PCI DSS Call Recording Resources and Solutions

Making it easy to comply with PCI DSS requirements.

VPI EMPOWER™
PCI Compliance Solutions
PCI DSS Call Recording Software Solution Resource Library


Safeguarding personal customer information such as credit card data has become a major concern for many organizations: it not only protects your customers, it is also mandatory for complying with the Payment Card Industry Data Security Standard (PCI DSS). In November 2013, the PCI Standards Council announced tightened restrictions on the recording of, and access to, data that must be encrypted if stored (the PAN) and data that must not be stored at all (full-track card data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks). PCI DSS 3.0 took effect on January 1, 2014. Organizations that do not ensure compliance could face costly fines.

Challenges with Most Recording Systems in Use Today

In order to comply with the new PCI Data Security Standard, many organizations will be forced to either abandon call and screen recording or delete all recordings that may contain verbal receipts. Identifying sensitive content in potentially hundreds of thousands of recordings would be too laborious and cost-prohibitive when done through manual review.

VPI Empower offers 3 Reliable PCI Compliance Options

VPI offers three reliable and cost effective solutions to help you ensure compliance with PCI DSS requirements:

Automated Pause/Resume of Call Recording

The VPI recording system can automatically identify calls that carry sensitive cardholder information. It uses VPI Fact Finder™ technology to identify the audio and video segments of a call in which the sensitive events and data occur; those segments are then omitted from the recorded media files by automated triggers that pause and resume the recording process.

Identification of the sensitive cardholder data flow can be achieved in several automated ways:

Web API: direct integration through an Application Programming Interface with third-party (e.g. CRM, order processing) or homegrown application databases.
Internet Explorer® Plug-in: uses unique Web URL addresses to trigger start and stop events.
Screen Activity-Based: VPI’s Desktop Analytics solution can detect specific start and stop events on the agent’s screen and trigger recording stop/re-start between those events.
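To make the pause/resume mechanism concrete, here is an added example (not VPI's code; the trigger events, frame format and timings are constructed assumptions) that applies pause/resume triggers from a CRM or screen event source to a call's frames so that the card-entry window never reaches stored media, including the case where a pause is never followed by a resume before the call ends:

```python
"""Added example (not VPI's code): apply pause/resume triggers to a recorded
call so that the segments carrying card data are omitted from stored media."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    t: float          # seconds from call start
    payload: bytes    # audio/screen sample (constructed placeholder)

def redaction_windows(events, call_end):
    """Turn ('pause'|'resume', t) triggers into [start, end) windows to drop.
    An unmatched pause runs to call_end; a second pause before a resume is ignored."""
    windows, open_at = [], None
    for kind, t in sorted(events, key=lambda e: e[1]):
        if kind == "pause" and open_at is None:
            open_at = t
        elif kind == "resume" and open_at is not None:
            windows.append((open_at, t))
            open_at = None
    if open_at is not None:          # fail closed: drop everything after a stray pause
        windows.append((open_at, call_end))
    return windows

def record(frames, events, call_end):
    """Return the frames that reach storage: everything outside the windows."""
    windows = redaction_windows(events, call_end)
    return [f for f in frames if not any(s <= f.t < e for s, e in windows)]

# Constructed sample: a 10-second call, one frame per second; the CRM signals
# card entry from t=3 until t=6 via the web API trigger.
FRAMES = [Frame(float(t), ("frame%d" % t).encode()) for t in range(10)]
EVENTS = [("pause", 3.0), ("resume", 6.0)]

def kept_timestamps(frames=FRAMES, events=EVENTS, call_end=10.0):
    return [f.t for f in record(frames, events, call_end)]

if __name__ == "__main__":
    print(kept_timestamps())  # [0.0, 1.0, 2.0, 6.0, 7.0, 8.0, 9.0]
```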

PCI DSS Certified Virtual Agents Process Credit Cards

VPI VirtualSource™ provides a scalable workforce in the cloud that can securely capture sensitive credit card information so that human agents never have to do so. VPI VirtualSource leverages hosted virtual call agents that have been certified PCI DSS compliant by a Qualified Security Assessor (QSA).

VPI VirtualSource does not store sensitive personally identifiable information (PII) such as Social Security numbers, credit card numbers, CVVs and expiration dates. If required, we collect it during a call and pass it to your back-end systems for processing through an encrypted channel, without recording or storing it. Sensitive PII is never recorded, is always encrypted when transmitted over the internet (generally using SSL (HTTPS), SFTP, etc.), and is omitted from log files.

VPI VirtualSource is a hosted solution with no setup fees and no capital investment to get started: only a low per-minute rate with a monthly minimum number of transactions.

Access to Playback of Interactions Limited by Security Roles

Many organizations review calls for quality assurance purposes and need to limit user access to specific types of recorded calls, such as those involving financial transactions. VPI offers role-based access to recordings for playback, selectively limiting user privileges according to administrator-definable criteria. Authorized playback provides access only to those sections of recordings that do not include any regulated credit card information. Any user access to data and recordings requires a secure login. All user passwords are encrypted and securely stored, per PCI DSS 3.0 requirements.

Maximum Security to Ensure Compliance with PCI DSS Requirements

To further ensure maximum security and compliance with PCI DSS requirements, VPI also provides:

Encrypted Storage and Transmission of All Data across Open Networks

The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm. VPI supports AES-256 data and file encryption with strong cryptography, as well as secure protocols including Secure Sockets Layer / Transport Layer Security (SSL/TLS) and Internet Protocol Security (IPsec), to provide secure storage and transmission of all recorded voice and screen recordings and associated data over the network. (PCI DSS Requirement 4.1)

Using Strong Cryptography for System Login with a Unique ID and Password for Each User

The system requires user authentication with a unique User ID and password before access is permitted. Password complexity can be managed via Active Directory integration. The system tracks all user data-access activity by User ID, date, activity type and the ID of each recording accessed, showing who has logged into the system, searched for calls, played back or exported calls, and when. The status and history of all activities can be reported on, used to trigger rules-based alerts, and monitored in heat maps that present audit log data in a visual, easy-to-analyze manner. (PCI DSS Requirements 2.3, 8)

Detailed Audit Log Tracks and Monitors All Access to Network Resources and Applications

This is achieved by providing a detailed audit trail of all user activities that links specific actions to specific users and specific recordings, giving a high degree of visibility and transparency so that organizations can conduct full trace audits to determine who accessed any recording in the system and when, whether for playback, export, or any other critical event. (PCI DSS Requirement 10) The VPI system also provides an interface for reconstructing multi-call events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type, and visualized in heat maps by category. (PCI DSS Requirement 10.2)
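The role-limited playback described under "Access to Playback of Interactions Limited by Security Roles" and the audit trail described in the two sections above fit together in one small service. The following is an added example (not VPI's code; the role table, recording layout and field names are constructed assumptions) in which every access attempt, allowed or denied, is written to the audit log with User ID, timestamp, activity type and recording ID, playback returns only the non-regulated sections, and the log can be traced by user or activity type:

```python
"""Added example (not VPI's code): role-gated playback that returns only the
non-regulated sections of a recording and writes one audit row per attempt."""
from datetime import datetime, timezone

# Hypothetical role table: the activity types each role may perform.
ROLES = {
    "qa_reviewer": {"search", "play"},
    "supervisor": {"search", "play", "export"},
}

class Recording:
    """Segments are (start_s, end_s, regulated); regulated spans hold card data."""
    def __init__(self, recording_id, segments):
        self.recording_id = recording_id
        self.segments = segments

class PlaybackService:
    def __init__(self):
        self.audit_log = []  # user id, timestamp, activity type, recording id, outcome

    def _audit(self, user_id, activity, recording_id, allowed):
        self.audit_log.append({"user_id": user_id, "activity": activity,
                               "recording_id": recording_id, "allowed": allowed,
                               "when": datetime.now(timezone.utc).isoformat()})

    def _authorize(self, user_id, role, activity, recording_id):
        allowed = activity in ROLES.get(role, set())
        self._audit(user_id, activity, recording_id, allowed)  # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not {activity} {recording_id}")

    def play(self, user_id, role, rec):
        self._authorize(user_id, role, "play", rec.recording_id)
        # Regulated spans never reach the player, whatever the caller's role.
        return [(s, e) for s, e, regulated in rec.segments if not regulated]

    def export(self, user_id, role, rec):
        self._authorize(user_id, role, "export", rec.recording_id)
        return rec.recording_id

    def trace(self, user_id=None, activity=None):
        """Full trace audit: rows filtered by user and/or activity type."""
        return [r for r in self.audit_log
                if (user_id is None or r["user_id"] == user_id)
                and (activity is None or r["activity"] == activity)]

# Constructed sample: a 30-second call whose 10-18 s span holds card entry.
SAMPLE = Recording("rec-0001", [(0, 10, False), (10, 18, True), (18, 30, False)])
```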