PCI Compliance and Call Recording
Maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS requires that all companies that process, store or transmit credit card information must maintain a secure environment. CallCopy helps your organization ensure compliance via our optional Security module.
CallCopy’s proven solution offers several unique features/components customized to the PCI DSS, including:
- Cardholder Data Protection – provides access to audio and/or screen recordings based on company-defined user rights.
- Disk Encryption – provides on-the-fly encrypted storage for video and audio files, meaning that no data stored on an encrypted volume can be read (decrypted) without the required password/keyfile(s) or encryption keys.
- Network Encryption – provides SSL encryption for all client-server communications – both in recording and playback mode. We can also provide encryption for all recordings stored in our system.
- Blackouts – the PCI DSS requires that card security codes (CID, CAV2, CVC2, CVV2) are not stored. This feature offers start and stop triggers that define the beginning and end of the period within a call during which this information is given, effectively pausing the recording of both voice and screen for that period.
- User Security and Audits – provides an extensive activity tracking system, supported by a database of all system activity. Managers can conduct full trace audits to determine who has accessed any recording in the system for playback, export or any other critical function. User permissions include the ability to deny an individual user the right to reset their own password, preventing general users from creating overly simple passwords.
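The blackout behaviour described above, as an added illustration rather than CallCopy's own code: a small controller that takes a call's audio/screen frames plus start/stop trigger events and discards every frame inside a blackout window, writing an audit entry for each trigger. The event types, timestamps and sample frames are constructed assumptions; the one design point worth noting is that a window never closed by a stop trigger runs to the end of the call, so a missed stop cannot leave a security code on disk.

```python
from dataclasses import dataclass

# Assumed, constructed event types for a call timeline (not CallCopy's API).
# Timestamps are milliseconds since call start.
@dataclass
class Frame:
    t_ms: int
    kind: str          # "audio" or "screen"

@dataclass
class Trigger:
    t_ms: int
    action: str        # "start" opens a blackout window, "stop" closes it

def apply_blackouts(frames, triggers):
    """Return (kept_frames, suppressed_count, audit_log).

    Frames inside a blackout window are dropped. A window never closed by a
    stop trigger runs to the end of the call (fail closed), and a duplicate
    start does not extend or reset the window.
    """
    # Triggers sort before frames at the same timestamp, so a start at t
    # already covers the frame at t and a stop at t already releases it.
    events = sorted([(tr.t_ms, 0, tr) for tr in triggers] +
                    [(f.t_ms, 1, f) for f in frames], key=lambda e: e[:2])
    kept, suppressed, audit = [], 0, []
    in_blackout = False
    for t, _, ev in events:
        if isinstance(ev, Trigger):
            if ev.action == "start" and not in_blackout:
                in_blackout = True
                audit.append((t, "blackout_start"))
            elif ev.action == "stop" and in_blackout:
                in_blackout = False
                audit.append((t, "blackout_stop"))
            continue                       # triggers themselves are never recorded
        if in_blackout:
            suppressed += 1                # frame discarded, never written to storage
        else:
            kept.append(ev)
    if in_blackout:                        # missed stop: record why the tail is silent
        audit.append((events[-1][0] if events else 0, "blackout_unterminated"))
    return kept, suppressed, audit

if __name__ == "__main__":
    # Constructed sample: six audio frames, card code spoken between 150 ms and 350 ms
    frames = [Frame(t, "audio") for t in range(0, 600, 100)]
    kept, dropped, log = apply_blackouts(frames, [Trigger(150, "start"), Trigger(350, "stop")])
    print([f.t_ms for f in kept], dropped, log)
```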
More about the PCI DSS
The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 by leading financial services firms including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. While the PCI SSC established and maintains the Data Security Standard (DSS), each card brand still manages its own compliance program. If you have questions or concerns regarding your company’s compliance status or the risks and penalties for falling out of compliance, we recommend you contact the payment brands you are contracted with.
The PCI DSS is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures and is intended to help organizations proactively protect customer account data.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
To learn more, visit: www.pcisecuritystandards.org.