Comply with PCI DSS call recording requirements.
|
VPI CAPTURE PCI™
PCI Call Recording Solution
|
Please fill out this form to get the VPI PCI Compliance Recording Solution fact sheet |
|
You’ll also get access to dozens of other valuable white papers, research reports, Webcasts and more in the VPI Resource Center.
|
|
Safeguarding personal customer information such as credit card data has become a major concern for many organizations – it not only protects your customers, it is also mandatory for complying with the Payment Card Industry Data Security Standard (PCI DSS). In November 2013, the PCI Standards Council announced tightened restrictions to recording and access to data that must be encrypted if stored (PAN) and data that must not be stored at all (full-track credit card data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks). PCI DSS 3.0 went effective on January 1, 2014.
Organizations that do not ensure compliance could face costly fines.
Challenges with Most Recording Systems in Use Today
In order to comply with the new PCI Data Security Standard, many organizations will be forced to either abandon call and screen recording or delete all recordings that may contain verbal receipts. Identifying sensitive content in potentially hundreds of thousands of recordings would be too laborious and cost prohibitive when done through manual review.
VPI offers 2 Reliable PCI Compliance Options
VPI CAPTURE PCI call recording software offers two reliable and cost effective solutions to help you ensure compliance with PCI DSS requirements:
Automated Pause/Resume of Call Recording |
||||||
|
The VPI CAPTURE PCI call recording system can automatically identify calls with sensitive card holder information. It uses VPI Fact Finder™ technology to identify audio and video segments of calls where the sensitive events and data occur – these parts are then omitted from the recorded media files, via automated triggers that pause/resume the recording process. Identification of sensitive card holder information flow can be achieved in several automated ways: |
||||||
|
|
 Access to Playback of Interactions Limited by Security Roles |
|
Many organizations review calls for quality assurance purposes and need to limit user access to specific types of recorded calls such as those involving financial transactions. VPI offers roles-based access to recordings for playback, selectively limiting user privileges according to administrator-definable criteria. Authorized playback provides access to those sections of recordings that do not include any regulated credit card information. Any user access to data and recordings requires a secure login. All user passwords are encrypted and securely stored, per PCI DSS 3.0 requirements. |
Other Security Features to Ensure Compliance with PCI DSS Requirements
To further ensure maximum security and compliance with PCI call recording software requirements, VPI also provides:
Encrypted Storage and Transmission of All Data across Open Networks
The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm. VPI supports AES 256 data and file encryption with strong cryptography as well as secure protocols including Secure Socket Layer, Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure storage and transmission of all recorded voice and screen recordings and associated data over the network. (PCI DSS Requirement 4.1)
Using Strong Cryptography for System Login with a Unique ID and Password for Each User
The system requires user authentication with a unique User ID and password to permit access. Password complexity can be managed via Active Directory integration. It tracks all user data-access activities within the system by User ID, date, activity type and ID of each recording accessed – displaying who has logged into the system, searched for calls, played back or exported calls, and when. The status and history of all activities can be reported on, used for triggering rules-based alerts, and monitored in heat maps that present audit log data in a visual, easy-to-analyze manner. (PCI DSS Requirements 2.3, 8)
Detailed Audit Log Tracks and Monitors All Access to Network Resources and Applications
This is achieved by providing a detailed audit trail of all user activities – linking specific actions to specific users and specific recordings, thereby providing high degree of visibility and transparency – so that organizations can conduct full trace audits to determine who accessed any recording in the system and when - for playback, export, or any other critical events. (PCI DSS Requirement 10) The VPI system also provides an interface for reconstructing multi-call events – user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (PCI DSS Requirement 10.2)
