PCI DSS compliance when recording calls in contact centres. Application note. Ian Colville, Product Manager, Aculab



Similar documents
A dual redundant SIP service. White paper

Implementing telco grade functionality for enterprise VoIP solutions. White paper. Ian Colville, Product Manager, Aculab

Dual Chassis Fault and the Advantages of Designing a SS7 Network

Distributed architecture for VoIP telephony solutions White paper

Version: 0.102c. Date: 17 th December Information Supplement:

SIP trunks Deployment note

Application Note. Configuring Dialogic Host Media Processing Software Release 3.0 for Windows Software Licenses

Guidance Notes PCI DSS Compliance as it relates to Call Recording

Information Sheet. PCI DSS Overview

Keeping your Telephone Payments Watertight: Making your Contact Centre PCI Compliant

SIP-Based Solutions in the Contact Center: Using Dialogic Media Gateways with the Genesys Voice Platform

OXY GEN GROUP. pay. payment solutions

White paper. How to take your contact centre out of scope for PCI DSS. Reducing cost and risk in credit card transactions for contact centres

How Does Fax over IP Work?

How To Use Blackberry Mobile Voice System On A Blackberry Phone

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Business Communications Solutions

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres

Quick Setup Guide. Integration of Aastra MX-ONE / Aastra 700 and Microsoft Lync Server 2010

An Oracle White Paper February Centralized vs. Distributed SIP Trunking: Making an Informed Decision

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

Application Note. Configuring Dialogic Host Media Processing Software Release 3.1LIN Software Licenses

IP Voice Reseller. Deliver the VoIP services your customers demand without costly infrastructure investment or increased management complexity.

PCI Compliance. Reducing cost & risk in Credit Card Transactions for Contact Centres V1.0

Credit Card Processing Overview

AheevaCCS and the Payment Card Industry Data Security Standard

Sage 100 ERP I White Paper. Payment Processing Trends, Tips, and Tricks: What You Need to Know

Application Notes for Configuring Intelepeer SIP Trunking with Avaya IP Office Issue 1.0

Adyen PCI DSS 3.0 Compliance Guide

<COMPANY> P07 - Third Parties Policy

Introduction to PCI DSS

Migration from TDM to IP in Public Safety Environments: The Challenge for Voice Recording

Qualified Integrators and Resellers (QIR) Implementation Statement

IP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online

White Paper On. PCI DSS Compliance And Voice Recording Implications

Dialogic Vision VG Media Gateway

PCI Compliance Overview

CardControl. Credit Card Processing 101. Overview. Contents

Application Note. Using Dialogic Boards to Enhance Interactive Voice Response Applications

Call Center Solution. From

Need to be PCI DSS compliant and reduce the risk of fraud?

Choosing a Dialogic Product Option for Creating a PSTN-HMP Interface

AudioCodes Mediant 1000 Configuration Guide

Xarios EMEA Xarios Asia / Pacific Xarios North America

SIP Trunking Configuration with

Avaya IP Office 8.1 Configuration Guide

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Product Specifications

Application Notes for Configuring Broadvox SIP Trunking with Avaya IP Office - Issue 1.0

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

WiMAX Forum Network Requirements

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

The MOST Affordable HD Video Conferencing. Conferencing for Enterprises, Conferencing for SMBs

NCR CONNECTED PAYMENTS

Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0

PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL

Aculab digital network access cards

PRODUCT GUIDE Version 1.2 HELPDESK EXPRESS 1.0

IBM WebSphere Application Server Communications Enabled Applications

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

syntec.co.uk Cloud services for efficiency & customer service

Sage ERP MAS I White Paper. Payment Processing Trends, Tips, and Tricks: What You Need to Know

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

BlackBerry Mobile Voice System

Application Notes for Configuring Avaya IP Office 9.0 with HIPCOM SIP Trunk Issue 1.0

IBM Payment Services. Service Definition. IBM Payment Services 1

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March Information Supplement: Protecting Telephone-based Payment Card Data

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

EMV mobile Point of Sale (mpos) Initial Considerations

Application Note. Using a Dialogic Media Gateway Series as a PSTN Gateway with an Asterisk IP-PBX Server

NCR CONNECTED PAYMENTS The vision for payment acceptance in restaurants

Using CIM Systems for Regulatory Compliance

OAISYS and ShoreTel: Call Recording Solution Configuration. An OAISYS White Paper

BT for Financial Services. Payments. A forward-thinking approach to get ahead of payment trends

