PCI-DSS Standards. Are You Compliant?
Our call recording software, VPI, meets PCI standards and is compliant with FSA regulations.
Payment Card Industry and Data Security Standard Requirements
In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, established the PCI Security Standards Council in September 2006. The aim of the council was to establish a set of rules that merchants and service providers must comply with in order to accept payments through the credit and debit card apparatus set up by the card vendors.
While the council is managed by the card industry, membership is open to any organisation that participates in the payment processing system, including merchants, processors, POS vendors and financial institutions. The council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data.
The PCI regulations specifically forbid storing unencrypted credit card numbers, PINs and other specified identifiers. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over 1 million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to review their information security procedures and to scan their Internet points of presence on a regular basis. However, no organisation that accepts cards issued by the founding members of the council is exempt from compliance.
Reasons for Compliance
PCI-DSS is not a governmental regulatory requirement. Merchants and service providers that do not comply are in breach of their contracts, which can result in termination of card acceptance privileges and subsequent business losses. Many states in the USA, and also some countries, have enacted PCI-DSS data security laws of one kind or another; others are in the process of formulating legislation. While the standard is primarily aimed at cardholder information held in databases, contact centres can easily become unwitting violators, because card data is collected and entered into order-entry systems, and private customer information is captured in call- and data-recording systems. Unless agents are specifically authorised to see this information, their unrestricted access to it is a violation of PCI-DSS and an unnecessary risk exposure. You can avoid potential violations by ensuring that your systems mask and mute card information, and by investing in recording technology that blocks or encrypts recordings that contain card numbers. Your recording software should be able to encrypt, mask or mute card data in voice recordings and archived computer screen recordings.
For the most up-to-date guidelines and a copy of the standards, visit the PCI Security Standards website.