8/4/2019 VPI - Call Recording Guide to PCI-DSS Compliance by Pelorus Associates
Table of Contents
Introduction
Cyber Crime
Contact Centers and Identity Theft
Payment Card Industry Response
PCI-DSS Requirements Impacting Call Recording
Other PCI-DSS Requirements that Impact Call Recording
Alternative 1 - Cease Recording
Alternatives 2 and 3 - Agent-driven Compliance
Alternative 4 - Transfers to Third Party Devices
Alternative 5 - Do Nothing
Alternative 6 - Invest in Intelligent Call Recording Systems
VPI Solution
Consequences of Non-Compliance
Advisable Best Practices
Advisable Best Practices for Securing At-Home Agents
Dilemma for Contact Centers
Telemarketing Sales Rule
FSA Rules
BASEL II
Sarbanes-Oxley Act
Gramm-Leach-Bliley Financial Services Modernization Act
TILA and FDCPA Acts
Barclaycard Guidance
Executive Summary
About the Author
About VPI
Introduction
Identity theft was the number one source of consumer complaints to the Federal Trade Commission (FTC) in 2007. Estimates by private market research firms peg the incidence of identity theft as high as 15 million consumers. The most common form of identity theft, according to the FTC, is the misuse of credit and debit card accounts. Approximately 3.4 million adults can expect to have their payment card data compromised every year. When credit card identities are stolen, it's not just the credit card companies that are left holding the bag; cardholders often face economic losses, lengthy legal battles and struggles to re-establish clean credit records. While for most consumers the impact is modest, according to the FTC one out of twenty victims suffers median out-of-pocket losses of $400 and spends 60 hours trying to clean up the mess that resulted.
Cyber Crime
For today's high-tech thieves, software is a much more productive and arguably less risky way to take other people's money than dumpster-diving for card receipts or picking pockets. A class of software known generally as malware can creep unnoticed into databases and extract hundreds of thousands of account identifiers. Malware is also spread by propagating a worm or virus or by making the malware available on a web site that exploits a security vulnerability. Common techniques include phishing, key and screen loggers, and SQL injection attacks. According to The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, a report published by the U.S. Department of Homeland Security in 2006, "Credible estimates of the direct financial losses due to phishing alone exceed a billion dollars per year."
The largest security breach to date was disclosed in January 2009. The case involved Heartland Payment Systems Inc. Heartland processes more than 100 million card transactions per month for 250,000 clients. On August 17, 2009 Albert Gonzalez, 28, of Miami, Florida was charged by the Department of Justice with stealing data from 130 million debit and credit card holders. According to the indictment, Gonzalez and international co-conspirators used an intricate hacking technique called an SQL injection attack, which seeks to exploit a computer network by finding a way around firewalls to steal credit and debit card information. It turns out that Gonzalez and his thugs were also responsible for the highly publicized intrusion of TJ Maxx cardholders. Heartland expensed $144.2 million to consummate the settlement of claims.
Contact Centers and Identity Theft
Contact centers can become unsuspecting targets of cyber criminals. Outbound telemarketing centers, inbound centers that engage in up-selling and/or cross-selling, service providers, and collection companies always take payment in the form of credit or debit cards. The card information is entered into a CRM or other sales automation software and recorded by voice and screen recorders. And there it resides - thousands and even millions of card records inviting remote criminals or even greedy employees to extract for personal gain or sell into a sophisticated secondary market.
Think it can't happen?
An investigative reporter from the BBC (British Broadcasting Corporation) posed as a fraudster seeking to buy credit card records from a fence in Delhi. The Indian conspirator offered to sell details on hundreds of plastic cards for $10 each. The video shows a buy being made and money changing hands. The reporters bought 50 cards as a sample with the hint that a larger buy would follow if the cards checked out. The names were later traced to a call center taking service calls for U.S.-based Symantec Corporation.
In the first example, Symantec followed up with a thorough investigation of the underground economy. Among the findings from their 68-page report was that the BBC reporters grossly overpaid for customer card data. Quoting from the report, "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)."
Also in India, local police in the city of Pune arrested 12 persons associated with a call center operated by outsourcer MphasiS for allegedly siphoning off $350,000 from the Citibank accounts of four US citizens. Some employees gained the confidence of customers and obtained their PIN numbers to commit fraud. They did this under the guise of helping the customers out of difficult situations.
In 2006, an employee at the HSBC Data Processing Center in Bangalore, India was arrested for allegedly passing personal customer information. As a result UK bank customers lost approximately USD $425,000. The incident cast a black eye on outsourcing work to India and may affect future projects being considered for India and other parts of Asia.
According to IT Business News, the HSBC incident was brought to notice by some of its customers in England who complained that money was transferred out of their accounts without their knowledge. The lessons from these incidents at HSBC have prompted several security and quality assurance policies aimed to protect customers' sensitive personal information. A dedicated team of compliance officers has been specially trained and deployed to ensure that breaches in security and access of customer information will be minimized.
According to press reports, Alaska Airlines and Horizon Air had to notify 1,500 of their customers that their credit cards may have been misused by a former call center employee. The former employee is alleged to have taken the card information provided by some of the airlines' customers to pay for reservation changes. Rather than process the payment on behalf of the airlines, the individual is alleged to have diverted the funds to a personal account.
Payment Card Industry Response
In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., established the PCI Security Standards Council in September 2006. The aim of the council was to establish a set of rules that merchants and service providers must comply with in order to accept payments through the credit and debit card apparatus set up by the card vendors. While the Council is managed by the card industry, membership is open to any organization that participates in the payment processing system, including merchants, processors, POS vendors, and financial institutions.
The Council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. The original PCI regulations specifically forbade storing primary account numbers (PAN), PIN numbers, service codes, expiration dates, and other specified identifiers unless they met PCI-DSS encryption standards. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the council is exempt from compliance.
While the standard is primarily aimed at cardholder information in databases, contact centers can easily become unsuspecting violators. This is because of the practice of collecting and entering card data into order entry systems and archiving private customer information in call and data recording systems. Initially, the PCI-DSS allowed the voice and data recording and storage of sensitive card information provided that certain safeguards were in place, such as encryption, firewalls, and need-to-know authorizations. The precise levels of encryption are spelled out in the standard, as are the data categories that may be stored when properly encrypted.
PCI-DSS Requirements Impacting Call Recording - Do Not Record Validation Codes
On October 28, 2010 the Security Standards Council issued a clarification that states that it is a violation of the PCI-DSS to store card validation codes and the full contents of any track from the magnetic stripe located on the back of the card. This includes the cardholder's name, the primary account number (PAN), expiration date, and personal identification number (PIN) after authorization, even if encrypted. Note: it is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.
The card validation value code is the three or four digit number that is usually imprinted next to the signature line on the back of the payment card. On American Express cards, the security code is on the face of the card.
The Card Verification Code (referred to as CAV2, CVC2, CVV2, or CID) must not be retained post authorization, cannot be stored in a standard digital audio or video format (e.g. wav, mp3, mpg, etc.), and a proper disposal procedure must be in place. If the recording solution cannot block the audio or video from being stored, the code must be deleted from the recording if it is initially recorded.
Telephone order takers require the validation code as well as the PAN (Primary Account Number) and expiration date in order to secure authorization from the card issuer. Without that number, cyber thieves cannot make eCommerce purchases or illegally transfer funds out of the cardholder's accounts. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms.
When it is absolutely necessary that your organization retain card verification codes, you will need to demonstrate to your QSA (Qualified Security Assessor) and your acquiring bank that:
You perform, facilitate or support issuing services - it is allowable for these types of organizations to store sensitive authentication data only if they have a legitimate business need to store such data. It should be noted that all PCI-DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI-DSS and specific payment brand requirements.
Other Important PCI-DSS Requirements that Impact Call Recording
Requirement 4 and Subsection 4.1 require that strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) be used to safeguard cardholder data during transmission over open, public networks.
Requirement 7 and Subsection 7.1 require that access to computing resources and cardholder information be limited to those individuals whose job requires such access, e.g. for strong business reasons. Organizations should create a clear policy for data access control to define how, and to whom, access is granted.
Requirement 7 and Subsection 7.2 require organizations that accept payment cards to establish a mechanism for systems with multiple users that restricts access based on a user's need-to-know and is set to deny all unless specifically allowed.
Requirement 8 and Subsection 8.1 require organizations that accept payment cards to assign a unique ID to each person with computer access before allowing them to access system components or cardholder data.
Subsection 8.3 requires two-factor authentication for remote access to the network by employees, administrators and third parties.
Subsection 8.5 requires proper user authentication and password management for users and administrators on all system components.
Subsection 8.5.16 requires organizations that accept payment cards to authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
The latest PCI-DSS standards require that the PAN be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
One-way hashes based on strong cryptography (the hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of the PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
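As an added illustration of the one-way hash and truncation options listed above and of the note about correlating the two forms (example code, not from the original guide or from VPI): the functions below produce the PCI-style truncated PAN, count how many Luhn-valid PANs remain consistent with it, and contrast an unkeyed SHA-256 hash with a keyed HMAC token, one control that stops the hashed and truncated forms from being matched up as long as the key is stored apart from both. The PAN is the published Visa test number and the key is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed sample: the widely published Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Constructed placeholder key (assumption). In practice the key lives in an
# HSM/KMS and is never stored beside the truncated PANs.
SAMPLE_KEY = b"example-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI-DSS truncation: keep at most the first six and last four digits."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be 13 or more digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """One-way hash of the entire PAN with no key.

    Deterministic: whoever also holds the truncated form can hash every
    candidate middle segment and compare, which is exactly the correlation
    the guide's note warns about.
    """
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256).

    Without the key a stored token cannot be tested against candidate PANs,
    so a keyed token stored beside a truncated PAN no longer lets the two be
    correlated, provided the key is kept apart from both.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches_token(pan: str, key: bytes, token: str) -> bool:
    """Constant-time check of a PAN against a stored keyed token (e.g. to
    recognise a repeat caller's card without storing the PAN itself)."""
    return hmac.compare_digest(hash_pan_keyed(pan, key), token)


def candidate_count(truncated: str) -> int:
    """Number of Luhn-valid PANs consistent with a truncated PAN.

    Each masked digit multiplies the search space by 10, but the Luhn check
    digit (kept in the last four) fixes exactly one masked digit once the
    others are chosen, so 10**(masked - 1) candidates remain. For a 16-digit
    PAN truncated to first six / last four that is 100000, which is why an
    unkeyed hash next to the truncated value is considered trivial to undo.
    """
    masked = truncated.count("*")
    return 1 if masked == 0 else 10 ** (masked - 1)


if __name__ == "__main__":
    truncated = truncate_pan(SAMPLE_PAN)
    print(truncated, "candidates:", candidate_count(truncated))
    print("unkeyed:", hash_pan_unkeyed(SAMPLE_PAN))
    print("keyed:  ", hash_pan_keyed(SAMPLE_PAN, SAMPLE_KEY))
```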
Requirement 10 and Subsection 10.1 require card acceptors to track and monitor all access to network resources and cardholder data and establish a process for linking all access to system components to each individual user.
Requirement 10 and Subsection 10.2 require card acceptors to implement automated audit trails for all system components to reconstruct events such as user access to cardholder data, access to audit trails, use of authentication mechanisms, and the like.
If an important part of the agent's job is to accept and/or solicit sales, then the question becomes: how do we prevent recording and storing of sensitive authentication data and the full contents of any magnetic stripe track?
Available Alternatives
Alternative 1: Cease recording all sales and transaction calls.
Alternative 2: Train agents to disable the recording function when card data is required, then restart after the transaction is completed.
Alternative 3: Require agents to delete the section of the recording that includes the authorization code.
Alternative 4: Third-party devices that require the caller to enter card details via their touch tone pad.
Alternative 5: Do nothing.
Alternative 6: Invest in call recording systems that automatically mask and mute sensitive card details.
Alternative 1 - Cease Recording
The notion of simply halting the practice of recording all calls and related data that may involve the capture of interactions containing sensitive information is certainly an approach that will be compliant. Thieves cannot steal information that was never stored. However, the trade-off is too severe. You must be able to manage call quality, and there are laws and regulations that many centers, particularly outbound, need to comply with. Full-time recording is the only way to measure compliance.
Alternatives 2 and 3 - Agent-driven Compliance
At the final stage of taking credit card data, the recorded agent could transfer the call to an unrecorded extension where a second agent takes aspects of the customer credit card data such as the CVV number for bank verification. Some recording systems allow the agent to manually pause and resume the recording via buttons on their screen or handset.
These approaches may work, but they add a burden to agents and are obviously error-prone. There may also be a question of whether relying on employee actions would pass muster with the payment card council, which prefers solid, technology-based solutions.
Alternative 4 - Transfers to Third Party Devices
There are third party devices that can be bolted onto an existing recorder. This method works by requiring the caller to enter card details manually via the touch tone pad. The idea has merit, since little agent intervention is required and the system automatically masks card entries on the agent screen and blocks the DTMF tones from being recorded. Agents could also transfer calls to an IVR platform for taking such details as CVV for bank verification. The downsides are the paucity of choices, risk of user error, the unnatural interruption of call flow, the need to manage an adjunct device that's not part of an integrated solution, and an added cost per transaction.
Alternative 5 - Do Nothing
The do-nothing option appears to be the favored choice at this point. In the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team, researchers uncovered 90 confirmed breaches within their 2008 caseload encompassing an astounding 285 million compromised records, and 81% of businesses were not Payment Card Industry (PCI) compliant. The most common form of data breach was compromised payment cards, with retail and financial services accounting for six out of ten of the security breaches.
A 2009 poll of United Kingdom call center managers found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a violation of the Payment Card Industry Data Security Standard. Of the 133 call center managers contacted for the survey, only 3 percent indicated compliance with the guidelines. Among the reasons for failing to abide by PCI-DSS, 61 percent said they were unaware of the standards, 18 percent were aware but said they couldn't comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.
Alternative 6 - Invest in Call Recording Systems that Automatically Mute and Mask Sensitive Card Details
A handful of leading call recording vendors have developed truly integrated solutions. With the VPI solution, for example, the recorder uses desktop analytics to monitor application screens in use by the agent during the interaction (to include CRM, sales automation or other applications) to automatically sense when the agent is entering screens or fields where sensitive information must be entered, without the need for a costly back-end integration to those systems.
The VPI Fact Finder desktop analytics application can detect when an agent enters a screen with sensitive information, when sensitive information is inputted, and when they leave a screen containing sensitive information.
The VPI Solution
The VPI recording system then automatically classifies calls containing sensitive cardholder information and provides organizations with four options to help effectively balance their PCI requirements with liability, quality management and other regulatory requirements:
VPI's Four Options
Option 1 - Delete all call recordings with sensitive information but retain valuable non-sensitive interaction data for reporting and analysis
Data about what happened during the interaction often provides more business value than the actual recording itself. Instead of being deleted along with the sensitive audio and screen recordings, valuable data such as call date/time, call direction, total handle time, hold time, Customer ID, Agent ID, DNIS, sales or collections $ amount, number of transfers, or even handle time of key processes within the call that led up to the successful transaction, is made available in interactive reports and analysis of key business issues and opportunities.
Option 2 - Roles-based access to recorded files containing sensitive information
For organizations that are permitted to record entire calls (companies that perform, facilitate, or support issuing services), the VPI solution has the ability to only allow access to call recordings containing sensitive payment card data based on the user's log-in account and corporate role. For example, only compliance officers and senior executives would have access to those recorded files during legal discovery. All other system users would not be able to access the recorded calls (Requirements 3.2 and 8.5).
Option 3 - Roles-based muting/masking upon playback
For organizations required to record calls (e.g. those per 3.2), and who would also like to play back for quality and training purposes, VPI has a solution that allows access to recordings while controlling the access to sensitive information. The solution uses VPI's Fact Finder technology to tag the sensitive events and upon playback mutes the audio and masks the screen video during segments of the call containing sensitive data. Agents, supervisors and QA analysts without full access rights are able to play back the call while hearing and seeing everything that led up to and followed the sensitive transaction, including after-call wrap time. Only authorized users, such as compliance officers or senior managers, would have access to those recorded files in their entirety. (Requirements 3.2, 7.1 and 7.2)
The VPI solution has the ability to mute out the audio and mask out the screen video during segments of the call containing sensitive data upon playback.
Option 4 - Permanent muting/masking during segments of the call containing sensitive info
For organizations that do not have a justifiable need to review or keep entire recordings for liability and other regulatory reasons, VPI is creating a solution to permanently mask and mute sensitive audio and screen video that will comply with the most stringent of the PCI requirements. In this case, the audio and video of segments containing sensitive card holder information will be deleted prior to storage of recordings and unavailable to all system users regardless of user authorization privileges.
NOTE: VPI expects to make this feature generally available in 2011. (Timeline for this feature is subject to change.)
VPI Response to Requirement 4: Encrypt transmission of cardholder data across open networks
The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or home-grown algorithm). VPI supports AES 256 data and file encryption using strong cryptography as well as secure protocols including Secure Socket Layer, Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of recorded voice and screen recordings and associated data over the network. (Requirement 4.1)
VPI Response to Requirement 7: Restrict access to card holder data by business need-to-know
The VPI system is capable of supporting a granular definition of access rights for a large number of user types, which allows for greater control over system user Roles and Privileges, such as the ability to search for and play back media files which contain sensitive data as identified by the VPI Fact Finder desktop analytics tool.
VPI Response to Requirement 8: Assign a unique ID to each person with computer access
The VPI system has unique user system log-in with an audit trail showing who has logged into the system, searched for calls, played back or exported calls, and when. The status of all activities can also be monitored in heat maps that present audit log data in a visual, easy-to-analyze manner.
VPI Response to Requirement 10: Track and monitor all access to network resources and card holder data
This is achieved by providing an audit trail of all user activities linking specific actions to specific users, thereby providing a high degree of visibility and transparency. (Requirement 10.1) The VPI system also provides an interface for reconstructing events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (Requirement 10.2)
Consequences of Non-Compliance
Non-compliance risks revocation of card acceptance privileges and violation of state laws. Loss of card acceptance privileges could easily spell the death knell for retailers, service providers, and collection agencies. In fact, it is difficult to think of any type of business, nonprofit, or government revenue collection entity that does not rely on payment cards. The card issuers have the authority to revoke card privileges through their contracts.
The other possibility is violation of state laws. As of this time, three states (Minnesota, Nevada, and Washington) have codified payment card industry data security standards. Quoting from the Washington state law, "A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach." This requirement is not contingent on the volume of transactions.
The Nevada law requires that companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver's license numbers or account numbers together with passwords must use encryption if they send the information outside of the company. The Nevada law is reported to be the only law that actually mandates PCI-DSS compliance. The language "doing business in the state of Nevada" is very broad and presumably could include companies not domiciled in the state. Other states are considering legislation that would codify PCI-DSS.
Advisable Best Practices
Obviously, if your business or organization accepts payment cards, it is in your best interest to become compliant with PCI-DSS. In addition to the standards, there are many other actions you can take to help prevent breaches of sensitive card and personal information.
1. Work with your information technology department before implementing contact center-specific solutions. Compliance is an organization-wide commitment. IT may have an overall security plan that contact centers must adopt. For example, individuals that require access to archived calls that may include card data must be specifically authorized to access this information.
2. Make sure your order entry, new customer applications, and any other customer databases that your agents frequently access mask out credit, debit, and other sensitive information.
3. Limit the amount of time that card information is kept in the call recording server database (both voice and screen recordings). It may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI-DSS and regulatory compliance requirements (requirement 3.1).
4. Ensure that proper user authentication is implemented for staff, agents and administrators (requirement 3.2).
5. Segment contact center operations so that a limited number of employees have access to payment card data. For example, payment card information can be entered by a sales agent, but a customer service representative may have access only to the masked PAN (requirements 8.1 and 8.5).
6. Be very careful about who you hire. If the agent will be accepting card payments or otherwise be privy to sensitive personal information, conduct a thorough background check before extending an employment offer.
7. Make clear that unauthorized disclosure of sensitive personal information is grounds for termination.
8. If an employee is terminated or resigns, immediately change the password to that individual's workstation. Don't wait until the end of the work day.
9. If you are working with outsourcers, remember that PCI-DSS is an international requirement. The outsourcer must also be compliant.
10. Understand the data security precautions taken by outsourcers.
11. Do not allow thumb drives or any other portable storage devices into your contact center.
12. Agents or other employees should never open emails from unknown sources. This is a favored method by cyber criminals for installing key loggers and other malware.
13. Make sure you maintain strict processes that prevent agents from jotting down card numbers for later entry into the customer database.
14. Contact center agents should be discouraged from revealing their occupation on social networking sites. You don't want them to become unsuspecting targets.
15. Ensure that agents and supervisors do not share user IDs and passwords. Each user must be uniquely identified by their own login credentials. This information should be encrypted when stored in any computer systems.
16. Review your CRM, sales automation, collections and order entry systems to assure that complete card numbers and the security code are not displayed. The security code should never be stored.
17. Find out how your current recording software handles PCI-DSS compliance. Some vendors do not have a solution. Others may require deleting entire interactions that involve card transactions, making it impossible to conduct quality evaluations on these calls or retrieve them for compliance or verification purposes.
18. Restrict access to QA recording and CRM data containing payment card data based on the user's log-in account and corporate role.
19. Ensure that stored recordings are not played back over a speakerphone if payment card information is included.
20. If you are considering a new interaction recording system, look into the approach adopted by VPI. VPI provides encryption at no extra cost. For companies that prefer a more flexible approach, VPI's VPI CAPTURE call recording software can automatically detect when an agent enters a screen where a credit card field is to be filled out and then mask both the voice and screen entries for the duration of the agent's activities while working in those screens. The security code can be permanently deleted from both voice and screen recordings. The system masks the sensitive information in voice and data recordings, which can only be accessed by authorized personnel.
Best Practices for Securing At-Home Agents
Contact center at-home agent programs are rapidly growing in number and size due to their attractive benefits of reducing operational costs, increasing performance and improving the customer experience. However, using at-home or remote workers carries with it a much greater security risk. When utilizing and recording at-home or remote workers, the following are additional advisable practices:
Be sure that the same level of firewall, corporate anti-virus protection, security patches, and definition files are extended to remote agents' and supervisors' PCs. (Requirements 1.4, 5.1 and 6.1)
Remote workers should be forbidden from copying, moving, and storing cardholder data onto hard drives or moveable electronic media when accessing cardholder data. (Requirement 12.3.10)
Ensure that remote agents and supervisors use a two-factor authentication process. (Requirement 8.3)
Use strong network encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of the VoIP voice stream and data over the public network. (Requirement 4.1)
Ensure each at-home agent and supervisor is using a VPN connection into the corporate network with strong encryption protocols such as SSL/TLS. (Requirement 4.1)
Require remote agents and supervisors to encrypt their wireless networks using strong cryptography (Requirements 2.1.1 and 4.1.1). As of June 30, 2010, the Wired Equivalent Privacy (WEP) protocol is no longer permissible for any new wireless implementations (Requirement 4.1). The use of WPA2 is recommended.
If not using an enterprise VoIP-based telephone solution, require agents to use analogue telephone lines when talking with customers.
At-home agents should not use consumer VoIP telephone systems (such as Vonage) because their communications may not be encrypted. (Requirement 4.2)
Ensure that payment card information is never sent over an unencrypted medium such as chat, SMS/text or email or other non-encrypted communication channels.
Ensure that at-home agent and supervisor PCs have personal firewalls installed and operational. (Requirement 1.4)
Ensure that at-home agent and supervisor PCs have the latest approved security patches installed.
Require agents and supervisors to use only company-supplied systems. (Requirement 12.3)
Monitor at-home agents more often than in-house agents. (Requirement 12.3)
Annually review all security policies and procedures with all agents and require at-home agents to acknowledge the security requirements as part of their daily sign-in process. (Requirement 12.6)
Dilemma for Contact Centers
PCI-DSS compliance is only one of a growing list of laws, regulations, and industry standards that contact centers need to consider. There are several regulations that require or strongly recommend that calls be recorded in their entirety:
- Telemarketing Sales Rule
- FSA (Financial Services Authority) Rules
- BASEL II
- Sarbanes-Oxley Act
- Gramm-Leach-Bliley Financial Services Modernization Act
- Truth in Lending Act (TILA) and Fair Debt Collections Practices Act (FDCPA)
Telemarketing Sales Rule
The Telemarketing Sales Rule requires a consumer's express verifiable authorization for use of bank account information to obtain payment through phone checks or demand drafts. This can be done via confirmation by a call recording of the consumer giving authorization or advance written authorization. The recorded authorization and written confirmation must include the date and amount of the draft(s), the name on the account from which the funds will be paid, the number of draft payments authorized, if more than one, a telephone number answered during normal business hours that the consumer can call with questions, and the date of the consumer's authorization. Many states require advance consent of the recorded party; the recorded confirmation must show that the consumer understands and acknowledges each term of the transaction and authorizes it.
FSA (Financial Services Authority) Rules
The United Kingdom Financial Services Authority (FSA) published rules in March of 2009 requiring firms to record telephone conversations and other electronic communications including email and instant messages relating to trading orders and the conclusion of transactions in the equity, bond, and derivatives markets. The rules were established as part of the FSA's efforts to combat market abuse, particularly insider dealing, and to help deter and detect market manipulation and abuse in the United Kingdom. The FSA rules are in accordance with Markets in Financial Instruments Directive (MiFID) general record keeping standards. The rules require organizations to retain their recorded calls and communications for 6 months. This is expected to be longer in future regulations (the initial recommendation was three years). The FSA must be able to access recorded calls readily.
Other regulated organizations involved in retail activities such as banking, insurance, loans or mortgages will still have the option to record calls or keep alternative records; however, recording is likely to become mandatory in the near future. Insurance companies complying with directives such as the Insurers Conduct of Business (ICOB) are already advised to introduce call recording. Companies will also find in 99% of cases the Financial Ombudsman Service will favor the client's word if the organization cannot provide a recorded transcript of relevant telephone calls.
BASEL II
BASEL II recommendations and policies, developed by the BASEL committee consisting of representatives from all G-20 major economies as well as other major banking locales such as Hong Kong and Singapore, prescribe that banks and their outsourced contact centers implement Operational Risk Management practices. The BASEL committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In order to protect from the official event types defined by BASEL II, including Internal Fraud (misappropriation of assets, tax evasion, intentional mis-marking of positions, bribery), External Fraud (theft of information), Employment Practices and Workplace Safety (discrimination, workers compensation, employee health and safety), Clients, Products, & Business Practice (market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning), and Execution, Delivery, & Process Management (data entry errors, accounting errors), many banks require full-time call recording and long-term storage of their recorded interactions.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act sets out extensive guidelines for the documentation of business processes and transactions, mandating that businesses create and maintain electronic records as part of their regular business processes. To help ensure compliance with Sarbanes-Oxley, many organizations currently record and store all their calls in their entirety. Maintaining an electronic record of telephone calls in the same manner as emails helps to ensure compliance with Sarbanes-Oxley and simplifies the discovery and auditing processes, reducing the potential for abuse or mistakes.
Gramm-Leach-Bliley Financial Services Modernization Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. Under the Safeguards Rule, financial institutions must create and follow a written information security plan that details how they will protect the non-public information, such as account and identification numbers, of their current and former customers.
Call recording solutions make it easy to incorporate voice-based communications as part of an organization's GLBA compliance plan. In addition, companies that factor call recording into their electronic records plan have an added layer of security, knowing that every aspect of their business is compliant, rather than just their written documents and transactions.
Truth in Lending Act (TILA) & Fair Debt Collections Practices Act (FDCPA)
Full-time call recording is also frequently mandated to ensure contact center employees are accurately disclosing information required by the Truth in Lending Act and complying with collection practices required by the Fair Debt Collections Practices Act.
Barclaycard Guidance
Balancing the need for PCI compliance with other regulations, laws and risk management requirements with the quality management requirements can pose a dilemma. Barclaycard prepared a very informative white paper that, among other things, advises that:
Call centre managers will need to ensure that the PAN is masked when displayed (i.e. first 6 and last 4 digits). This is part of requirement 3.3 and may include:
- Restricting access to QA/recording and CRM data containing payment card data based on the user's log-in account and corporate role; for example, providing screen recording playback interfaces where the payment card information is displayed only to the managers and compliance officers during legal discovery, and having it blacked out (masked) for all other supervisors and QA specialists.
- Segmenting contact centre operations so that a limited number of agents have access to payment card data; for example, payment card information may be entered by a sales agent but a customer service representative will only have access to the masked PAN.
Readers are encouraged to read the entire paper for more suggestions.
Executive Summary
Identity theft is a massive problem in the United States and globally. In response, the payment card industry has established clear rules to help assure that critical financial and identification data is protected from menaces both outside and within the enterprise. The PCI-DSS requirements must be adhered to by every organization - regardless of size - that accepts payment cards. There are direct impacts on contact centers, which in the past have proved to be fertile grounds for extracting payment card details from unsuspecting customers.
In this paper we highlighted some sound practices to help assure data security. We also noted that the widespread practice of recording voice and data interactions may result in a breach of the data security standards and even a violation of certain state statutes unless important precautions are taken. Choosing to abandon interaction recording altogether or limit it to non-transactional calls is not an option. Besides the obvious need to assure consistent call quality there are many other laws and regulations where recording is a legal requirement or the only practical means of establishing compliance.
It is important that any call recording system purchased now can cope with both current and future changes in laws and industry standards and that the recording solution facilitates best practices. Suppliers must be able to prove that their products will help you assure compliance today and have the flexibility to adapt to future changes. The best solution is to avoid recording of the validation code altogether, after approval. The VPI solution provides this option.
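The two display controls this paper keeps returning to, in the best practices list (restrict recording and CRM data by log-in account and corporate role; mask card entries in voice and screen data) and in the Barclaycard guidance (PAN shown as first 6 and last 4 digits under requirement 3.3; full PAN only for managers and compliance officers during legal discovery, masked for other supervisors, QA specialists and customer service representatives), are easy to get subtly wrong in a playback or CRM front end. The Python below is an added example written for this edit; it is not VPI's software and not Barclaycard's material. It also goes one step beyond the text by scanning free text such as chat or e-mail for card numbers, which is the check behind the at-home practice of never sending payment card data over an unencrypted channel. The role names, the purpose value `legal_discovery`, the sample chat lines and the Luhn check (used only to discard digit runs that merely look like a PAN) are assumptions of the example, not taken from the paper.

```python
import re
from typing import Tuple

# Roles the paper names as allowed to see the full PAN, and only during legal
# discovery; everyone else (supervisors, QA specialists, customer-service
# representatives) gets the masked form. Role and purpose names are assumptions.
FULL_PAN_ROLES = frozenset({"manager", "compliance_officer"})
FULL_PAN_PURPOSE = "legal_discovery"

# Candidate PAN in free text: 13 to 19 digits, optionally split by single
# spaces or dashes, bounded by non-digits on both sides.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (an assumption of this example, not from the
    paper): rejects random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (the requirement 3.3
    display rule quoted from the Barclaycard guidance); the rest become '*'."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def render_pan_for(pan: str, role: str, purpose: str) -> str:
    """What a playback or CRM screen shows a given user: the full PAN only
    for the named roles during legal discovery, the masked PAN otherwise."""
    if role in FULL_PAN_ROLES and purpose == FULL_PAN_PURPOSE:
        return pan
    return mask_pan(pan)


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with its masked form and
    count them, so a check on chat, SMS or e-mail can alert before cardholder
    data leaves over an unencrypted channel."""
    found = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # looks like a PAN but is not one
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_mask, text), found


# Constructed sample chat lines: the card number is a widely published test
# PAN, the order reference is a 13-digit number that fails the Luhn check.
SAMPLE_CHAT = (
    "[14:02] agent: I have your card as 4111 1111 1111 1111, expiry 09/27\n"
    "[14:03] customer: please quote order ref 1234567890123\n"
)

if __name__ == "__main__":
    cleaned, n = redact_pans(SAMPLE_CHAT)
    print(f"{n} PAN(s) redacted:\n{cleaned}")
    for who in ("compliance_officer", "qa_specialist"):
        print(who, render_pan_for("4111111111111111", who, "legal_discovery"))
```

The design choice worth noting is that `render_pan_for` checks both the role and the purpose: a compliance officer reviewing a call for QA purposes still sees the masked PAN, which is what the guidance's "during legal discovery" qualifier implies. The masking is applied to the digits only, so a PAN typed with spaces or dashes is masked the same way as one typed without.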
About the Author
Dick Bucci is Principal of Pelorus Associates where he specializes in contact center technologies. He has authored ten in-depth reports on workforce optimization applications and over 30 white papers. As one of the industry's foremost thought leaders, his articles and observations have appeared in trade and business publications around the world. Dick has over 30 years of experience in the telecommunications industry.
About VPI
VPI is the world's premier provider of call recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,500 customers in 50 countries. VPI's award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere, all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open, service-oriented architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, call 1-800-200-5430 or visit www.VPI-corp.com/PCI.
References
The information provided in this white paper is believed to be accurate, but is presented without express or implied warranty and is subject to change without notice.
The FTC in 2009, Annual Report of the Federal Trade Commission (March, 2009)
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond: A Joint Report of the US Department of Homeland Security, SRI International Identity Theft Technology Council, the Anti-Phishing Working Group, and IronKey, Inc. (September, 2006)
Symantec Report on the Underground Economy July 07-June 08, Symantec Corp. (November 2008)
Navigating PCI-DSS - Understanding the Intent of the Requirements, Version 2.0, Payment Card Industry (PCI) Data Security Standards, Payment Card Industry (PCI) (October, 2010)
2009 Data Breach Investigation Report, Verizon Business RISK Team
Safe and Sound, Processing Telephone Payments Securely, BarclayCard (April, 2010)