PAYWARE MERCHANT MANAGED SERVICE

Complying with PCI DSS

RT Series IP PBX Products Introduction. All in one telephone system

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

Whitepaper: Voice Call Notifications via VoIP and existing Dialogic Diva Boards

Succession Solutions. Voice over IP enabled Meridian

White Paper. SIP Trunking. Abstract

PCI PA-DSS Requirements. For hardware vendors

The MOST Affordable HD Video Conferencing. Conferencing for Enterprises, Conferencing for SMBs

FOUR WAYS TO ACHIEVE PCI DSS COMPLIANCE

Finance & Ecommerce Systems

Voice over IP Basics for IT Technicians

How To Achieve Pca Compliance With Redhat Enterprise Linux

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Beyond Connecting the Call: Empowering Corporate Strategy With Hosted IP-Based Contact Routing

Technical Configuration Notes

Benefits of Integrated Credit Card Processing Within Microsoft Dynamics GP. White Paper

Realex Payments Integration Guide - Ecommerce Remote Integration. Version: v1.1

SIP Trunking Configuration Guide for Barracuda Phone System Release 3.x. Document Version 0.5

BlackBerry Mobile Voice System

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed Web security

Ultracomms Cloud Solutions

Transcription:

PCI DSS compliance when recording calls in contact centres Application note Ian Colville, Product Manager, Aculab APB0382 Issue 1 9 th October, 2014 Page 1 of 8 pages

Table of contents Introduction... 2 PCI standards... 3 Legislation... 3 The needs of developers... 3 Security requirements... 3 Call recording... 4 Tone elimination... 4 Technology options... 4 ApplianX IP Gateway... 5 DTMF elimination... 5 Tone elimination... 6 Application example... 6 Conclusion... 7 About Aculab... 8 Copyright and other notices... 8 Introduction Anyone doing business in what s known as the call centre or contact centre sector, regardless of their vertical market focus, will be aware of the Payment Card Industry standards. That is: the Payment Card Industry Data Security Standard (PCI DSS); and the associated Payment Application Data Security Standard (PA-DSS). Furthermore, anyone looking to develop a business application to serve the contact centre market will be aware of the need to comply with the PCI DSS and PA-DSS standards. Specifically, many will be concerned with technology solutions, either from a user point of view, or from the perspective of a vendor or solutions provider. This application note looks at one form of technology solution to solve the issue of tone elimination in recordings of calls between customers, clients or subscribers and contact centre agents or other staff members. It is addressed, primarily, at application developers those developing business focused contact centre applications for both business-to-consumer (B2C) and business-to-business (B2B) deployments. APB0382 Issue 1 9 th October, 2014 Page 2 of 8 pages

PCI standards The global PCI DSS mandates that any business, of any size, that stores, processes or transmits cardholder data obtained from payment cards, and/or sensitive authentication data (SAD), adheres to its information security best practices. Those are identified in a framework a minimum set of 12 specific requirements for protecting cardholder data. Those requirements are supported by the three-step process of assess, remediate and report, facilitating an ongoing process for continuous compliance. The PCI DSS applies to all entities involved in payment card processing, including merchants, payment card processors, financial institutions, and service providers. Legislation Significantly, the PCI DSS is not designed to supersede local, regional or sector laws, legislation, or other legal and regulatory requirements. On the other hand, its impact may well be reinforced by additional controls and practices, to further mitigate risks. The needs of developers An application developer, implementing a contact centre platform, will need a technology solution to enable the delivery of the controls and practices necessary to ensure ongoing compliance with the PCI DSS. An essential technology for developers of contact centre applications is that of media processing for telecommunications; what are often referred to as telephony resources. As many credit card transactions are conducted via telephone, whether through the legacy PSTN or over a next generation, IP-based network, the processing, storage and transmission of cardholder data naturally occurs during telecommunications. The sections of the PCI DSS relevant to a telephony-based transaction refer to sensitive authentication data (SAD), which includes magnetic-stripe data (or the equivalent on a chip), the 4/3-digit card security code, and personal identification numbers (PINs) or PIN blocks. Security requirements PCI DSS security requirements include the common sense obligation to protect stored cardholder data, by restricting access to system operators that have a business need to know and by restricting physical access to such data. Specific requirements go further in that they require that cardholder data must not be stored after authorisation, even if encrypted. Prior to authorisation, the temporary storage of SAD may be permitted by individual payment brands (e.g., Visa or Mastercard). The requirements apply to all system components included in or connected to the cardholder data environment (CDE), which spans people, processes and technologies. Those system components include network devices, application servers, and contact centre applications, whether internally provisioned or provided as a service by a third party. APB0382 Issue 1 9 th October, 2014 Page 3 of 8 pages

