AheevaCCS and the Payment Card Industry Data Security Standard




PCI DSS White Paper by Aheeva, January 2012

Introduction

In 2006, the major payment brands, including American Express, MasterCard Worldwide, Visa Inc., Discover Financial Services, and JCB International, formed the Payment Card Industry (PCI) Security Standards Council (SSC), a global forum whose mission is the development and management of the PCI Security Standards, including the Data Security Standard (DSS). In March 2011, the council released the document Information Supplement: Protecting Telephone-based Payment Card Data, specifically targeting merchants handling credit card data over the telephone, such as call centres. Call centres are often required by regulatory bodies to record and store telephone conversations, so it becomes mandatory for them to comply with the PCI DSS guidelines.

What exactly are the PCI DSS guidelines for voice recordings? Simply put, it is a direct violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted. Therefore, digital audio and video recordings cannot store CAV2, CVC2, CVV2 or CID codes after authorization. On the other hand, the primary account number (PAN) can be stored only if it is rendered unreadable by encryption or truncation and access to it is controlled. The following table, taken from the Information Supplement document, summarizes these guidelines:

Account Data                    Data Element                  Storage Permitted   Render Stored Account Data Unreadable per Requirement 3.4
Cardholder Data                 Primary Account Number (PAN)  Yes                 Yes
                                Cardholder Name               Yes                 No
                                Service Code                  Yes                 No
                                Expiration Date               Yes                 No
Sensitive Authentication Data*  Full Magnetic Stripe Data     No                  Cannot store*
                                CAV2/CVC2/CVV2/CID            No                  Cannot store*
                                PIN/PIN Block                 No                  Cannot store*

* Sensitive authentication data must not be stored after authorization, even if encrypted.

www.aheeva.com Page 1

In a call centre performing credit card transactions, the customer will most likely give his PAN to the agent by phone. The recordings of these calls must be treated in the same secure way as database storage or simple text files containing cardholder data. PCI DSS allows encryption and storage of the data if the appropriate security guidelines are respected. Access to encryption keys must be granted to the fewest number of custodians possible, because those who obtain access will be able to decrypt the data. On top of this comes a heavy and strict management process for encryption keys, from their generation to their storage, distribution, replacement, and destruction. While technically feasible, this represents a heavy and complex workload and requires specialized resources.

Luckily, it is possible to eliminate this risk of non-compliance by taking the audio and video recordings out of the scope of PCI DSS. This can be done by simply avoiding the recording of the PAN. For obvious reasons, the same approach must also apply to the card validation codes, since they cannot be stored under any circumstances, encrypted or not. This is where AheevaCCS comes into play.

AheevaCCS and PCI DSS

Aheeva adapted its solution for call centres in order to help achieve PCI DSS compliance by offering two possible ways to avoid having card numbers and validation codes stored in audio and video recordings. The two approaches are not mutually exclusive; call centre operations can decide to use either one depending on their business needs and operating procedures. The first approach mutes the recording and resumes it after some time. The second approach asks customers to enter the numbers using the keypad on their telephones. The following two sections explain the two available options in detail.

Muting and resuming recording

Muting the recording requires that the agent manually clicks on a button on the StarPhone, Aheeva's softphone. Before prompting the customer for credit card information, the agent must click on the button. This action triggers an event that halts the audio and video recording for a pre-configured time.

When pressed, the look of the button changes to indicate that the recording has been halted, and a countdown timer appears to signal how much time is left before the recording resumes automatically. At any time while muted, the agent can click the button again to resume recording the call. AheevaCCS allows the supervisor to configure this functionality per Agent Group. The supervisor can specify whether the button is enabled on the agents' softphone, whether recording resumes automatically or not, and the maximum mute time before an automatic resumption.
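
The following is an added example, not Aheeva's code, modelling the mute/resume control just described: the three per-Agent-Group settings the text names (button enabled, automatic resumption, maximum mute time), the countdown the softphone shows while muted, and the log of mute events with start time and duration that the Quality Monitoring section later describes a supervisor reviewing. The class and method names are assumptions for illustration; times are plain seconds so the example runs offline without a clock.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AgentGroupPolicy:
    """Per-Agent-Group settings named in the text (values here are constructed)."""
    mute_button_enabled: bool = True
    auto_resume: bool = True
    max_mute_seconds: int = 60


@dataclass
class MuteEvent:
    """One pause of the recording: when it started, when it ended, and why."""
    started_at: float
    ended_at: Optional[float] = None
    reason: str = "agent"  # "agent" = button clicked again, "timeout" = auto-resume

    @property
    def duration(self) -> Optional[float]:
        return None if self.ended_at is None else self.ended_at - self.started_at


class RecordingController:
    """Tracks whether audio/video recording is active for one call (hypothetical class)."""

    def __init__(self, policy: AgentGroupPolicy):
        self.policy = policy
        self.recording = True
        self.events: List[MuteEvent] = []

    @property
    def current(self) -> Optional[MuteEvent]:
        """The open mute event, if the call is muted right now."""
        if self.events and self.events[-1].ended_at is None:
            return self.events[-1]
        return None

    def mute(self, now: float) -> bool:
        """Agent clicks the mute button; refused if the group disables it or already muted."""
        if not self.policy.mute_button_enabled or not self.recording:
            return False
        self.recording = False
        self.events.append(MuteEvent(started_at=now))
        return True

    def resume(self, now: float, reason: str = "agent") -> bool:
        """Close the open mute event and restart recording."""
        ev = self.current
        if ev is None:
            return False
        ev.ended_at = now
        ev.reason = reason
        self.recording = True
        return True

    def seconds_remaining(self, now: float) -> Optional[float]:
        """Countdown shown on the softphone; None when not muted or auto-resume is off."""
        ev = self.current
        if ev is None or not self.policy.auto_resume:
            return None
        return max(0.0, self.policy.max_mute_seconds - (now - ev.started_at))

    def tick(self, now: float) -> None:
        """Called periodically by the softphone; enforces the maximum mute time."""
        if self.seconds_remaining(now) == 0.0:
            self.resume(now, reason="timeout")

    def mute_summary(self) -> dict:
        """What the supervisor's recordings list would show: count and per-event timing."""
        return {
            "mute_count": len(self.events),
            "events": [(e.started_at, e.duration, e.reason) for e in self.events],
        }


def demo() -> RecordingController:
    """Constructed call: one manual resume, one mute left to the 30 s auto-resume."""
    ctrl = RecordingController(AgentGroupPolicy(max_mute_seconds=30))
    ctrl.mute(now=100.0)        # agent clicks before asking for the card number
    ctrl.tick(now=110.0)        # still inside the window, recording stays paused
    ctrl.resume(now=115.0)      # agent clicks again: 15 s muted
    ctrl.mute(now=200.0)        # second mute, agent forgets to resume
    for t in (210.0, 225.0, 231.0):
        ctrl.tick(now=t)        # auto-resume fires once 30 s have elapsed
    return ctrl
```

A long or frequent "timeout" entry in the summary is exactly the overuse signal the supervisor is looking for: the agent muted and never came back, so the policy rather than the agent ended the pause.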

Customer DTMF input

The second approach consists of having the customer enter the PAN and, where applicable, the verification code directly using the keypad on his telephone. The following is a step-by-step description of the procedure. The agent expands the list of attached data on his softphone and adds a new variable of type Credit Card, CVV, Expiry Year, or Expiry Month. These four types are already pre-defined in the Aheeva StarPhone, so the agent can easily choose the desired one.

Once one of these pre-defined entries is created, a pre-recorded message is played automatically to the customer, prompting him to enter the number by pressing the DTMF keys on his telephone keypad. The playback of this message is optional and can be skipped should the agent ask the customer for the information himself. When the customer enters the DTMF sequence, AheevaCCS detects the keys pressed and automatically populates the Credit Card and CVV fields. The agent does not hear the tones, and the sequence entered is masked in the selected field. This keeps the audio and video recordings from capturing and storing the information.

After the customer enters the PAN, the StarPhone validates the sequence entered using the Luhn algorithm and a length check. If the validation succeeds, the entry is accepted; if not, the agent notifies the customer, who can then try again. Once the customer finishes entering the numbers and they are validated correctly, the agent presses a button to copy the content of the fields to the local clipboard, giving him the possibility to paste the information into a payment processing application without having to hear it, see it or re-enter it. Since the payment processing application is usually a third-party application, we have no control over its behaviour, and most likely it will display the PAN and verification code in clear. In order to avoid having the numbers recorded in the video after they are copied into the payment application fields, the Aheeva StarPhone automatically sends a control signal to pause the video recording as soon as the agent clicks the Copy button. The video recording remains paused for a pre-defined time, giving the agent enough time to paste the data and process the transaction.

Aheeva Form Builder

The Aheeva Form Builder is a friendly tool integrated into the Aheeva Manager that allows the user to build web forms that pop up on the agent's desktop upon reception of a call. The Aheeva Form Builder offers a new block of elements called Payment Card. This group of elements can be used for capturing the PAN and the verification code. A Payment Card block comprises the following elements:

- Combo box, listing the types of payment cards: American Express, MasterCard, Visa
- Primary Account Number, formed of:
  o Text element: for the first 6 digits, which should be shown
  o Masked text element: variable length depending on payment card type
  o Text element: for the last 4 digits, which should be shown
- Masked text element for the PIN
- List box element for the Expiry Month
- List box element for the Expiry Year
- Button: Mute/Continue, to pause recording and to continue it after all the fields are filled

Initially all fields are disabled. Upon pressing the Mute button on the form, a control message is sent to the agent's softphone to mute the audio and video recording. Once a confirmation is received that the StarPhone has muted the recording, all the fields are enabled. This mechanism guarantees that the agent will not start entering the information while the recordings are still active.

Upon pressing the Resume button, a script validates the PAN entered using the Luhn algorithm and a length check. If successful, all the fields are disabled, and a control message is sent to the StarPhone to resume audio and video recording. The forms created using the Aheeva Form Builder can present the elements to capture the credit card information, but they have to be customized to include the code that processes the payment transaction with a payment service. By default, the Aheeva forms do not store the sensitive data in the database. The client/user can choose otherwise and customize the form to do so, but he has to be aware of the consequences and implications of doing so, so as not to violate PCI DSS Requirement 3.2.

Quality Monitoring

Using the Aheeva Manager, a web-based configuration and management application, a supervisor can retrieve the recordings list using different criteria. The fetched list shows the number of times a recording was muted by the agent. The supervisor can then click on that number, and a new window pops up showing when each mute event took place and how long it lasted. This allows supervisors to make sure that agents use the new mechanism properly and correctly and do not overuse it.
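
The PAN check that both the DTMF entry step and the Form Builder's Resume script perform (Luhn algorithm plus a length check), together with the split of the PAN into the "first 6 / masked middle / last 4" sub-fields of the Payment Card block, as an added example that is not Aheeva's code. The page does not say which lengths the StarPhone accepts per card type, so the length table below is an assumption for the three types the combo box lists; the Luhn routine and the masking rule (at most the first six and last four digits displayed, the PCI DSS Requirement 3.3 masking rule) are standard.

```python
from typing import Tuple

# Assumed accepted PAN lengths per card type (not stated on the page).
PAN_LENGTHS = {
    "Visa": (13, 16),
    "MasterCard": (16,),
    "American Express": (15,),
}


def normalize(pan: str) -> str:
    """Drop the spaces and dashes a caller or agent may type between digit groups."""
    return pan.replace(" ", "").replace("-", "")


def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, fold >9 to d-9, sum mod 10 == 0."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(pan: str, card_type: str) -> Tuple[bool, str]:
    """Length check for the selected card type first, then the Luhn check.

    Returns (accepted, reason) so the softphone can tell the agent why the
    customer must re-enter the number without ever showing the digits.
    """
    digits = normalize(pan)
    if not digits.isdigit():
        return False, "non-digit characters"
    lengths = PAN_LENGTHS.get(card_type)
    if lengths is None:
        return False, "unknown card type"
    if len(digits) not in lengths:
        return False, f"length {len(digits)} not valid for {card_type}"
    if not luhn_ok(digits):
        return False, "Luhn check failed"
    return True, "ok"


def split_for_form(pan: str) -> Tuple[str, str, str]:
    """The three PAN sub-fields of the Payment Card block: shown first 6, masked middle, shown last 4.

    The middle part is variable length: 6 digits for a 16-digit card, 5 for a 15-digit Amex.
    """
    digits = normalize(pan)
    return digits[:6], digits[6:-4], digits[-4:]


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Display form of the PAN: first 6 and last 4 visible, everything between masked."""
    digits = normalize(pan)
    if len(digits) <= 10:
        return mask_char * len(digits)  # too short to reveal any digit safely
    first6, middle, last4 = split_for_form(digits)
    return first6 + mask_char * len(middle) + last4
```

Running the check against the public test numbers the payment brands publish for integration testing (for example 4111 1111 1111 1111 for Visa) shows the order of the checks: a 15-digit number submitted with "Visa" selected is rejected on length before Luhn is even computed, so the agent's first corrective question is "which card type is it?" rather than "please re-enter".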

Summary

The main objective of PCI DSS is to help merchants put in place the procedures and best practices to minimize the risk of credit card fraud and protect the personal information of cardholders. The scope of work for a call centre to become compliant with PCI DSS is much larger than muting the recordings and encrypting stored data. Often a drastic shift in operations and procedures is necessary, along with a serious commitment from all levels of the organization and the will to invest time and money in order to achieve compliance. On top of this, the biggest challenge is not in attaining compliance, but in keeping it year after year. Sooner or later, all merchants processing credit card transactions, especially over the telephone, will be required by the credit card companies to comply with PCI DSS. Aheeva, with its AheevaCCS solution, has developed a flexible and reliable tool to help call centres take a significant step towards compliance with the PCI DSS requirements. Aheeva is committed to always offering the best possible solution to ensure the confidentiality and security of sensitive data. The culture and values of Aheeva ensure that AheevaCCS will continue evolving and uncovering better ways to make it the solution of choice for call centres seeking compliance.