality Monitoring can be configured to filter out sensitive information received from the CTI integration interfaces, preventing it from being consolidated into the metadata databases of the recorder.

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks

Users of Avaya Quality Monitoring can choose to enable an "SSL Only" option via the Enterprise Manager's user interface. When this option is enabled, all communications over the network that might contain customer-sensitive data or application authentication parameters are secured by standard SSL technology with a minimum of 128-bit keys or by standard AES256 encryption. With the SSL Only option enabled, server applications of Avaya Quality Monitoring either block non-SSL communications or redirect non-SSL communications to SSL ports. Avaya Quality Monitoring also utilizes the default security features of SQL Server 2008 to encrypt database user account login credentials while they are transmitted over the network.

Avaya Quality Monitoring currently does not provide secure communications between Recorder Controllers and Recorders. This is because the data involved in these communications is either recording control commands or events/metadata associated with the interactions to be recorded. Avaya Quality Monitoring does not rely on the content of the recorded interactions to perform necessary operations. The solution can be configured to filter out sensitive information received via the CTI integration interfaces of the Recorder Controllers, preventing it from being further communicated into the rest of the recorder.
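The two controls described above, the external pause/resume of recording around the moment a card security code is spoken (Requirement 3, method b) and the filtering of sensitive CTI tags before they reach the metadata database (Requirements 3 and 4), are shown below as an added, self-contained simulation. This is example code written for this page, not Avaya's or RSA's code; the class and function names, the tone and blackout marker bytes, the deny-list of tag names, and the sample call are all constructed for the illustration. The page names only the "external control API" and the Pause and Resume events. The tag filter also drops any tag whose value looks like a US Social Security Number, which goes slightly beyond the page's name-based filtering.

```python
"""Added example (not Avaya code): a simulated recorder with external
pause/resume, plus a CTI tag filter applied before metadata consolidation."""
import re
from dataclasses import dataclass, field

TONE = b"\x7f" * 4    # constructed stand-in for the overlaid audible tone
BLACK = b"\x00" * 4   # constructed stand-in for a blacked-out screen frame


@dataclass
class Recorder:
    """One call recording. Pausing never splits the call: both streams stay
    single continuous frame sequences, with substitute frames while paused."""
    call_id: str
    audio: list = field(default_factory=list)
    screen: list = field(default_factory=list)
    paused: bool = False
    pause_count: int = 0

    # External control API (hypothetical method names).
    def pause(self) -> None:
        if not self.paused:
            self.paused = True
            self.pause_count += 1

    def resume(self) -> None:
        self.paused = False

    # Capture path: substitute rather than skip frames while paused, so the
    # playback timeline is preserved and the gap is audible/visible.
    def capture(self, audio_frame: bytes, screen_frame: bytes) -> None:
        if self.paused:
            self.audio.append(TONE)
            self.screen.append(BLACK)
        else:
            self.audio.append(audio_frame)
            self.screen.append(screen_frame)

    def contains(self, needle: bytes) -> bool:
        """True if any stored audio frame contains the given bytes."""
        return any(needle in frame for frame in self.audio)


# Constructed deny-list of CTI tag names that must never be consolidated.
SENSITIVE_TAGS = frozenset({"ssn", "taxpayer_id"})
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def filter_cti_tags(tags: dict, deny: frozenset = SENSITIVE_TAGS) -> dict:
    """Drop deny-listed tag names (case-insensitive) and any tag whose value
    matches an SSN pattern, before the tags reach the metadata database."""
    return {k: v for k, v in tags.items()
            if k.lower() not in deny and not SSN_RE.match(str(v))}


def simulate_payment_call() -> Recorder:
    """Constructed call: the payment application issues Pause when the CVV
    field gets focus and Resume after the last digit is keyed."""
    rec = Recorder(call_id="call-0001")
    for frame in [b"hello", b"card ending 1234", b"cvv?"]:
        rec.capture(frame, b"screen:form")
    rec.pause()                            # CVV field focused
    for frame in [b"9", b"8", b"7"]:       # caller speaks CVV, agent types it
        rec.capture(frame, b"screen:cvv=987")
    rec.resume()                           # final digit keyed
    rec.capture(b"thanks", b"screen:form")
    return rec


if __name__ == "__main__":
    rec = simulate_payment_call()
    print(rec.call_id, "frames:", len(rec.audio), "tone frames:", rec.audio.count(TONE))
    print(filter_cti_tags({"ANI": "5551212", "SSN": "123-45-6789", "Account": "A-77"}))
```

The check a practitioner wants after integrating the pause command is the one `contains` performs: search the stored media for the spoken digits and confirm they are absent while the call remains one file with its full timeline.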

Avaya Quality Monitoring does not directly use any wireless networks or wireless networking technologies.

PCI Requirement 5: Use and regularly update anti-virus software or programs

Although enterprise system/security administrators are responsible for using and regularly updating anti-virus software, applications of Avaya Quality Monitoring have been tested against the most commonly used anti-virus software. These software programs include:

- McAfee
- Norton

PCI Requirement 6: Develop and maintain secure systems and applications

The software has been written using best industry practices in software development. These include:

- Established and structured software development and QA processes
- Separation of development and QA duties and environments
- Adherence to change control procedures for system and software configuration changes, using ONYX and Rational ClearCase software
- Adoption of OWASP's Guide to Building Secure Web Applications and Web Services as a guideline for developing Web-based applications
- An established process for reviewing developed code against well-known attacks and newly discovered vulnerabilities

PCI Requirement 7: Restrict access to cardholder data by business need-to-know
PCI Requirement 8: Assign a unique ID to each person with computer access

Requirements 7 and 8 are specifically about processes and policies that enterprises must execute and maintain in order to be in compliance with PCI DSS. They do not apply specifically to Avaya Quality Monitoring.

PCI Requirement 9: Restrict physical access to cardholder data

Access control to the recorded data is implemented at multiple layers in Avaya Quality Monitoring to help ensure maximum protection. The first layer of access control is implemented at the operating system level. We recommend that enterprise security/system administrators do the following:

- Restrict access by setting up user accounts on servers in recording systems based on users' need to know, and set the default policy to deny all.
- Enable Microsoft Windows 2008 Server account and password policies on all user accounts based on the recommendations in Requirement 8.

The second layer of access control is implemented at the application administration user interface level. The Enterprise Manager not only supports role-based user accounts to achieve separation of duties; it also provides options that allow security/system administrators to set account and password policies to meet the requirements detailed in PCI requirement 8.5. This includes:

- Lockout of inactive accounts
- Lockout of accounts after a configurable number of failed access attempts
- Password length and complexity
- Periodic password change

All user access requires user/password authentication. All authentication parameters are always encrypted while persisted on any storage devices. All authentication parameters are encrypted while transmitted over the network if the SSL option is enabled.

The third layer of access control to recorded data is the encryption of recorded data. By encrypting all the recorded data stored anywhere in the system, Avaya Quality Monitoring impedes physical access to the recorded data by making it unreadable without authorized access to the encryption keys. The RSA Security Key Manager module, utilized by Avaya Quality Monitoring for key management, provides further protection by restricting encryption key access to authorized applications only. By utilizing its core ClearTrust module, RSA Security Key Manager's separation-of-duties feature supports the separation of system administration from encryption key management. It can further restrict access to encryption keys at the key class level for each key administrator.

PCI Requirement 10: Track and monitor all access to network resources and cardholder data

Similar to access controls, Avaya Quality Monitoring provides multiple layers of audit trails to monitor access to recorded data as well as configuration data. The recorded audit trails are stored in the Audit Database and are not editable by any users. Avaya Quality Monitoring provides audit trails of user events. These include:

- Access to configuration parameters
- Access to audit logs
- Reporting of invalid logical access attempts
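The key lifecycle that the Requirement 3 list describes (a single key used for no longer than 24 hours, keys stored in encrypted form, deletion of compromised keys) is what makes the third access-control layer above work: a recording is only readable by someone who can reach the key that protected it. The following added example, written for this page and not taken from Avaya or RSA Key Manager, shows that lifecycle end to end: each recording is stored with the id of the data key that protected it, a new key is issued once the current one is 24 hours old, keys are held wrapped under a master key, and deleting a compromised key makes the recordings under it unreadable rather than silently returned. All names are hypothetical. The byte-level cipher is an HMAC-SHA256 counter keystream, used only because it needs no third-party library; it stands in for the AES256 the product uses and carries no authentication tag.

```python
"""Added example (not Avaya/RSA code): data-key rotation, wrapped key
storage and compromised-key deletion, with a keystream stand-in for AES256."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

KEY_LIFETIME = timedelta(hours=24)   # a data key is used for at most 24 hours


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES256;
    unauthenticated, so the structure is the lesson, not the cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManager:
    """Issues 256-bit data keys, rotates them after KEY_LIFETIME and keeps
    them only in wrapped form under the master key."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._wrapped = {}   # key_id -> (wrap nonce, wrapped key bytes)
        self._issued = {}    # key_id -> issue time (kept even after deletion)
        self._current = None

    def current_key(self, now: datetime) -> tuple:
        kid = self._current
        if kid is None or now - self._issued[kid] >= KEY_LIFETIME:
            kid = f"key-{len(self._issued) + 1:04d}"
            raw, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
            self._wrapped[kid] = (nonce, keystream_xor(self._master, nonce, raw))
            self._issued[kid] = now
            self._current = kid
        return kid, self._unwrap(kid)

    def _unwrap(self, kid: str) -> bytes:
        nonce, wrapped = self._wrapped[kid]
        return keystream_xor(self._master, nonce, wrapped)

    def key_for(self, kid: str) -> bytes:
        if kid not in self._wrapped:
            raise KeyError(f"{kid} was deleted as compromised or never existed")
        return self._unwrap(kid)

    def delete_compromised(self, kid: str) -> None:
        self._wrapped.pop(kid, None)
        if self._current == kid:
            self._current = None   # force a fresh key on next use


class RecordingStore:
    """Stores each recording with the id of the data key that protected it."""

    def __init__(self, km: KeyManager):
        self.km = km
        self.items = {}   # call_id -> (key_id, nonce, ciphertext)

    def put(self, call_id: str, media: bytes, now: datetime) -> str:
        kid, key = self.km.current_key(now)
        nonce = secrets.token_bytes(16)
        self.items[call_id] = (kid, nonce, keystream_xor(key, nonce, media))
        return kid

    def get(self, call_id: str) -> bytes:
        kid, nonce, ct = self.items[call_id]
        return keystream_xor(self.km.key_for(kid), nonce, ct)

    def replayable(self, call_id: str) -> bool:
        try:
            self.get(call_id)
            return True
        except KeyError:
            return False


def demo() -> dict:
    """Constructed timeline: three calls over two days, then key-0001 is
    reported compromised and deleted."""
    km = KeyManager(secrets.token_bytes(32))
    store = RecordingStore(km)
    t0 = datetime(2014, 8, 1, 9, 0)
    k1 = store.put("call-1", b"audio day one", t0)
    k2 = store.put("call-2", b"audio same day", t0 + timedelta(hours=23))
    k3 = store.put("call-3", b"audio next day", t0 + timedelta(hours=25))
    roundtrip = store.get("call-3") == b"audio next day"
    km.delete_compromised(k1)
    return {"same_key_within_24h": k1 == k2, "rotated_after_24h": k3 != k1,
            "roundtrip": roundtrip, "call1_after_delete": store.replayable("call-1"),
            "call3_after_delete": store.replayable("call-3")}


if __name__ == "__main__":
    print(demo())
```

The design point is the per-recording key id: rotation does not require re-encrypting old media, and the blast radius of a compromised key is exactly the set of recordings that carry its id, which the store can enumerate.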

- Initialization of audit logs
- Creation and deletion of system-level objects

Avaya recommends that enterprises enable the audit policies provided by Microsoft Windows 2008 servers. This allows auditing of direct access to recorded data through the file system by users who log in directly to servers that host recording systems.

Applications in Avaya Quality Monitoring also log events to the Windows Event Logs as well as to the Debug Logging Service. The Windows logging service provides multiple levels of logging, including ERROR, WARNING, INFO, and DEBUG, in a standardized format. Each logging statement is stamped with the name of the application, thread ID, time, and logging level.

We also recommend that enterprises synchronize the system clock on all servers hosting applications of Avaya Quality Monitoring with a centralized time server via NTP. This can be set at the domain level.

PCI Requirement 11: Regularly test security systems and processes
PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors

Requirements 11 and 12 are specifically about processes and policies that enterprises must execute and maintain in order to be in compliance with PCI DSS. They do not apply to Avaya Quality Monitoring or other solutions.

Learn More

To learn more about Avaya Aura Workforce Optimization Quality Monitoring, contact your Avaya Account Manager or Avaya Authorized Partner. Or, visit us online at avaya.com
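The second access-control layer under Requirement 9 (inactive-account lockout, lockout after a configurable number of failed attempts, password length and complexity, periodic password change) and the audit trail under Requirement 10 (invalid logical access attempts recorded with application name, thread ID, time and level) are shown together in the following added example. It is illustrative code written for this page, not Avaya's Enterprise Manager; the policy values, the account structure, the application name in the audit line and the sample accounts are constructed. Time is passed in explicitly so the policy decisions are reproducible.

```python
"""Added example (not Avaya code): account/password policy enforcement that
records every refused access attempt in an audit trail."""
import hashlib
import hmac
import secrets
import string
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    max_failed_attempts: int = 6      # constructed values; set from the
    inactive_days: int = 90           # enterprise's own PCI DSS 8.x settings
    min_length: int = 7
    max_password_age_days: int = 90


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes          # only the PBKDF2 hash is persisted, never the password
    password_set: datetime
    last_login: datetime
    failed: int = 0
    locked: bool = False


AUDIT = []   # stand-in for the non-editable Audit Database


def audit(level: str, msg: str, now: datetime) -> str:
    """Audit line stamped with application name (hypothetical), thread ID,
    time and level, in the order the logging format above lists them."""
    line = f"QM-EnterpriseManager tid={threading.get_ident()} {now.isoformat()} {level} {msg}"
    AUDIT.append(line)
    return line


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(password: str, policy: Policy) -> bool:
    """Minimum length plus at least one letter and one digit."""
    has_alpha = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    return len(password) >= policy.min_length and has_alpha and has_digit


def create_account(username: str, password: str, now: datetime,
                   policy: Policy = Policy()) -> Account:
    if not check_complexity(password, policy):
        raise ValueError("password does not meet the complexity policy")
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), now, now)


def login(acct: Account, password: str, now: datetime,
          policy: Policy = Policy()) -> str:
    """Returns 'ok', 'expired', 'denied' or 'locked'; every refusal is audited."""
    if acct.locked:
        audit("WARNING", f"login refused, account locked user={acct.username}", now)
        return "locked"
    if now - acct.last_login > timedelta(days=policy.inactive_days):
        acct.locked = True
        audit("WARNING", f"inactive account locked user={acct.username}", now)
        return "locked"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed += 1
        if acct.failed >= policy.max_failed_attempts:
            acct.locked = True
        audit("WARNING", f"invalid logical access attempt user={acct.username} "
                         f"count={acct.failed}", now)
        return "locked" if acct.locked else "denied"
    acct.failed = 0
    acct.last_login = now
    if now - acct.password_set > timedelta(days=policy.max_password_age_days):
        audit("INFO", f"password change required user={acct.username}", now)
        return "expired"
    audit("INFO", f"login ok user={acct.username}", now)
    return "ok"


def demo_sequence() -> list:
    """Constructed accounts exercising each policy item in turn."""
    t0 = datetime(2014, 8, 1, tzinfo=timezone.utc)
    acct = create_account("auditor1", "Secret2014", t0)
    out = [login(acct, "Secret2014", t0 + timedelta(days=45))]       # ok
    out.append(login(acct, "Secret2014", t0 + timedelta(days=91)))   # expired
    bad = create_account("agent7", "Agent2014", t0)
    for _ in range(6):                                               # 5 denied, then locked
        out.append(login(bad, "wrong", t0 + timedelta(days=1)))
    out.append(login(bad, "Agent2014", t0 + timedelta(days=1)))      # still locked
    stale = create_account("temp3", "Temp2014", t0)
    out.append(login(stale, "Temp2014", t0 + timedelta(days=120)))   # inactive lock
    return out


if __name__ == "__main__":
    print(demo_sequence())
    print(*AUDIT, sep="\n")
```

Two details matter for the audit half: the lockout is decided and written in the same step as the failed attempt, so the trail shows the count that triggered it, and the timestamp comes from the caller's clock, which is why the NTP recommendation under Requirement 10 matters when lines from several servers are correlated.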

About Avaya

Avaya is a global provider of business collaboration and communications solutions, providing unified communications, contact centers, networking and related services to companies of all sizes around the world. For more information, please visit avaya.com.

Avaya Inc. All Rights Reserved. All trademarks identified by ®, ™, or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. 07/14 UC


More information

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI COMPLIANCE IS NO LONGER OPTIONAL PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A-EP For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions

More information

PCI DSS and VNC Connect

PCI DSS and VNC Connect VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a

More information

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security

More information

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Easy-to-Use PCI Kit to Enable PCI Compliance Audits Easy-to-Use PCI Kit to Enable PCI Compliance Audits Version 2.0 and Above Table of Contents Executive Summary... 3 About This Guide... 3 What Is PCI?... 3 ForeScout CounterACT... 3 PCI Requirements Addressed

More information

Data Security Standard

Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance GlobalSCAPE EFT Server HS Module High Security Facilitating Enterprise PCI DSS Compliance Detail Review Table of Contents Understanding the PCI DSS 3 The Case for Compliance 3 The Origin of the Standard

More information

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives As companies extend their online

More information

PCI DSS 3.2 AWARENESS NOVEMBER 2017

PCI DSS 3.2 AWARENESS NOVEMBER 2017 PCI DSS 3.2 AWARENESS NOVEMBER 2017 1 AGENDA PCI STANDARD OVERVIEW PAYMENT ENVIRONMENT 2ACTORS PCI ROLES AND RESPONSIBILITIES MERCHANTS COMPLIANCE PROGRAM PCI DSS 3.2 REQUIREMENTS 2 PCI STANDARD OVERVIEW

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE

More information

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1 Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1 2 XERA POS Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide XERA POS Version

More information

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry Internal Security Assessor: Quick Reference V1.0 PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card

More information

SIP Trunks. PCI compliance paired with agile and cost-effective telephony

SIP Trunks. PCI compliance paired with agile and cost-effective telephony SIP Trunks PCI compliance paired with agile and cost-effective telephony What is PCI DSS compliance? What does this mean for you? The Payment Card Industry Data Security Standard (PCI DSS) is the proprietary

More information

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201 Point PA-DSS Implementation Guide Banksys Yomani 1.04 VeriFone & PAX VPFIPA0201 Implementation Guide Contents 1 Revision history 1 2 Introduction 2 3 Document use 2 3.1 Important notes 2 4 Summary of requirements

More information

LOGmanager and PCI Data Security Standard v3.2 compliance

LOGmanager and PCI Data Security Standard v3.2 compliance LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1: Assessment Information

More information

Site Data Protection (SDP) Program Update

Site Data Protection (SDP) Program Update Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape

More information

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,

More information

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence General Information About This Document This document is intended as a quick reference guide to provide you with information concerning

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3. INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

A QUICK PRIMER ON PCI DSS VERSION 3.0

A QUICK PRIMER ON PCI DSS VERSION 3.0 1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C All university merchant departments accepting credit cards

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

PCI PA-DSS Implementation Guide

PCI PA-DSS Implementation Guide PCI PA-DSS Implementation Guide For Atos Worldline Banksys XENTA, XENTEO, XENTEO ECO, XENOA ECO YOMANI and YOMANI XR terminals using the Point BKX Payment Core Software Versions A05.01 and A05.02 Version

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each

More information

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0 Implementation Guide Payment Card Industry Data Security Standard 2.0 Guide version 4.0 Copyright 2012 Payment Processing Partners Inc. All rights reserved. ChargeItPro and ChargeItPro EasyIntegrator are

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1:

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments - Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

RES Version 3.2 Service Pack 7 Hotfix 5 with Transaction Vault Electronic Payment Driver Version 4.3 PCI Data Security Standard Adherence

RES Version 3.2 Service Pack 7 Hotfix 5 with Transaction Vault Electronic Payment Driver Version 4.3 PCI Data Security Standard Adherence RES Version 3.2 Service Pack 7 Hotfix 5 with Transaction Vault Electronic Payment Driver Version 4.3 PCI Data Adherence General Information About This Document This document is intended as a quick reference

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Summary of Changes from PA-DSS Version 2.0 to 3.0

Summary of Changes from PA-DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Payment Application Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Provided by: Introduction This document provides a summary of changes from v2.0

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage

More information

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0 Qualified Integrators and Resellers (QIR) TM Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the Validated Payment Application

More information

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC) PCI PA - DSS Point Vx Implementation Guide For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC) Version 2.02 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm,

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

PCI DSS Illuminating the Grey 25 August Roger Greyling

PCI DSS Illuminating the Grey 25 August Roger Greyling PCI DSS Illuminating the Grey 25 August 2010 Roger Greyling +64 21 507 522 roger.greyling@security-assessment.com Lightweight Intro Dark Myths of PCI 3 Shades of Grey The Payment Card Industry Data Security

More information

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2) PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

More information

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm PCI and PA DSS Compliance with LogRhythm April 2011 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Document2 Section 1: Assessment Information Instructions for

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.0 February 2014 Document Changes

More information

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres How to Take your Contact Centre Out of Scope for PCI DSS Reducing Cost and Risk in Credit Card Transactions for Contact Centres 1 2 Contents 4 Executive Summary 6 PCI DSS Background 8 PCI DSS What s Involved

More information

Addressing PCI DSS 3.2

Addressing PCI DSS 3.2 Organizational Challenges Securing the evergrowing landscape of devices while keeping pace with regulations Enforcing appropriate access for compliant and non-compliant endpoints Requiring tools that provide

More information

PCI DSS Compliance. White Paper Parallels Remote Application Server

PCI DSS Compliance. White Paper Parallels Remote Application Server PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0. Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 1,

More information

SAQ A AOC v3.2 Faria Systems LLC

SAQ A AOC v3.2 Faria Systems LLC SAQ A AOC v3.2 Faria Systems LLC Self-Assessment Questionnaire A and Attestation of Compliance Version 3.2 Section 1: Assessment Information Part 1. Merchant and Qualified Security Assessor Information

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire P2PE For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

OPENEDGE APPLICATIONS IN A PCI-DSS ENVIRONMENT PROGRESS. Progress OpenEdge. Michael Jacobs PROGRESS PERSPECTIVE.

OPENEDGE APPLICATIONS IN A PCI-DSS ENVIRONMENT PROGRESS. Progress OpenEdge. Michael Jacobs PROGRESS PERSPECTIVE. Progress OpenEdge PROGRESS PERSPECTIVE > PROGRESS OPENEDGE APPLICATIONS IN A ENVIRONMENT Michael Jacobs BUSINESS MAKING PROGRESS Table of Contents Payment Card Industry Data Security Standard 1 Introduction

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) January 2009 1 January 2009 Polycom White Paper: Complying with PCI-DSS Page 2 1.

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October

More information

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview February 10, 2011 Quick Overview RSM McGladrey, Inc. Greg Schu, Managing Director/Partner Kelly Hughes, Director When considered with

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Security Update PCI Compliance

Security Update PCI Compliance Security Update PCI Compliance (Payment Card Industry) Jeff Uehling IBM i Security Development uehling@us.ibm.com 2012 IBM Corporation PCI Requirements An Information only Presentation NOTE: These Slides

More information

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90 PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review and

More information

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels The Devil is in the Details: The Secrets to Complying with PCI Requirements Michelle Kaiser Bray Faegre Baker Daniels 1 PCI DSS: What? PCI DSS = Payment Card Industry Data Security Standard Payment card

More information