VPI, the premier global provider of interaction recording and analytics, contact center quality management and workforce optimization solutions for enterprises, trading floors, government agencies, and emergency service providers, today announced the availability of its latest interactions recording solution designed to meet strict new Payment Card Industry Data Security Standard (PCI DSS) requirements
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. Announced in January 2010, PCI DSS requirement 3.2 states that organizations must not store sensitive authentication data subsequent to authorization – even if encrypted. Sensitive authentication data consists of magnetic stripe (or track) data, card validation code or value, and PIN data. This data is deemed particularly sensitive as it can be used to generate fake payment cards and create fraudulent transactions.
The PCI SSC's full statement as of February 2010 reads:
This response is intended to provide
clarification for call centers that record cardholder data in audio
recordings, and applies only to the storage of card validation codes
and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment
is a violation of PCI DSS requirement 3.2 to store any sensitive authentication
data, including card validation codes and values, after authorization
even if encrypted.
is therefore prohibited to use any form of digital audio recording
(using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2
or CID codes after authorization if that data can be queried; as card data can easily be extracted
using freely available software.
an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an
analog format after authorization is allowed; as these recordings
cannot be data mined easily. However the physical and logical protections
defined in PCI DSS must still be applied to these analog call recording
recording solutions that prevent the storage or facilitate the deletion
of CAV2, CVC2, CVV2 or CID codes and other card data are commercially
available from a number of vendors. All other recordings containing
cardholder data captured by call centers must be protected in accordance
with the PCI DSS, including PCI DSS requirement 3.4.
"The new PCI DSS requirement is requiring organizations that handle credit card transactions over the phone to delete all recorded audio containing sensitive authentication data from their archives," said Mike Mercadante, vice president of product management and CTO at VPI. "In order to comply with these new regulations, many organizations will be forced to delete all of these verbal receipts because the process of listening to the contents of potentially hundreds of thousands of call recordings would be cost prohibitive and labor intensive. Unfortunately, the many calls that do not contain sensitive data will also be deleted -- calls that should be retained for quality assurance (QA) purposes and liability management.
The VPI CAPTURE PRO™ call recording solution leverages unique desktop screen analytics that can detect events and data directly from application screens – such as an employee entering sensitive credit card authentication data into a field on screen – and tags them to the recorded interactions. This enables automated classification for deletion or muting and masking of all audio and video recording files containing sensitive authentication data and helps ensure compliance with the latest PCI DSS regulations. As an added bonus, VPI CAPTURE PRO can retain non-sensitive data related to the interaction – such as call date/time, call direction, Customer ID, Agent ID, sales or collections amount, number of transfers and hold time. Instead of being deleted along with the sensitive audio and screen recordings, this valuable data is made available in interactive reports for analysis into key business issues and opportunities. For more information on VPI’s compliance recording solution, visit: http://www.VPI-corp.com/PCI
"It can be very challenging for many organizations to comply with increasingly strict PCI DSS regulations," said Mercadante. "Most organizations are very aware of the value of their recorded interactions – particularly for QA and liability management. The VPI CAPTURE PRO recording solution gives them the best of both worlds – the peace of mind that comes from ensuring PCI compliance, along with a wealth of business intelligence and crucial verbal receipts essential for the ongoing success of any organization."
VPI (Voice Print International, Inc.) is the premier provider of integrated interaction recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,200 customers in 50 countries. VPI’s award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder™, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere – all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, visit http://www.VPI-corp.com. To follow VPI via Twitter, visit http://Twitter.com/VPINews
The information provided here is believed to be accurate, but is presented
without express or implied warranty and is subject to change without
notice. Please do not rely on this information as legal advice. We recommend
seeking confirmation from your legal counsel.