Call recording The implications extend to components or devices located within or connected to the CDE, and a classic example of one such device is the call recorder. Those are used to monitor and record conversations between calling (or called, in the case of an outbound dialler application) customers and call centre agents. The practice of call recording is widespread, not least in the financial services sector, and is governed by other legislation and requirements, such as the Sarbanes-Oxley Act (in the United States), and the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Data Protection and Privacy) Regulations 1999 (in the [still] United Kingdom). When a call, during which a customer enters h[is/er] PIN using the keypad on a telephone, is recorded, the dual-tone, multi-frequency (DTMF) digital signature that represents the PIN is naturally captured automatically, together with the audio voice signal. That is, unless deliberately, something is done to remove or extract the DTMF digits from the recording. Tone elimination The need to suppress the DTMF in the recording is explicit in the PCI DSS, which requires that cardholder data, and that includes the PIN, must not be stored after authorisation. That means anyone involved in contact centre solutions needs a technology solution that will enable their system to eliminate DTMF tones in recordings, and so comply with the PCI DSS. Technology options In a telecommunications environment, which means any call centre, the technology solution involves telephony resources, which can be implemented in two ways. For those prepared to integrate third party telephony resources into their solutions, typically by means of a vendor API, the result will be a seamless, built-in system option that can be readily activated by the end user organisation. For developers who would rather shy away from such activity, the alternative is to employ an in-line, intermediary device as part of their solution. Integrated API-based option Technology platforms such as Aculab s Prosody S and Prosody X offer APIs that enable developers to readily integrate the functionality needed to suppress DTMF signals. Aculab s vast experience in telephony signal processing, and its knowledge and expertise in the field of DTMF handling (generation and detection), is second to none. Very many contact centre systems and solutions around the world are underpinned by Aculab s renowned Prosody X DSP boards and chassis, or its SIP-based Prosody S host media processing software. Intermediate device option Aculab also offers an intermediary solution, which is based on an application of its ApplianX IP Gateway, which can be used as a stand-alone, in-line, intermediary device for the purpose of eliminating the DTMF tones that are used to convey cardholder data, including PINs. Figure 1 Basic principle of DTMF elimination APB0382 Issue 1 9 th October, 2014 Page 4 of 8 pages

ApplianX IP Gateway The ApplianX IP Gateway s tone elimination (also known as DTMF clamping) feature can be applied to suppress DTMF signals during a call that is being recorded. By installing the gateway in-line, between the contact centre system and a call recorder, DTMF signals can be readily prevented from reaching the recorder. The gateway s DTMF clamping feature is a user configurable option that can be applied to suppress tones, in real-time. DTMF elimination To see how DTMF clamping can be configured, see the Tone Elimination section on pages 32 and 33 of the ApplianX IP Gateway user guide. That presents user options to customise the elimination of DTMF tones from calls. The following image represents a screenshot from the user guide, which shows the configuration options. Figure 2: Tone elimination configuration Note that configurations for tone elimination are applied on a per route basis. Configuration details The Minimum duration of tone specifies the amount of DTMF tone to be present before it is considered to be DTMF tone and hence eliminated, and by default, that is set to No minimum. That default value will trigger the gateway into eliminating tones as soon as a sample of audio can be identified as containing tone. Other valid values will require at least 40 milliseconds or 64 milliseconds of tone before identifying that a sample of incoming audio contains a DTMF tone, and only then excluding the tone from the outgoing audio. The Call leg option should be set according to whether tones are expected to arrive on the incoming or outgoing (from the perspective of the gateway) leg of a call. If an incoming call is expected to carry DTMF then Incoming call should be selected as the call leg on which to eliminate tones. If an outgoing call is expected to carry DTMF then Outgoing call should be selected as the call leg on which to eliminate tones. APB0382 Issue 1 9 th October, 2014 Page 5 of 8 pages

