PCI Compliance Solutions
Safeguarding personal customer information such as credit card data has become a major concern for many organizations. It not only protects your customers, it is also mandatory for complying with the Payment Card Industry Data Security Standard (PCI DSS). In November 2013, the PCI Standards Council announced tightened restrictions on recording and on access to data that must be encrypted if stored (PAN) and data that must not be stored at all (full-track credit card data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks). PCI DSS 3.0 took effect on January 1, 2014. Organizations that do not ensure compliance could face costly fines.
In order to comply with the new PCI Data Security Standard, many organizations will be forced to either abandon call and screen recording or delete all recordings that may contain verbal receipts. Identifying sensitive content in potentially hundreds of thousands of recordings through manual review would be too laborious and cost-prohibitive.
VPI offers three reliable and cost-effective solutions to help you ensure compliance with PCI DSS requirements:
To further ensure maximum security and compliance with PCI DSS requirements, VPI also provides:
The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm. VPI supports AES-256 data and file encryption with strong cryptography, as well as secure protocols including Secure Sockets Layer/Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPsec), to provide secure storage and transmission of all voice and screen recordings and associated data over the network. (PCI DSS Requirement 4.1)
The system requires user authentication with a unique User ID and password to permit access. Password complexity can be managed via Active Directory integration. It tracks all user data-access activities within the system by User ID, date, activity type and ID of each recording accessed – displaying who has logged into the system, searched for calls, played back or exported calls, and when. The status and history of all activities can be reported on, used for triggering rules-based alerts, and monitored in heat maps that present audit log data in a visual, easy-to-analyze manner. (PCI DSS Requirements 2.3, 8)
This is achieved by providing a detailed audit trail of all user activities that links specific actions to specific users and specific recordings. The resulting high degree of visibility and transparency lets organizations conduct full trace audits to determine who accessed any recording in the system and when, whether for playback, export, or any other critical event. (PCI DSS Requirement 10) The VPI system also provides an interface for reconstructing multi-call events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type, and visualized in heat maps by category. (PCI DSS Requirement 10.2)