
PCI DSS overview

The payment card industry (PCI) protects cardholder data through technical and operational standards set by the PCI Security Standards Council (PCI SSC).

Compliance with PCI standards is mandatory for any organisation that accepts the brands' cards. It is enforced contractually, through the acquiring banks, by the major payment card brands that established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The standards have three components that together cover every organisation which must protect cardholder data: manufacturers of PIN entry devices (PCI PTS), developers and vendors of payment software applications (PA-DSS), and merchants and processors (PCI DSS).

PCI standards components

Requirements for merchants and processors

If your business accepts or processes payment cards, it must comply with the third component of the PCI standards, the PCI Data Security Standard (PCI DSS). The standard governs every merchant and service provider that stores, processes or transmits cardholder data, and its scope covers all system components included in or connected to the cardholder data environment.

The PCI DSS is designed to help you protect customer account data and is comprehensive: it includes requirements for security management, policies, network architecture, software design and other critical protective measures.

It is important to note that no call recording system can be PCI DSS-compliant in itself: compliance is a property of the environment in which the recorder is deployed, as assessed by a Qualified Security Assessor (QSA). How each requirement applies to a particular deployment is a matter of assessor interpretation, so the same product may be part of a compliant environment at one site and a non-compliant one at another.

Summary of PCI DSS requirements

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

The full standard is at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. We recommend you review these standards independently.

Red Box Recorders and PCI DSS

Red Box recording solutions fall within the scope of PCI DSS whenever they capture or store cardholder data. Our solutions are designed with resilience and compliance in mind, which simplifies meeting the requirements in the environment around them.

Requirements 3, 4, 7, 8 and 9 above relate specifically to applications such as call recording. Our solutions address them as follows:

Red Box Recorders can provide an API for system integrators to develop an application that lets users stop and start recording during a transaction. This prevents credit card and other personal data from being captured in voice and/or screen recordings. Your contact centre can therefore avoid capturing and storing audio containing card validation codes, PINs or primary account numbers (PANs). Because a single missed pause stores sensitive authentication data, the trigger should be reliable (an automated event rather than agent memory) wherever possible (requirements 3 and 9).

Red Box solutions temporarily cache recorded content in a proprietary format with read and write permissions removed for all ordinary users. The files are compressed and encrypted before being transported over the network to the NAS device. Where that transport crosses any open public network, use a VPN so that requirement 4's demand for strong transport encryption is met independently of the file-level encryption. Note that the proprietary format is not itself a control under requirement 3.4; the encryption is. Together these measures protect stored files from direct access and files in transit from interception (requirements 3 and 4).

Our solutions provide role-based access and user privileges. For example, you may block users from accessing certain recordings that include cardholder data. Users must be configured and licensed by an administrator before being able to access the system. The default configuration is ‘no access’ (requirement 7).

We meet the access control requirements of PCI DSS by using Microsoft Active Directory for user authentication. Active Directory policy settings cover unique user ID assignment, first-time passwords, account termination, time-limited accounts, password strength and complexity, password expiry and account lockout. In addition, our desktop application enforces configurable session timeouts and requires re-authentication once a user exceeds the inactivity limit (requirement 8).

PCI compliance with ‘no card data storage’

One option for call centres that need to meet PCI DSS is to stop and restart call recording while payment details are being taken over the phone. This can be done either through computer telephony integration (CTI), so that the payment application triggers the pause automatically, or by giving the agent control of the recording.

This addresses the immediate problem of the recorder capturing card details during the call, but the call handler still hears the sensitive data, which remains a potential leakage point. To reduce that risk, call centres may consider 'clean' call rooms (no personal phones, paper or removable media at the desk) and paperless offices on top of the investment in the recording solution itself.

For any organisation that must keep a full audit trail of every customer interaction, stopping and restarting the recording is not feasible: the recording becomes segmented and is no longer an end-to-end record of the customer transaction. FSA-regulated organisations in particular need to keep the call recording complete.

Red Box Recorders can also provide an application for secure telephone payments. Customers enter their card data on the telephone keypad (DTMF tones); the tones are routed around the call recorder and are never heard by the agent. Card data is therefore not recorded, and the call recording remains uninterrupted, capturing every other part of the customer transaction. Routing the tones around the recorder (or masking them from it) is essential: DTMF is not a secret encoding, each key is a fixed pair of audio frequencies, and a key press that reaches the recording can be decoded back to its digit offline.

In this scenario no card data at all is stored by the Red Box system, and the risk of fraudulent use of recordings is significantly reduced.
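To show concretely why keypad entry must bypass (or be masked from) the recorder, here is an added example, not Red Box code and not a description of the Red Box application. It constructs a synthetic 8 kHz "recording" of a caller keying four digits, recovers the digits from the audio with the Goertzel algorithm (the same detection a telephony switch uses, and the same thing an attacker with a copy of the file would do), and then applies a masking step that silences every frame containing a DTMF pair. The frame size, power threshold and tone amplitude are assumptions chosen for this constructed input.

```python
"""DTMF leakage demo: decode keyed digits from audio, then mask them.

Constructed example for illustration only (not Red Box code).
Audio is mono, 8 kHz, float samples in a plain Python list.
"""
import math

SAMPLE_RATE = 8000                       # telephony sample rate (Hz)
FRAME_LEN = 205                          # classic Goertzel block size at 8 kHz
LOW_FREQS = (697, 770, 852, 941)         # DTMF row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)    # DTMF column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")
POWER_THRESHOLD = 100.0                  # assumption: tuned for the amplitude below


def dtmf_tone(key, duration=0.08, amplitude=0.5):
    """Synthesise one key press as the sum of its row and column sinusoids."""
    for row, keys in enumerate(KEYPAD):
        col = keys.find(key)
        if col >= 0:
            low, high = LOW_FREQS[row], HIGH_FREQS[col]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(SAMPLE_RATE * duration)
    return [amplitude / 2 * (math.sin(2 * math.pi * low * i / SAMPLE_RATE)
                             + math.sin(2 * math.pi * high * i / SAMPLE_RATE))
            for i in range(n)]


def render_keypresses(keys, gap=0.08):
    """Constructed 'recording' of a caller keying digits with silent gaps."""
    silence = [0.0] * int(SAMPLE_RATE * gap)
    samples = []
    for key in keys:
        samples += dtmf_tone(key) + silence
    return samples


def goertzel_power(frame, freq):
    """Energy of `frame` at one frequency (Goertzel algorithm, any freq)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_frames(samples):
    """Per-frame detection: list of (frame_start, key or None)."""
    result = []
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        frame = samples[start:start + FRAME_LEN]
        low = [goertzel_power(frame, f) for f in LOW_FREQS]
        high = [goertzel_power(frame, f) for f in HIGH_FREQS]
        r = max(range(4), key=low.__getitem__)
        c = max(range(4), key=high.__getitem__)
        hit = low[r] >= POWER_THRESHOLD and high[c] >= POWER_THRESHOLD
        result.append((start, KEYPAD[r][c] if hit else None))
    return result


def decode_dtmf(samples):
    """Recover keyed digits: what anyone holding the audio file can obtain."""
    digits, last = [], None
    for _, key in detect_frames(samples):
        if key is not None and key != last:   # new press, not a continuation
            digits.append(key)
        last = key                             # silence resets, so "11" decodes
    return "".join(digits)


def mask_dtmf(samples):
    """Silence every frame holding a DTMF pair plus one frame either side,
    so partial edge frames below threshold are covered as well."""
    masked = list(samples)
    frames = detect_frames(samples)
    for i, (start, key) in enumerate(frames):
        if key is None:
            continue
        first = frames[max(i - 1, 0)][0]
        end = frames[min(i + 1, len(frames) - 1)][0] + FRAME_LEN
        for j in range(first, end):
            masked[j] = 0.0
    return masked


if __name__ == "__main__":
    audio = render_keypresses("4111")        # constructed: start of a test PAN
    print("recovered from recording:", decode_dtmf(audio))
    print("recovered after masking: ", repr(decode_dtmf(mask_dtmf(audio))))
```

The masking function is a deliberate simplification of what a payment application must achieve in the audio path: in a real deployment the tones are stripped or bypassed at the telephony edge before the audio reaches the recorder and the agent, not filtered out of a file after the fact, because by then the sensitive authentication data has already been stored.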

Call centre specific response from PCI Security Standards Council

When must audio recordings containing cardholder data and/or sensitive authentication data be protected or stored? (Adapted from PCI SSC website.)

This response is for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID by the payment brands). It is intended to provide clarification for call centres regarding potential storage of card validation codes and values, and their compliance with the PCI DSS.

  1. It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after transaction authorisation.
  2. Call centres may receive cardholder data that includes sensitive authentication data and be unable to delete this sensitive data since individual elements cannot easily be deleted from an audio recording.
  3. These call centres and all cardholder data are in scope for PCI DSS. However, if the storage of card validation codes and values meets the unique circumstances described in this response AND these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. If you use commercially reasonable technology to delete these data elements, then these elements should be deleted.
  4. If the individual data elements within an audio file can never be queried, only the physical and logical protections defined in PCI DSS version 1.1 must be applied to these audio files.
  5. Additionally, if these audio files that can never be queried are copied to magnetic tape media, that media must also be protected in accordance with PCI DSS.
  6. However, if card validation codes and values stored on audio files are subject to technology that allows for the capture and transposition of the speech/audio data into a format that can be queried (for example, digital or other file formats), the sensitive authentication data, including card validation codes and values, must not be stored and must be deleted immediately after authorisation.
  7. All other cardholder data captured by call centres must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4. All other entities must protect cardholder data in accordance with PCI DSS, including requirements 3.2 and 3.4.

Red Box recommendations to address PCI DSS

Address PCI requirements 1, 2, 6, 7, 8 and 10 through your network infrastructure environment; the network team or system integrator should incorporate the required features during deployment.

The IT/network team or your system integrator should address requirements 5, 6, 11 and 12.

Discuss with your Red Box representative the option of 'no card data storage': an additional application that gives customers a secure mode for entering card payment details which bypasses both the call recorder and the agent handling the call.

Red Box will work closely with your network team, system integrators, QSAs and internal audit teams to implement a call recording solution that enables you to conform to PCI DSS requirements.