Tone elimination The following figure illustrates the process of elimination of DTMF tones. The upper waveform shows DTMF and audio, whereas the lower waveform contains no DTMF signals. Figure 3 Showing tones present and eliminated Application example The ApplianX IP Gateway can be deployed between a contact centre system and a call recorder as shown in Figure 4 below. In this case, the system is controlled by the call centre agent who passes the caller to a secure, payment processing sub-system, by means of a hot-key. Whilst the agent is not a party to the call, the caller makes the payment by using the telephone keypad to enter card details. If successful, the caller is informed via the sub-system IVR and the database is updated, before the transaction details are sent to a payment gateway and the call is automatically returned to the agent. The process is effectively the same in an outbound dialler scenario. The system is secure, because the agent is not exposed to the card details and the card details are not stored. Therefore, the opportunities for fraud are reduced considerably. Furthermore, the agent's session is recorded from start to finish, with no breaks or pauses, and critically, without the DTMF signals representing the caller s data, which are suppressed by the ApplianX IP Gateway. Such a system is very easy for the agent to understand and helps to reduce the average cost per transaction, in addition to preventing the agent from being exposed to callers credit card details. APB0382 Issue 1 9 th October, 2014 Page 6 of 8 pages

The ApplianX IP Gateway receives inbound SIP or TDM signalled calls from the contact centre system, eliminates the DTMF signals in real-time and makes a corresponding outbound SIP call to the recorder. The RTP audio media reaching the recorder contains no DTMF and so the recording can be stored or archived in full compliance with the PCI DSS. In this scenario, the ApplianX IP Gateway can be configured for TDM-to-TDM, TDM-to-SIP or SIP-to-SIP calls, with a capacity of up to 4 E1/T1 trunks and 120 SIP calls. Figure 4: Application example Conclusion In any contact centre offering payment processing functionality via telephone, whether calls are handled by legacy TDM-based or next generation, SIP-based systems, there will be DTMF digital signatures present in the audio signals received as a result of data input by the caller. Those DTMF signals represent sensitive data, such as a customer s PIN. When calls are recorded, for whatever purposes, by the contact centre, in order to protect customer data and comply with the PCI DSS, those DTMF signals must be excluded from all call recordings. Unless such a capability is built in to the contact centre s payment processing system, an intermediate device will be needed to perform that function i.e., suppress or eliminate the DTMF signals so that they are not present in stored recordings. Clearly, the tone elimination feature of Aculab s ApplianX IP Gateway means it can be used as a stand-alone, in-line, intermediary device for eliminating the DTMF tones used to convey cardholder data, including PINs. The ApplianX IP Gateway s tone elimination or DTMF clamping feature will suppress, in realtime, any DTMF signals in the audio of calls fed to a recording device. By installing the gateway in-line, between the transaction processing system and the call recorder, DTMF signals can be prevented from reaching the recorder. With such a ready made, off-the-shelf solution, the contact centre manager can gain peace of mind, secure in the knowledge that customer data is protected and PCI DSS compliance is assured. APB0382 Issue 1 9 th October, 2014 Page 7 of 8 pages

About Aculab Aculab is an innovative, market leading company that provides world class telephony resources: via Aculab Cloud; or as licensed software; or on hardware (boards and chassis). With many years of experience in helping to drive our customers success, our gateways and enabling technology provide the essential components required to deliver telecommunications solutions (voice, data, fax, SMS) for use within IP, PSTN and mobile networks with performance levels that are second to none. Aculab serves the evolving needs of developers, integrators, service providers and equipment manufacturers, etc., with cost-effective, deployment proven, high performance products. Companies worldwide have adopted our technology for a wide variety of business critical services and solutions. Copyright and other notices 2014 Aculab plc. All rights reserved. Aculab, The Groomer, Prosody, Connected With Aculab, Aculab Worldwide Digital Connectivity and Aculab Your Connection To The Future are registered trademarks of Aculab plc. ApplianX, Prosody S, TiNG and GroomerII are trademarks of Aculab plc. All other product or company references or registered and unregistered trademarks are the sole property of their respective owners. For more information, visit Aculab s website at www.aculab.com Aculab plc, Lakeside, Bramley Road, Mount Farm, Milton Keynes. Buckinghamshire. MK1 1PT. United Kingdom. Tel: +44 (0) 1908 273 800 The information in this document is provided by Aculab plc for informational purposes only. Nothing in this publication forms any part of any contract. The information contained herein is based on material, which Aculab, based on its best efforts, believes to be reliable, but no representation is made as to its completeness or accuracy. Aculab makes no warranties, express or implied, in this document. E&OE. APB0382 Issue 1 9 th October, 2014 Page 8 of 8 pages

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information