
Page 1: PCI Redaction: Compliance Reimagined · Tethr’s machine powered redaction takes the guesswork out of PCI compliance, rendering call recordings “out of scope” for all PCI compliance

WHITE PAPER

PCI Redaction: Compliance Reimagined

In-depth review of call recording compliance management and Tethr Redaction capability supporting PCI DSS 3.2

Stay call recording compliant with new PCI standards

Authored by: William Thayne, Tom Shepherd, Aaron Mickelson, Armando Lemus & Allen Neff
Published: April 2018

Introduction

PCI DSS 3.2 further expanded and clarified the provisions on call recording and their impact on PCI compliance. Specifically, these sections focus on the storage of, and access to, sensitive cardholder data as it arises in the regular business rhythms of many call centers.

Requirement 3 of PCI DSS 3.2 specifically regulates the storage of cardholder data and outlines the requirements for rendering any stored data unusable. Collectively, these current standards represent a significant challenge for companies whose call recordings contain cardholder data. Companies found negligent in their compliance efforts face significant financial and regulatory risks.

Tethr has further expanded its enterprise-class security standards to strengthen clients’ position with the achievement of PCI v3.2 Level 1. The combination of HIPAA compliance, HITRUST certification and the new PCI standards for the cloud-based platform reflects the company’s unwavering commitment to data security and compliance on behalf of its clients.

Tethr not only securely delivers content to and through its platform, but actually makes client data more secure with its unparalleled redaction capability. Where most service providers simply mask data, or lack the capability to eliminate it from both audio and transcript, Tethr automatically redacts that content from both forms of media, completely eliminating the information.

Consider the in-depth issues outlined throughout this paper; they make clear the stringent nature of today’s security requirements and show how Tethr helps companies navigate and adhere to each and every standard.

Learn more at: tethr.com or (512)-910-4440 | ©2018 CollabIP, Inc. All rights reserved.

PCI Data Security Standard (DSS)

PCI DSS 3.2 & Call Recording

PCI DSS 3.2 further expanded and clarified the provisions on call recording and their impact on PCI compliance. Specifically, these sections focus on the storage of, and access to, sensitive cardholder data as it arises in the regular business rhythms of many call centers. Below we highlight the specific areas of Requirement 3 in the new standards that affect how calls are recorded and stored for use by the business.

Requirement 3 of PCI DSS 3.2 specifically regulates the storage of cardholder data and outlines the requirements for rendering any stored data unusable. These regulations were put into effect to protect cardholders in the event of a breach. Call recording data, while perhaps not a customer’s first thought, traditionally contains all of the information an impostor needs to commit fraudulent acts with an unsuspecting individual’s information. The sections of PCI DSS 3.2 relevant to call recording are listed in the next section.

It’s important to note that PCI compliance requires complete compliance with all aspects of the standard; otherwise, companies found negligent in their compliance efforts risk the following:[1]

• Fines and penalties
• Termination of the ability to accept payment cards
• Legal costs, settlements, and judgements

Tethr compliance lets you outsource risk and cost

Tethr’s machine powered redaction takes the guesswork out of PCI compliance, rendering call recordings “out of scope” for all PCI compliance audits. Not only does Tethr’s redaction service meet all new requirements, customers also benefit from the hosted PCI compliant platform with searchable call playback and analytics. Simply put, Tethr’s model lets you outsource the risk and cost of PCI DSS call recording compliance.

Tethr’s total redaction & purging capability

Tethr designed an automated redaction method for purging sensitive information to ensure uniform compliance with current and evolving industry standards. The Tethr platform employs a highly sophisticated automated redaction system for processing call center audio and transcription data. The Tethr process for automatically purging sensitive information from call audio involves the following steps:

1. Audio isolation & processing of recorded calls
2. Detection of potentially non-compliant elements
3. Classification of detected elements using customizable libraries
4. Purging PCI content
5. Archival and secure storage of purged calls
6. Presentation of hosted, searchable playback & analytics

Most vendor compliance methods fall short, without you knowing

While many call recording platforms provide their own process for PCI compliance, most of these solutions fall short of full compliance due to limited functionality, a requirement for agent involvement to succeed, or an inability to control or track where in a recorded call cardholder data may appear. Additionally, and unbeknownst to you, vendor solutions may not be meeting all new PCI DSS 3.2 requirements for completely identifying and preventing storage of cardholder data.

[1] PCI DSS Quick Reference Guide – https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

PCI DSS 3.2 REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA[2]

3.1 Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.

3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

3.4 Render PAN unreadable anywhere it is stored, including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.

3.5 Document and implement procedures to protect any keys used for encryption of cardholder data from disclosure and misuse.

3.6 Fully document and implement key management processes and procedures for cryptographic keys used for encryption of cardholder data.

3.7 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

TETHR MEETS PCI DSS 3.2 CALL RECORDING REQUIREMENTS

3.1 Tethr uploads sensitive cardholder data securely over a TLS encrypted channel to our PCI compliant platform, where redaction is performed. After upload is confirmed, call audio can be purged from temporary storage locations.

3.2 The Tethr platform purges sensitive cardholder PCI-related data from calls prior to final resting place storage and user accessibility.

3.3 Traditional call recording platforms offer a screen recording or capture feature. This provides business value, but at great cost to the integrity of PCI compliance: screen capture features risk both storing and displaying PAN information to individuals with access to the system. Solutions from some vendors that simply mask playback of PAN-related content recorded to disk are non-compliant. Due to these challenges with screen recording, Tethr does not natively support screen recording and does not store screen captured PAN-related content.

3.4 Tethr uses strong encryption for any location where calls are temporarily held during machine-based processing. Tethr's redaction engine removes and purges every utterance of sensitive cardholder data from the call audio and transcript prior to final storage and user access.

3.5–3.7 Tethr's hosted platform is PCI Level 1 certified. All security practices and policies are fully documented and available to customers. Documentation is regularly updated, and all employees must complete annual training and sign off on these policies.

[2] Why Security Matters – https://www.pcisecuritystandards.org/pci_security/why_security_matters

Managing PCI Compliance

While many call recording platforms provide their own process for PCI compliance, for the most part these solutions fall short of full compliance due to limited functionality. Two of the most popular methods are highlighted below, including how they fall short of providing full compliance.

Why vendor compliance methods fall short

AGENT INITIATED RECORDING PAUSE

In this method, agents are provided with a pause button that they press manually during situations where PCI data is being communicated. This falls short of full compliance for a number of reasons:

1. Agents can sometimes miss pausing the recording in time, and card details can slip through into a recording.
2. Callers are not inherently aware of the need to pause a recording and will occasionally speak their card number before an agent is prepared to pause the recording.
3. Agents can use this pause button outside the scope of PCI to hide other aspects of a call from their quality assurance reviewers.

PCI DSS does not approve of manual intervention by staff for compliance.[3]

DESKTOP ANALYTICS

In this method, desktop analytics packages are deployed to all user workstations; they monitor cursor fields and automatically pause recordings when the cursor falls into a PCI regulated field or a specific screen/web page is displayed. This falls short of full compliance for reasons similar to those seen with agent initiated pausing:

1. Callers may speak sensitive information before an agent has the ability to move their cursor/navigate to a protected portion of their CRM or other system.
2. Due to the nature of this intervention, these details will be included in the recording.

PCI DSS does not approve of manual intervention by staff for compliance.[3]

Tethr’s AI-powered redaction engine for PCI compliance

To meet full compliance with modern PCI DSS standards, a solution must never store or make available sensitive cardholder data. Furthermore, the removal of this information must be complete, must render it “non-queryable”, and cannot rely on manual intervention. Tethr AI-powered redaction takes all of the guesswork out of PCI compliance and renders call recordings “out of scope” for all PCI compliance audits due to the following features:

1. Zero manual intervention required to process redaction. Agents are not encumbered with the responsibility of manually pausing recordings or ensuring that their cursors are in the correct fields prior to asking for cardholder data. This allows for a more natural agent experience and does not add to handle time, affording a more effortless experience.
2. PCI sensitive data is never stored. PCI standards dictate that cardholder data cannot be stored even if encrypted. Our automatic machine-based redaction engine removes all sensitive data before it is committed to disk.
3. Tethr takes the guesswork out of PCI compliance. Because a machine listens to 100% of the calls and removes any sensitive data, there is no need to worry about something slipping through the cracks and showing up as an audit finding. With automatic redaction on 100% of the calls, call recordings are now out of scope of a PCI audit.
4. Tethr (through its redaction and secure storage process) renders cardholder information unusable to the top layer UI and does not store this information to disk.

[3] Information Supplement: Protecting Telephone-based Payment Card Data – https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

Tethr’s Unrivaled Redaction System

Tethr redaction was designed from the ground up to ensure uniform compliance with current and evolving industry standards. Tethr’s automated machine redaction is a core feature for purging PCI information contained in call recordings.

The Tethr platform employs a sophisticated automated redaction system for processing call center audio and transcription data. The Tethr process for purging sensitive information from call audio involves the following logical stages:

1. Audio Isolation & Processing
2. Detection
3. Classification
4. Purge
5. Archival
6. Presentation

(Figure: Tethr call redaction process)

Building blocks of compliance

AUDIO ISOLATION & PROCESSING

A critical step in the Tethr process is to transfer call audio from potentially insecure or non-compliant sources to the Tethr hosted PCI compliant platform. Incoming audio is prepared for transcription in several stages. The audio may be passed through a stage of speaker detection and separation known as diarization. This is done for calls recorded with more than one participant in a single audio channel. The diarization process detects each participant by identifying the unique audio characteristics of each voice in the call. Each participant’s audio is then separated into its own channel for processing. To perform this process, the audio is transferred to a diarization server via a secure connection. The diarization server detects the number of speakers in the call and identifies the time regions during which each speaker was talking. The regions are then used to split the audio into multiple channels, placing each speaker in their own channel.

The audio for each channel is separately broken into smaller segments based on brief intervals of relative silence. These segments, known as utterances, are then submitted to transcription providers via secure connections.

The diarization, channel separation, utterance segmentation, and transmission to the transcription providers are performed entirely within the server’s volatile memory.

Results from the transcription providers are collected and assembled into a complete call transcript. Each word in the transcript includes starting and ending timestamps, which allow it to be matched with the audio from which it was created. Associating individual word timings from the transcript with the audio stream is essential to the redaction process.

DETECTION

The first step in PCI redaction is to tokenize incoming words and word sequences into several general classes: Common Words, Key Words, Number Words, Digits, Numbers and Number Modifiers. In this context, common words are those words which do not fall into any of the other classes.

Key Words are individual words or word sequences specific to the type of information being redacted. In the case of credit card information, words such as "credit", "debit", "card", "number", "Visa", "security", "code", "expiration" and "date", occurring alone or in specific sequences, indicate the possible presence of credit card data.

Number Words are words representing numbers or individual digits, such as "one", "two", "ten", "twenty" and so on. In addition to identifying specific number words, homophones (words which sound the same as, or similar to, number words) are also identified. For example, the words "won", "too" and "for" may actually be errors in transcribing the words "one", "two" and "four" respectively. Such words are treated as potential number words during detection when they occur in the context of key words and number sequences.

Digits and Numbers are literal values in text form, such as 1, 10, 25, 150, etc. How numbers are transcribed depends heavily on the formatting of the transcription results, so both literal numbers and number words are taken into account during detection.

Number Modifiers are words such as "hundred", "thousand", etc. which alter the value of the preceding digits and numbers within an utterance.

Once words in the transcript have been tokenized into the aforementioned classes, the number words are parsed and converted into literal digit sequences. For example, "one zero zero", "one hundred", "100", and "1 hundred" all convert to the digit sequence 1, 0, 0. In this manner, all numerical values in word or literal form are converted into uniform digit sequences for use in the detection process.

When a credit card number is given during a call, often the agent will ask for a "credit card number" or "card number", or the customer may say something along the lines of "here is my card number" or "my card number is". These constitute a variable sequence of keywords which are closely followed by a series of digits or numbers.

The agent may then ask for the "expiration" or "expiration date", or the customer may say "the expiration date is", followed by the name of a month or a pair of numbers such as "ten", "two thousand twenty-one" or "October of twenty-one". In addition to these elements, the agent may ask for, or the customer may offer, the "security code" or "code" followed by a 3-digit number. Additionally, the agent may repeat the numbers spoken by the customer, during or after the customer's utterances, for confirmation.

The specific sequence of keywords and numbers which make up the exchange of a credit card number often varies from one call to another, so the system must be highly robust with respect to how the information is presented in any given call.

CLASSIFICATION

Classification is based on the presence or absence of keywords and numbers in various sequences. Distances between these components, measured in words, are also taken into account during the classification process, because non-relevant words and vocalizations may be interjected into a sequence as part of normal speech without significantly altering its meaning. Keyword and number sequences occurring in a context consistent with the presence of sensitive information result in redaction. The number sequence itself is treated as a general sequence of digits rather than a specific numerical value. In this context, the digit count of a sequence is by far the most important factor for identifying information to be redacted. As the length of a digit sequence may vary due to transcription errors and other factors, an exact match for the number of digits expected is not required. In a long number sequence like a social security number, for example, it is quite likely that some of the numbers will be mistranscribed as non-numbers. For this reason, the context of the number sequence is very important for classification.

Some contexts may be considered stronger than others, based on the number and strength of keywords encountered. The stronger the context of a number sequence, the less strict the matching requirement needs to be, and vice versa. For example, in a strong credit card context a number 9 digits long will be redacted, while in a neutral context the number must have at least 13 digits before it will be redacted. Such parameters are configurable to accommodate the specific information to be redacted and the level of security required.

Classification is based on a set of branching logical rules defining sequences of numbers and key words, and the relative distances between them. These rules can be general, or they can be customized to meet different requirements. Word lists and their relative importance, distances between words and numbers, and digit sequence length requirements are all configurable to achieve optimal results. Different combinations of branches in the rule set allow the system to handle the various ways that sensitive information may be spoken.

Additional heuristics are used during sequence evaluation to account for sequence variations and intervening words or utterances within the sequence. When the logical value for a sequence of elements evaluates to “true”, based on the rule set, all the associated words and elements are classified as sensitive information. All elements in the sequence are then selected for redaction. The final output of this stage is a list of time frames to be redacted, along with a reason for the redaction based on the sequence classification. By default, the categories redacted are credit card numbers and their associated security codes (CAV2/CVC2/CVV2/CID).[3] Optionally, bank and check numbers, as well as social security numbers, can be redacted, depending on the rules used and how the system is configured. The redaction occurs in two passes. During the first, the aforementioned rules are applied. A second pass checks for remaining numbers that fully or partially match numbers redacted during the first pass and removes them. This allows the system to handle cases where the number is repeated outside of its expected context.
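As an added illustration of the Detection and Classification stages described above (example code written for this page, not Tethr's engine), the following Python tokenizes a timed transcript into the token classes, normalises spoken numbers to digit sequences, scores the keyword context to choose the digit-count threshold, and runs the second pass for repeated numbers. The keyword weights, context window and the 9/13 thresholds are assumptions chosen to match the figures quoted above, and the call fragment is constructed.

```python
# Toy version of the Detection and Classification stages described above. Added
# example, not Tethr's code: token classes, digit normalisation and the two-pass
# rule follow the text; weights, window and the 9/13 thresholds are assumptions.
KEY_WORDS = {"credit": 2, "debit": 2, "card": 2, "visa": 2, "security": 2,
             "code": 1, "number": 1, "expiration": 1, "date": 0}
NUMBER_WORDS = {"zero": 0, "oh": 0, "one": 1, "two": 2, "three": 3, "four": 4,
                "five": 5, "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10,
                "eleven": 11, "twelve": 12, "twenty": 20, "thirty": 30, "forty": 40}
HOMOPHONES = {"won": "one", "too": "two", "to": "two", "for": "four", "tree": "three"}
MODIFIERS = {"hundred": 100, "thousand": 1000}
NUMERIC = {"NUM", "DIGITS", "MOD"}


def tokenize(words):
    """Label each (text, start, end) word KEY, NUM, MOD, DIGITS or COMMON; a
    homophone such as "too" becomes a number word only next to another number."""
    toks = []
    for text, _, _ in words:
        w = text.lower().strip(".,?!$")
        kind = ("KEY" if w in KEY_WORDS else "NUM" if w in NUMBER_WORDS else
                "MOD" if w in MODIFIERS else "DIGITS" if w.isdigit() else
                "HOMO" if w in HOMOPHONES else "COMMON")
        val = {"NUM": NUMBER_WORDS.get(w), "MOD": MODIFIERS.get(w)}.get(kind, w)
        toks.append((kind, val))
    for i, (kind, w) in enumerate(toks):
        if kind == "HOMO":
            near = (i > 0 and toks[i - 1][0] in NUMERIC) or \
                   (i + 1 < len(toks) and toks[i + 1][0] in NUMERIC)
            toks[i] = ("NUM", NUMBER_WORDS[HOMOPHONES[w]]) if near else ("COMMON", w)
    return toks


def number_runs(toks, max_gap=1):
    """Group numeric tokens into runs, allowing up to max_gap interjected common
    words ("four four uh four four"); a key word always ends a run."""
    runs, start, last, gap = [], None, None, 0
    for i, (kind, _) in enumerate(toks):
        if kind in NUMERIC:
            start, last, gap = (i if start is None else start), i, 0
        elif start is not None:
            gap += 1
            if kind == "KEY" or gap > max_gap:
                runs.append((start, last))
                start = None
    return runs + ([(start, last)] if start is not None else [])


def to_digits(toks, start, end):
    """Normalise one run to a digit string: "one hundred", "100", "1 hundred"
    and "one zero zero" all give "100"; "twenty one" gives "21"."""
    groups, tens = [], None
    for kind, val in toks[start:end + 1]:
        if kind == "NUM" and tens is not None and val < 10:
            groups[-1], tens = str(tens + val), None        # "twenty" + "one"
        elif kind == "NUM":
            groups.append(str(val))
            tens = val if val >= 20 else None
        elif kind == "DIGITS":
            groups.append(val)
            tens = None
        elif kind == "MOD" and groups:                       # "1 hundred" -> 100
            groups[-1], tens = str(int(groups[-1]) * val), None
    return "".join(groups)


def classify(words, toks, window=6, strong=3, min_strong=9, min_neutral=13):
    """First pass: key words in the window before a run score its context; a
    strong context lowers the digit count required (9, versus 13 in a neutral
    one). A 3-4 digit run after "security"/"code" is a security code."""
    found = []
    for s, e in number_runs(toks):
        ctx = [v for k, v in toks[max(0, s - window):s] if k == "KEY"]
        score, digits = sum(KEY_WORDS[k] for k in ctx), to_digits(toks, s, e)
        if len(digits) >= (min_strong if score >= strong else min_neutral):
            found.append((words[s][1], words[e][2], "card_number", digits))
        elif 3 <= len(digits) <= 4 and {"security", "code"} & set(ctx):
            found.append((words[s][1], words[e][2], "security_code", digits))
    return found


def second_pass(words, toks, found, min_len=4):
    """Second pass: any other run that fully or partially matches a number
    redacted in the first pass is redacted too, whatever its context."""
    redacted, done, extra = {f[3] for f in found}, {f[:2] for f in found}, []
    for s, e in number_runs(toks):
        span, digits = (words[s][1], words[e][2]), to_digits(toks, s, e)
        if span not in done and len(digits) >= min_len and \
                any(digits in r or r in digits for r in redacted):
            extra.append(span + ("repeat", digits))
    return found + extra


def redaction_spans(words):
    """Return (start_sec, end_sec, reason, digits) for every span to purge."""
    toks = tokenize(words)
    return second_pass(words, toks, classify(words, toks))


# Constructed call fragment, not real data, one word every 0.5 s: "too", "tree"
# and "for" stand in for transcription homophones, "uh" is an interjection.
SAMPLE = [(w, i * 0.5, i * 0.5 + 0.5) for i, w in enumerate((
    "my order number is one two three and I want to pay ten dollars by credit card "
    "okay the card number is four one one one too two two two three three tree three "
    "four four uh four four and the security code is seven one for "
    "got it so that's four four four four thanks").split())]
```

On the sample, the 16-digit run after "card number" and the 3-digit run after "security code" are caught in the first pass, the bare "four four four four" only in the second, and the order number and "ten dollars" are left alone.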

PURGE

In the purge phase of the process, words and elements classified as credit card numbers or other sensitive information are removed from the transcript. In addition to redacting information from the transcript, all words and elements classified as sensitive information are removed from the audio stream and replaced with silence. Each word and element in a transcript has associated time-stamps marking the start and end of the word in the audio stream. To remove the words from the audio stream, the section of audio between the start and end time of each redacted word is replaced with silence. Everything within the time frame, including non-numerical expressions, is redacted.

This redaction process is applied to call data, including audio and transcripts, before the data is stored or indexed for search. Applying the redaction process prior to storage and indexing ensures that no sensitive information is ever accessible once it is removed. Thus, sensitive information is removed before it can be accessed, while non-sensitive information is unaffected and can be accessed as needed for quality assurance and other purposes.

ARCHIVAL

After a call is fully redacted, it is placed into the customer’s encrypted private storage instance for permanent archive. Customers can optionally access the redacted call transcript, audio, and related analysis by way of the Tethr Webhooks API. For engineering purposes (development, quality assurance, etc.), whenever a customer transcript is pulled from storage, all numbers in the transcript are replaced with random numbers having the same digit count. This masks and eliminates any potentially sensitive information while still providing working examples of such information. These working examples can then be used for rule creation, test, and evaluation without compromising security.

Rules used for redaction can be created and tuned based on anonymized examples of sensitive information. These rules may be manually customized to meet specific needs or generated automatically using Tethr machine learning technologies. As rule libraries grow they become more accurate, more powerful, and able to accommodate more diverse types of sensitive information. This flexibility in rule creation allows the system to adapt quickly to evolving security standards and needs.

PRESENTATION

When the call is presented in the user interface, any words marked for redaction are no longer present. The UI displays a notice that sensitive information has been removed. The original audio for those time periods is deleted and replaced with silence.
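The following Python is an added example (not Tethr's code) of the Purge and Archival steps above: it silences the audio between the word timestamps of a redacted span, removes those words from the transcript while leaving the removal notice, and produces the engineering copy with every number replaced by random digits of the same count. The sample rate, word timings, the span handed over by classification and the synthetic tone are all constructed.

```python
# Toy version of the Purge and Archival stages described above. Added example,
# not Tethr's code: it silences audio between a redacted span's timestamps, drops
# the words from the transcript, and masks numbers in the engineering copy.
import math
import random
import re
from array import array

RATE = 8000  # assumption: 8 kHz, 16-bit mono telephony audio


def purge_audio(samples, spans, rate=RATE):
    """Replace every sample between a span's start and end (seconds) with
    digital silence. Everything inside the time frame goes, including any
    non-numeric words spoken between the digits."""
    out = array("h", samples)
    for start, end, *_ in spans:
        lo, hi = int(start * rate), min(len(out), int(end * rate))
        out[lo:hi] = array("h", [0]) * (hi - lo)
    return out


def purge_transcript(words, spans):
    """Drop each word whose timing lies inside a redacted span, leaving one
    [REDACTED: reason] marker per span so the UI can show the removal notice."""
    out, current = [], None
    for text, w_start, w_end in words:
        hit = next((sp for sp in spans if sp[0] <= w_start and w_end <= sp[1]), None)
        if hit is None:
            out.append(text)
            current = None
        elif hit is not current:
            out.append(f"[REDACTED: {hit[2]}]")
            current = hit
    return " ".join(out)


def engineering_copy(text, seed=0):
    """Mask every remaining digit run with random digits of the same length, so
    rule development and testing work on realistic but non-sensitive examples."""
    rng = random.Random(seed)
    return re.sub(r"\d+",
                  lambda m: "".join(rng.choice("0123456789") for _ in m.group()), text)


def digits_left(text):
    """Verification helper: the digit runs still present in a transcript."""
    return re.findall(r"\d+", text)


# Constructed inputs, not real call data: (text, start, end) word timings in
# seconds, and the span the classification stage would hand over.
WORDS = [("the", 0.0, 0.5), ("card", 0.5, 1.0), ("number", 1.0, 1.5), ("is", 1.5, 2.0),
         ("4111", 2.0, 2.5), ("2222", 2.5, 3.0), ("uh", 3.0, 3.5), ("3333", 3.5, 4.0),
         ("4444", 4.0, 4.5), ("and", 4.5, 5.0), ("order", 5.0, 5.5), ("number", 5.5, 6.0),
         ("123", 6.0, 6.5)]
SPANS = [(2.0, 4.5, "card_number")]
# 6.5 s of a synthetic 440 Hz tone standing in for the recording.
AUDIO = array("h", (int(3000 * math.sin(2 * math.pi * 440 * i / RATE))
                    for i in range(int(6.5 * RATE))))

if __name__ == "__main__":
    print(purge_transcript(WORDS, SPANS))
    print(engineering_copy(purge_transcript(WORDS, SPANS)))
```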

Summary: The New Security Frontier & Cloud-Based Compliance

As discussed, the identification, sequestration and redaction of sensitive information in business communications is an important part of modern security standards for the handling and storage of confidential data. Information security compliance standards such as PCI, HIPAA, HITRUST and others mandate that sensitive information in different types of business communications and records be safeguarded during both storage and transmission.

An important part of meeting such compliance standards is the ability to redact specific types of sensitive information from all records, both written and electronic. Manual redaction of such information during entry or early processing is a standard industry practice, but it may not always be fully followed. This is due to a variety of factors, including uncertainty around who is responsible, human error in processing vast amounts of digital, audio, and written information, and the failure of vendor solutions to meet current standards requirements.

For this reason, Tethr designed automated redaction as a core feature for purging PCI information, to ensure uniform compliance with current and evolving industry standards. Tethr’s redaction capability introduces a new model that helps customers achieve PCI compliance while outsourcing the risks and costs of doing so.

In addition to meeting PCI DSS standards requirements, Tethr’s redaction service further benefits customers by offering a hosted, PCI compliant platform for archive and playback of calls.

CONTACT US TO LEARN MORE:

TETHR.COM | (512)-910-4440 | [email protected]

Disclaimer: This document is proprietary and confidential. The information contained in it is solely intended for the recipient and may not be used, published, or redistributed without Tethr’s prior written consent, as covered in the existing NDA between the parties.