Call Recording Guide to PCI-DSS Compliance - Pelorus Associates

Post on 09-Feb-2022


Table of Contents

Introduction
Cyber Crime
Contact Centers and Identity Theft
Payment Card Industry Response
PCI-DSS Requirements Impacting Call Recording
Other PCI-DSS Requirements that Impact Call Recording
Alternative 1 - Cease Recording
Alternatives 2 and 3 - Agent-driven Compliance
Alternative 4 - Transfers to Third Party Devices
Alternative 5 - Do Nothing
Alternative 6 - Invest in Intelligent Call Recording Systems
VPI Solution
Consequences of Non Compliance
Advisable Best Practices
Advisable Best Practices for Securing At-Home Agents
Dilemma for Contact Centers
Telemarketing Sales Rule
FSA Rules
BASEL II
Sarbanes-Oxley Act
Gramm Leach Bliley Financial Services Modernization Act
TILA and FDCPA Acts
Barclaycard Guidance
Executive Summary
About the Author
About VPI

Introduction

Identity theft was the number one source of consumer complaints to the Federal Trade Commission (FTC) in 2007. Estimates by private market research firms peg the incidence of identity theft as high as 15 million consumers. The most common form of identity theft, according to the FTC, is the misuse of credit and debit card accounts. Approximately 3.4 million adults can expect to have their payment card data compromised every year. When credit card identities are stolen, it's not just the credit card companies that are left holding the bag: cardholders often face economic losses, lengthy legal battles and struggles to re-establish clean credit records. While for most consumers the impact is modest, according to the FTC one out of twenty victims suffers median out-of-pocket losses of $400 and spends 60 hours trying to clean up the mess that resulted.

Cyber Crime

For today's high-tech thieves, software is a much more productive and arguably less risky way to take other people's money than dumpster-diving for card receipts or picking pockets. A class of software known generally as malware can creep unnoticed into databases and extract hundreds of thousands of account identifiers. Malware is also spread by propagating a worm or virus or by making the malware available on a web site that exploits a security vulnerability. Common techniques include phishing, key and screen loggers, and SQL injection attacks. According to The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, a report published by the U.S. Department of Homeland Security in 2006, "Credible estimates of the direct financial losses due to 'phishing' alone exceed a billion dollars per year."

The largest security breach to date was disclosed in January 2009. The case involved Heartland Payment Systems Inc. Heartland processes more than 100 million card transactions per month for 250,000 clients. On August 17, 2009 Albert Gonzalez, 28, of Miami, Florida was charged by the Department of Justice with stealing data from 130 million debit and credit cardholders. According to the indictment, Gonzalez and international co-conspirators used an intricate hacking technique called an "SQL injection attack," which seeks to exploit a computer network by finding a way around firewalls to steal credit and debit card information. It turns out that Gonzalez and his thugs were also responsible for the highly publicized intrusion of TJ Maxx cardholders. Heartland expensed $144.2 million to consummate the settlement of claims.

Contact Centers and Identity Theft

Contact centers can become unsuspecting targets of cyber criminals. Outbound telemarketing centers, inbound centers that engage in up-selling and/or cross-selling, service providers, and collection companies always take payment in the form of credit or debit cards. The card information is entered into a CRM or other sales automation software and recorded by voice and screen recorders. And there it resides: thousands and even millions of card records inviting remote criminals or even greedy employees to extract for personal gain or sell into a sophisticated secondary market.

Think it can't happen?

An investigative reporter from the BBC (British Broadcasting Company) posed as a fraudster seeking to buy credit card records from a fence in Delhi. The Indian conspirator offered to sell details on hundreds of plastic cards for $10 each. The video shows a buy being made and money changing hands. The reporters bought 50 cards as a "sample" with the hint that a larger buy would follow if the cards checked out. The names were later traced to a call center taking service calls for U.S.-based Symantec Corporation.

In the first example, Symantec followed up with a thorough investigation of the underground economy. Among the findings from their 68-page report was that the BBC reporters grossly overpaid for customer card data. Quoting from the report, "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)."

Also in India, local police in the city of Pune arrested 12 persons associated with a call center operated by outsourcer MphasiS for allegedly siphoning off $350,000 from the Citibank accounts of four US citizens. Some employees gained the confidence of customers and obtained their PIN numbers to commit fraud. They did this under the guise of helping the customers out of difficult situations.

In 2006, an employee at the HSBC Data Processing Center in Bangalore, India was arrested for allegedly passing personal customer information. As a result UK bank customers lost approximately USD $425,000. The incident cast a black eye on outsourcing work to India and may affect future projects being considered for India and other parts of Asia.

According to IT Business News, the HSBC incident was brought to notice by some of its customers in England who complained that money was transferred out of their accounts without their knowledge. The lessons from these incidents at HSBC have prompted several security and quality assurance policies aimed to protect customers' sensitive personal information. A dedicated team of compliance officers has been specially trained and deployed to ensure that breaches in security and access of customer information will be minimized.

According to press reports, Alaska Airlines and Horizon Air had to notify 1,500 of their customers that their credit cards may have been misused by a former call center employee. The former employee is alleged to have taken the card information provided by some of the airlines' customers to pay for reservation changes. Rather than process the payment on behalf of the airlines, the individual is alleged to have diverted the funds to a personal account.

Payment Card Industry Response

In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., established the PCI Security Standards Council in September 2006. The aim of the council was to establish a set of rules that merchants and service providers must comply with in order to accept payments through the credit and debit card apparatus set up by the card vendors. While the Council is managed by the card industry, membership is open to any organization that participates in the payment processing system, including merchants, processors, POS vendors, and financial institutions.


The Council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. The original PCI regulations specifically forbade storing primary account numbers (PAN), PIN numbers, service codes, expiration dates, and other specified identifiers unless they met PCI-DSS encryption standards. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the council is exempt from compliance.

While the standard is primarily aimed at cardholder information in databases, contact centers can easily become unsuspecting violators. This is because of the practice of collecting and entering card data into order entry systems and archiving private customer information in call and data recording systems. Initially, the PCI-DSS allowed the voice and data recording and storage of sensitive card information provided that certain safeguards were in place, such as encryption, firewalls, and need-to-know authorizations. The precise levels of encryption are spelled out in the standard, as are the data categories that may be stored when properly encrypted.

PCI-DSS Requirements Impacting Call Recording - Do Not Record Validation Codes

On October 28, 2010 the Security Standards Council issued a clarification that states that it is a violation of the PCI-DSS to store card validation codes and the full contents of any track from the magnetic stripe located on the back of the card. This includes the cardholder's name, the primary account number (PAN), expiration date, and personal identification number (PIN) after authorization, even if encrypted. Note: it is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.

The card validation value code is the three or four digit number that is usually imprinted next to the signature line on the back of the payment card. On American Express cards, the security code is on the face of the card.

The Card Verification Code (referred to as CAV2, CVC2, CVV2, or CID) must not be retained post authorization, cannot be stored in a standard digital audio or video format (e.g. wav, mp3, mpg, etc.), and a proper disposal procedure must be in place. If the recording solution cannot block the audio or video from being stored, the code must be deleted from the recording if it is initially recorded.


Telephone order takers require the validation code as well as the PAN (Primary Account Number) and expiration date in order to secure authorization from the card issuer. Without that number, cyber thieves cannot make eCommerce purchases or illegally transfer funds out of the cardholders' accounts. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms.

When it is absolutely necessary that your organization retain card verification codes, you will need to demonstrate to your QSA (Qualified Security Assessor) and your acquiring bank that:

- You perform, facilitate or support issuing services. It is allowable for these types of organizations to store sensitive authentication data only if they have a legitimate business need to store such data. It should be noted that all PCI-DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI-DSS and specific payment brand requirements.

The latest PCI-DSS standards require that PAN must be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

Other Important PCI-DSS Requirements that Impact Call Recording

Requirement 4 and Subsection 4.1 require that strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) be used to protect cardholder data during transmission over open networks.

Requirement 7 and Subsection 7.1 require that access to computing resources and cardholder information be limited to those individuals whose job requires such access, e.g. for strong business reasons. Organizations should create a clear policy for data access control to define how, and to whom, access is granted.

Requirement 7 and Subsection 7.2 require organizations that accept payment cards to establish a mechanism for systems with multiple users that restricts access based on a user's need-to-know and is set to "deny all" unless specifically allowed.

Requirement 8 and Subsection 8.1 require organizations that accept payment cards to assign a unique ID to each person with computer access before allowing them to access system components or cardholder data.

Subsection 8.3 requires two-factor authentication for remote access to the network by employees, administrators and third parties.

Subsection 8.5 requires proper user authentication and password management for users and administrators on all system components.

Subsection 8.5.16 requires organizations that accept payment cards to authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.


Requirement 10 and Subsection 10.1 require card acceptors to track and monitor all access to network resources and cardholder data and establish a process for linking all access to system components to each individual user.

Requirement 10 and Subsection 10.2 require card acceptors to implement automated audit trails for all system components to reconstruct events such as user access to cardholder data, access to audit trails, use of authentication mechanisms, and the like.
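The PAN-rendering approaches and the correlation note in the requirements above, worked through as an added Python example (this is not code from the paper or from VPI): it finds PAN-shaped digit runs in stored text such as a call transcript or log line, keeps only those that pass the Luhn check, truncates them to the first six and last four digits, strips any verification code given next to its label, and contrasts an unkeyed hash of the PAN with a keyed index token whose secret is assumed to live in a separate key store. The sample lines are constructed and the card numbers are published test values, not accounts.

```python
import hashlib
import hmac
import re

# 13-19 digits, optionally split by single spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card verification code given right after one of its labels (spoken or typed).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cav2|cid|security code)\b\D{0,12}?(\d{3,4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: drops digit runs (ticket numbers, references) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """(start, end, digits) for each Luhn-valid PAN-shaped run in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def truncate_pan(digits: str) -> str:
    """Truncation as the standard allows: first six and last four digits kept, rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Render PANs unreadable by truncation and strip verification codes entirely.

    The code is removed rather than masked: the standard gives no storage allowance
    for it after authorization, whatever the format."""
    out = CVV_RE.sub(lambda m: f"{m.group(1)} [removed]", text)
    for start, end, digits in reversed(find_pans(out)):  # right to left keeps offsets valid
        out = out[:start] + truncate_pan(digits) + out[end:]
    return out


def redact_lines(lines):
    return [redact(line) for line in lines]


def unkeyed_hash(digits: str) -> str:
    """One-way hash of the entire PAN, one of the permitted renderings on its own."""
    return hashlib.sha256(digits.encode()).hexdigest()


def index_token(digits: str, secret: bytes) -> str:
    """Keyed token: the secret plays the role of the 'pad' and must be kept in a key store,
    never beside the tokens. Without it there is no way to test candidate PANs."""
    return hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()


def correlation_search_space(truncated: str) -> int:
    """How many Luhn-valid PANs agree with a truncated PAN.

    Each masked digit multiplies the candidates by 10, but for any fill of the other
    masked digits exactly one value of the last one satisfies Luhn, so six masked
    digits leave 10**5 candidates. That is why an unkeyed hash of the same PAN stored
    next to its truncation, as the note above warns, does not keep the PAN secret."""
    hidden = truncated.count("*")
    return 10 ** (hidden - 1) if hidden else 1


# Constructed transcript/log lines; the card numbers are published test values.
SAMPLE_LINES = [
    "2010-10-28 14:02:11 agent=a417 customer said card 4111 1111 1111 1111 exp 11/12",
    "2010-10-28 14:02:19 agent=a417 customer said CVV is 123, ticket 8675309",
    "2010-10-28 14:03:02 order 5500000000000004 confirmed, ref 1234567890123",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LINES):
        print(line)
    t = truncate_pan("4111111111111111")
    print(t, "candidates if stored beside an unkeyed hash:", correlation_search_space(t))
```

The 13-digit reference in the third line survives because it fails the Luhn check, which is the false-positive filter a transcript scanner needs.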

If an important part of the agent's job is to accept and/or solicit sales, then the question becomes: how do we prevent recording and storing of sensitive authentication data and the full contents of any magnetic stripe track?

Available Alternatives

Alternative 1: Cease recording all sales and transaction calls.
Alternative 2: Train agents to disable the recording function when card data is required, then restart after the transaction is completed.
Alternative 3: Require agents to delete the section of the recording that includes the authorization code.
Alternative 4: Third-party devices that require the caller to enter card details via their touchtone pad.
Alternative 5: Do nothing.
Alternative 6: Invest in call recording systems that automatically mask and mute sensitive card details.

Alternative 1 - Cease Recording

The notion of simply halting the practice of recording all calls and related data that may involve the capture of interactions containing sensitive information is certainly an approach that will be compliant. Thieves cannot steal information that was never stored. However, the trade-off is too severe. You must be able to manage call quality, and there are laws and regulations that many centers, particularly outbound, need to comply with. Full-time recording is the only way to measure compliance.

Alternatives 2 and 3 - Agent-driven Compliance

At the final stage of taking credit card data, the recorded agent could transfer the call to an unrecorded extension where a second agent takes aspects of the customer credit card data such as the CVV number for bank verification. Some recording systems allow the agent to manually pause and resume the recording via buttons on their screen or handset.

These approaches may work, but they add a burden to agents and are obviously error-prone. There may also be a question of whether relying on employee actions would pass muster with the payment card council, which prefers solid, technology-based solutions.

Alternative 4 - Transfers to Third Party Devices

There are third party devices that can be bolted onto an existing recorder. This method works by requiring the caller to enter card details manually via the touchtone pad. The idea has merit, since little agent intervention is required and the system automatically masks card entries on the agent screen and blocks the DTMF tones from being recorded. Agents could also transfer calls to an IVR platform for taking such details as CVV for bank verification. The downsides are the paucity of choices, risk of user error, the unnatural interruption of call flow, the need to manage an adjunct device that's not part of an integrated solution, and an added cost per transaction.


Alternative 5 - Do Nothing

The "do nothing" option appears to be the favored choice at this point. In the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team, researchers uncovered 90 confirmed breaches within their 2008 caseload encompassing an astounding 285 million compromised records, and 81% of the businesses were not Payment Card Industry (PCI) compliant. The most common form of data breach was compromised payment cards, with retail and financial services accounting for six out of ten of the security breaches.

A 2009 poll of United Kingdom call center managers found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a violation of the Payment Card Industry Data Security Standard. Of the 133 call center managers contacted for the survey, only 3 percent indicated compliance with the guidelines. Among the reasons for failing to abide by PCI-DSS, 61 percent said they were unaware of the standards, 18 percent were aware but said they couldn't comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.

Alternative 6 - Invest in Call Recording Systems that Automatically Mute and Mask Sensitive Card Details

A handful of leading call recording vendors have developed truly integrated solutions. With the VPI solution, for example, the recorder uses desktop analytics to monitor application screens in use by the agent during the interaction (including CRM, sales automation or other applications) to automatically sense when the agent is entering screens or fields where sensitive information must be entered, without the need for a costly back-end integration to those systems.

The VPI Fact Finder desktop analytics application can detect when an agent enters a screen with sensitive information, when sensitive information is inputted, and when they leave a screen containing sensitive information.

The VPI Solution

The VPI recording system then automatically classifies calls containing sensitive cardholder information and provides organizations with four options to help effectively balance their PCI requirements with liability, quality management and other regulatory requirements:

VPI's Four Options

Option 1 - Delete all call recordings with sensitive information but retain valuable non-sensitive interaction data for reporting and analysis

Data about what happened during the interaction often provides more business value than the actual recording itself. Instead of being deleted along with the sensitive audio and screen recordings, valuable data such as call date/time, call direction, total handle time, hold time, Customer ID, Agent ID, DNIS, sales or collections $ amount, number of transfers, or even handle time of key processes within the call that led up to the successful transaction, is made available in interactive reports and analysis of key business issues and opportunities.

Option 2 - Roles-based access to recorded files containing sensitive information

For organizations that are permitted to record entire calls (companies that perform, facilitate, or support issuing services), the VPI solution has the ability to only allow access to call recordings containing sensitive payment card data based on the user's log-in account and corporate role. For example, only compliance officers and senior executives would have access to those recorded files during legal discovery. All other system users would not be able to access the recorded calls (Requirements 3.2 and 8.5).

Option 3 - Roles-based muting/masking upon playback

For organizations required to record calls (e.g. those per 3.2), and who would also like to play back for quality and training purposes, VPI has a solution that allows access to recordings while controlling the access to sensitive information. The solution uses VPI's Fact Finder technology to tag the sensitive events and upon playback mutes the audio and masks the screen video during segments of the call containing sensitive data. Agents, supervisors and QA analysts without full access rights are able to play back the call while hearing and seeing everything that led up to and followed the sensitive transaction, including after-call wrap time. Only authorized users, such as compliance officers or senior managers, would have access to those recorded files in their entirety. (Requirements 3.2, 7.1 and 7.2)

The VPI solution has the ability to mute the audio and mask the screen video during segments of the call containing sensitive data upon playback.

Option 4 - Permanent muting/masking during segments of the call containing sensitive info

For organizations that do not have a justifiable need to review or keep entire recordings for liability and other regulatory reasons, VPI is creating a solution to permanently mask and mute sensitive audio and screen video that will comply with the most stringent of the PCI requirements. In this case, the audio and video of segments containing sensitive cardholder information will be deleted prior to storage of recordings and unavailable to all system users regardless of user authorization privileges.

NOTE: VPI expects to make this feature generally available in 2011. The timeline for this feature is subject to change.
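The role-based playback masking of Option 3, the permanent redaction of Option 4 and the Requirement 10 audit trail, modelled together as an added Python example (this is not VPI's code; the role names, the segment tags and the 100 ms-per-byte "audio" are constructed stand-ins): segments tagged as sensitive are muted on playback unless the caller's role is authorized, are zeroed before storage in the permanent variant, and every playback attempt, allowed or denied, is written to an audit log under the user's unique ID.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MS_PER_SAMPLE = 100  # constructed: one audio byte stands for 100 ms of the recording


@dataclass(frozen=True)
class Segment:
    start_ms: int
    end_ms: int
    sensitive: bool = False  # tagged when the agent is in a card-entry screen or field
    redacted: bool = False   # audio permanently removed before storage (Option 4)


@dataclass(frozen=True)
class Recording:
    call_id: str
    audio: bytes
    segments: Tuple[Segment, ...]


# Hypothetical role names; only FULL_ACCESS_ROLES may hear sensitive segments (Options 2 and 3).
FULL_ACCESS_ROLES = {"compliance_officer", "senior_manager"}
PLAYBACK_ROLES = FULL_ACCESS_ROLES | {"agent", "supervisor", "qa_analyst"}

AUDIT_LOG: List[dict] = []  # Requirement 10: every action linked to one unique user ID


def audit(user_id: str, role: str, action: str, call_id: str, outcome: str) -> dict:
    """Append one audit entry and return it."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
             "role": role, "action": action, "call_id": call_id, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def _sample_range(seg: Segment) -> Tuple[int, int]:
    return seg.start_ms // MS_PER_SAMPLE, seg.end_ms // MS_PER_SAMPLE


def playback(rec: Recording, user_id: str, role: str) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Option 3: return the audio with sensitive segments muted unless the role is authorized,
    plus the list of (start_ms, end_ms) ranges that were muted.
    Deny-all by default (Requirement 7.2): an unknown role gets a denied audit entry, no audio."""
    if role not in PLAYBACK_ROLES:
        audit(user_id, role, "playback", rec.call_id, "denied")
        raise PermissionError(f"role {role!r} may not play back recordings")
    audio = bytearray(rec.audio)
    muted: List[Tuple[int, int]] = []
    if role not in FULL_ACCESS_ROLES:
        for seg in rec.segments:
            if seg.sensitive:
                a, b = _sample_range(seg)
                audio[a:b] = bytes(b - a)  # silence of equal length, so call timing is kept
                muted.append((seg.start_ms, seg.end_ms))
    audit(user_id, role, "playback", rec.call_id, "full" if not muted else f"muted={len(muted)}")
    return bytes(audio), muted


def redact_before_storage(rec: Recording) -> Recording:
    """Option 4: silence sensitive segments permanently so no role can recover them.
    The tags stay, marked redacted, because the interaction metadata is still useful for
    reporting (Option 1); only the sensitive audio is gone."""
    audio = bytearray(rec.audio)
    segments = []
    for seg in rec.segments:
        if seg.sensitive:
            a, b = _sample_range(seg)
            audio[a:b] = bytes(b - a)
            seg = replace(seg, sensitive=False, redacted=True)
        segments.append(seg)
    return Recording(rec.call_id, bytes(audio), tuple(segments))


def reconstruct_events(user_id: str, action: Optional[str] = None) -> List[dict]:
    """Requirement 10.2: the trail filtered by user and, optionally, by activity type."""
    return [e for e in AUDIT_LOG
            if e["user_id"] == user_id and (action is None or e["action"] == action)]


def make_sample_recording() -> Recording:
    """Constructed 3 s call: byte value = sample index + 1, so muting shows up as zeros.
    Desktop analytics tagged the card-number field as in use from 1.0 s to 1.5 s."""
    audio = bytes(range(1, 31))
    segments = (Segment(0, 1000), Segment(1000, 1500, sensitive=True), Segment(1500, 3000))
    return Recording("call-0001", audio, segments)


if __name__ == "__main__":
    rec = make_sample_recording()
    qa_audio, muted = playback(rec, "u-qa-01", "qa_analyst")
    print("QA analyst hears:", qa_audio.hex(), "muted:", muted)
    print("Compliance hears:", playback(rec, "u-co-01", "compliance_officer")[0].hex())
    stored = redact_before_storage(rec)
    print("Stored with Option 4:", playback(stored, "u-co-01", "compliance_officer")[0].hex())
    for entry in reconstruct_events("u-co-01", "playback"):
        print(entry)
```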


VPI Response to Requirement 4 – Encrypt transmission of cardholder data across open networks

The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or "home-grown" algorithm). VPI supports AES 256 data and file encryption using strong cryptography as well as secure protocols including Secure Socket Layer, Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of recorded voice and screen recordings and associated data over the network. (Requirement 4.1)

VPI Response to Requirement 7 – Restrict access to cardholder data by business need-to-know

The VPI system is capable of supporting a granular definition of access rights for a large number of user types, which allows for greater control over system user Roles and Privileges, such as the ability to search for and play back media files which contain sensitive data as identified by the VPI Fact Finder desktop analytics tool.

VPI Response to Requirement 8 – Assign a unique ID to each person with computer access

The VPI system has a unique user system log-in with an audit trail showing who has logged into the system, searched for calls, played back or exported calls, and when. The status of all activities can also be monitored in heat maps that present audit log data in a visual, easy-to-analyze manner.

VPI Response to Requirement 10 – Track and monitor all access to network resources and cardholder data

This is achieved by providing an audit trail of all user activities, linking specific actions to specific users, thereby providing a high degree of visibility and transparency. (Requirement 10.1) The VPI system also provides an interface for reconstructing events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (Requirement 10.2)

Consequences of Non-Compliance

Non-compliance risks revocation of card acceptance privileges and violation of state laws. Loss of card acceptance privileges could easily spell the death knell for retailers, service providers, and collection agencies. In fact, it is difficult to think of any type of business, nonprofit, or government revenue collection entity that does not rely on payment cards. The card issuers have the authority to revoke card privileges through their contracts.

The other possibility is violation of state laws. As of this time, three states, Minnesota, Nevada, and Washington, have codified payment card industry data security standards. Quoting from the Washington state law, "A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach." This requirement is not contingent on the volume of transactions.

The Nevada law requires that companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver's license numbers or account numbers together with passwords must use encryption if they send the information outside of the company. The Nevada law is reported to be the only law that actually mandates PCI-DSS compliance. The language "doing business in the state of Nevada" is very broad and presumably could include companies not domiciled in the state. Other states are considering legislation that would codify PCI-DSS.


Advisable Best Practices

Obviously, if your business or organization accepts payment cards, it is in your best interest to become compliant with PCI-DSS. In addition to the standards, there are many other actions you can take to help prevent breaches of sensitive card and personal information.


1. Work with your information technology department before implementing contact center-specific solutions. Compliance is an organization-wide commitment. IT may have an overall security plan that contact centers must adopt. For example, individuals that require access to archived calls that may include card data must be specifically authorized to access this information.

2. Make sure your order entry, new customer applications, and any other customer databases that your agents frequently access mask out credit, debit, and other sensitive information.

3. Limit the amount of time that card information is kept in the call recording server database (both voice and screen recordings). It may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI-DSS and regulatory compliance requirements (requirement 3.1).

4. Ensure that proper user authentication is implemented for staff, agents and administrators (requirement 3.2).

5. Segment contact center operations so that a limited number of employees have access to payment card data. For example, payment card information can be entered by a sales agent, but a customer service representative may have access only to the masked PAN (requirements 8.1 and 8.5).

6. Be very careful about who you hire. If the agent will be accepting card payments or otherwise be privy to sensitive personal information, conduct a thorough background check before extending an offer.

7. Make clear that unauthorized disclosure of sensitive personal information is grounds for termination.

8. If an employee is terminated or resigns, immediately change the password to that individual's workstation. Don't wait until the end of the work day.

9. If you are working with outsourcers, remember that PCI-DSS is an international requirement. The outsourcer must also be compliant.

10. Understand the data security precautions taken by outsourcers.

11. Do not allow thumb drives or any other portable storage devices into your contact center.

12. Agents or other employees should never open emails from unknown sources. This is a favored method used by cyber criminals for installing keyloggers and other malware.

13. Make sure you maintain strict processes that prevent agents from jotting down card numbers for later entry into the customer database.

14. Contact center agents should be discouraged from revealing their occupation on social networking sites. You don't want them to become unsuspecting targets.

15. Ensure that agents and supervisors do not share user IDs and passwords. Each user must be uniquely identified by their own login credentials. This information should be encrypted when stored in any computer systems.

16. Review your CRM, sales automation, collections and order entry systems to assure that complete card numbers and the security code are not displayed. The security code should never be stored.

17. Find out how your current recording software handles PCI-DSS compliance. Some vendors do not have a solution. Others may require deleting entire interactions that involve card transactions, making it impossible to conduct quality evaluations on these calls or retrieve them for compliance or verification purposes.

18. Restrict access to QA recording and CRM data containing payment card data based on the user's log-in account and corporate role.

19. Ensure that stored recordings are not played back over a speakerphone if payment card information is included.

20. If you are considering a new interaction recording system, look into the approach adopted by VPI. VPI provides encryption at no extra cost. For companies that prefer a more flexible approach, VPI's VPI CAPTURE call recording software can automatically detect when an agent enters a screen where a credit card field is to be filled out and then mask both the voice and screen entries for the duration of the agent's activities while working in those screens. The security code can be permanently deleted from both voice and screen recording. The system masks the sensitive information in voice and data recordings, which can only be accessed by authorized personnel.


Best Practices for Securing At-Home Agents

Contact center at-home agent programs are rapidly growing in number and size due to their attractive benefits of reducing operational costs, increasing performance and improving the customer experience. However, using at-home or remote workers carries with it a much greater security risk. When utilizing and recording at-home or remote workers, the following are additional advisable practices:

1. Be sure that the same level of firewall, corporate anti-virus protection, security patches, and definition files are extended to remote agents' and supervisors' PCs. (Requirements 1.4, 5.1 and 6.1)

2. Remote workers should be forbidden from copying, moving, and storing cardholder data onto hard drives or moveable electronic media when accessing cardholder data. (Requirement 12.3.10)

3. Ensure remote agents and supervisors use a two-factor authentication process. (Requirement 8.3)

4. Use strong network encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of the VoIP voice stream and data over the public network. (Requirement 4.1)

5. Ensure each at-home agent and supervisor is using a VPN connection into the corporate network with strong encryption protocols such as SSL/TLS. (Requirement 4.1)

6. Require remote agents and supervisors to encrypt their wireless networks using strong cryptography (Requirements 2.1.1 and 4.1.1). As of June 30, 2010, the Wired Equivalent Privacy (WEP) protocol is no longer permissible for any new wireless implementations (Requirement 4.1). The use of WPA2 is recommended.

7. If not using an enterprise VoIP-based telephone solution, require agents to use analogue telephone lines when talking with customers.

8. At-home agents should not use consumer VoIP telephone systems (such as Vonage) because their communications may not be encrypted. (Requirement 4.2)

9. Ensure that payment card information is never sent over an unencrypted medium such as chat, SMS/text or email or other non-encrypted communication channels.

10. Ensure that at-home agent and supervisor PCs have personal firewalls installed and operational. (Requirement 1.4)

11. Ensure that at-home agent and supervisor PCs have the latest approved security patches installed.

12. Require agents and supervisors to use only company-supplied systems. (Requirement 12.3)

13. Monitor at-home agents more often than in-house agents. (Requirement 12.3)

14. Annually review all security policies and procedures with all agents and require at-home agents to acknowledge the security requirements as part of their daily sign-in process. (Requirement 12.6)
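Two of the practices in this paper can be checked mechanically: the rule that complete card numbers are never displayed and the security code never stored, with access to card data tied to the user's role, and the advice just above that card data must never travel over chat, SMS or email. The following Python example is added here and is not from the paper or from VPI. It finds digit runs in a chat or email body, Luhn-validates them so that an order reference is not mistaken for a card number, masks any real card number to its first six and last four digits (the display form of PCI-DSS requirement 3.3 that the Barclaycard guidance later in the paper cites), and shows a stored record type with no field for the security code whose full PAN is rendered only for a role entitled to it. The role names, the sample chat line and the card record are constructed; 4111111111111111 is a standard test card number.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample input (not real data). 4111111111111111 is a standard
# Luhn-valid test number; 1234567812345678 is a 16-digit value that fails the
# Luhn check, standing in for an order reference that looks like a card number.
SAMPLE_CHAT = ("agent: thanks, I have the card as 4111 1111 1111 1111, "
               "and your order ref is 1234567812345678.")

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that non-card numbers are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of requirement 3.3: first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in a chat, SMS or email body.

    Returns the redacted text and how many numbers were masked; a non-zero
    count is the signal a monitoring job alerts on, because card data should
    never have been typed into such a channel in the first place.
    """
    count = 0

    def repl(match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


@dataclass(frozen=True)
class CardRecord:
    """What a CRM or recording index may hold after authorization.

    There is deliberately no field for the security code (CVV/CVC): it must
    never be stored, so the type cannot carry it.
    """
    pan: str
    expiry: str


# Hypothetical role names: only the role entitled to full card data during
# legal discovery sees the unmasked PAN; everyone else gets the masked form.
FULL_PAN_ROLES = {"compliance_officer"}


def view_record(rec: CardRecord, role: str) -> Dict[str, str]:
    """Role-based rendering of a stored record for a playback or CRM screen."""
    pan = rec.pan if role in FULL_PAN_ROLES else mask_pan(rec.pan)
    return {"pan": pan, "expiry": rec.expiry}


SAMPLE_RECORD = CardRecord(pan="4111111111111111", expiry="12/29")
```

The same redaction function can run over chat and email logs as a detection control: the count it returns tells you how often card data is leaking into channels the policy forbids, and the masked output is what may be retained for quality review.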

Dilemma for Contact Centers

PCI-DSS compliance is only one of a growing list of laws, regulations, and industry standards that contact centers need to consider. There are several regulations that require or strongly recommend that calls be recorded in their entirety:

Telemarketing Sales Rule

FSA (Financial Services Authority) Rules

BASEL II

Sarbanes-Oxley Act

Gramm-Leach-Bliley Financial Services Modernization Act

Truth in Lending Act (TILA) and Fair Debt Collections Practices Act (FDCPA)


Telemarketing Sales Rule

The Telemarketing Sales Rule requires a consumer's express verifiable authorization for use of bank account information to obtain payment through phone checks or demand drafts. This can be done via confirmation by a call recording of the consumer giving authorization or advance written authorization. The recorded authorization and written confirmation must include the date and amount of the draft(s), the name on the account from which the funds will be paid, the number of draft payments authorized, if more than one, a telephone number answered during normal business hours that the consumer can call with questions, and the date of the consumer's authorization. Many states require advance consent of the recorded party; the recorded confirmation must show that the consumer understands and acknowledges each term of the transaction and authorizes it.

FSA (Financial Services Authority) Rules

The United Kingdom Financial Services Authority (FSA) published rules in March of 2009 requiring firms to record telephone conversations and other electronic communications including email and instant messages relating to trading orders and the conclusion of transactions in the equity, bond, and derivatives markets. The rules were established as part of the FSA's efforts to combat market abuse, particularly insider dealing, and to help deter and detect market manipulation and abuse in the United Kingdom. The FSA rules are in accordance with Markets in Financial Instruments Directive (MiFID) general record keeping standards. The rules require organizations to retain their recorded calls and communications for 6 months. This is expected to be longer in future regulations (the initial recommendation was three years). The FSA must be able to access recorded calls readily.

Other regulated organizations involved in retail activities such as banking, insurance, loans or mortgages will still have the option to record calls or keep alternative records; however, recording is likely to become mandatory in the near future. Insurance companies complying with directives such as the Insurers Conduct of Business (ICOB) are already advised to introduce call recording. Companies will also find that in 99% of cases the Financial Ombudsman Service will favor the client's word if the organization cannot provide a recorded transcript of relevant telephone calls.

BASEL II

BASEL II recommendations and policies, developed by the BASEL committee consisting of representatives from all G-20 major economies as well as other major banking locales such as Hong Kong and Singapore, prescribe that banks and their outsourced contact centers implement Operational Risk Management practices. The BASEL committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In order to protect from the official event types defined by BASEL II, including Internal Fraud (misappropriation of assets, tax evasion, intentional mis-marking of positions, bribery), External Fraud (theft of information), Employment Practices and Workplace Safety (discrimination, workers compensation, employee health and safety), Clients, Products, & Business Practice (market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning), and Execution, Delivery, & Process Management (data entry errors, accounting errors), many banks require full-time call recording and long-term storage of their recorded interactions.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act sets out extensive guidelines for the documentation of business processes and transactions, mandating that businesses create and maintain electronic records as part of their regular business processes. To help ensure compliance with Sarbanes-Oxley, many organizations currently record and store all their calls in their entirety. Maintaining an electronic record of telephone calls in the same manner as emails helps to ensure compliance with Sarbanes-Oxley and simplifies the discovery and auditing processes, reducing the potential for abuse or mistakes.

Gramm-Leach-Bliley Financial Services Modernization Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. Under the Safeguards Rule, financial institutions must create and follow a written information security plan that details how they will protect the non-public information, such as account and identification numbers, of their current and former customers.

Call recording solutions make it easy to incorporate voice-based communications as part of an organization's GLBA compliance plan. In addition, companies that factor call recording into their electronic records plan have an added layer of security, knowing that every aspect of their business is compliant, rather than just their written documents and transactions.

Truth in Lending Act (TILA) & Fair Debt Collections Practices Act (FDCPA)

Full-time call recording is also frequently mandated to ensure contact center employees are accurately disclosing information required by the Truth in Lending Act and complying with collection practices required by the Fair Debt Collections Practices Act.

Barclaycard Guidance

Balancing the need for PCI compliance with other regulations, laws and risk management requirements with the quality management requirements can pose a dilemma. Barclaycard prepared a very informative white paper that, among other things, advises that:

Call centre managers will need to ensure that the PAN is masked when displayed (i.e. first 6 and last 4 digits). This is part of requirement 3.3 and may include:

Restricting access to QA/recording and CRM data containing payment card data based on the user's log-in account and corporate role; for example, providing screen recording playback interfaces where the payment card information is displayed only to the managers and compliance officers during legal discovery, and having it blacked out (masked) for all other supervisors and QA specialists.

Segmenting contact centre operations so that a limited number of agents have access to payment card data; for example, payment card information may be entered by a sales agent but a customer service representative will only have access to the masked PAN.

Readers are encouraged to read the entire paper for more suggestions.

Executive Summary

Identity theft is a massive problem in the United States and globally. In response, the payment card industry has established clear rules to help assure that critical financial and identification data is protected from menaces both outside and within the enterprise. The PCI-DSS requirements must be adhered to by every organization, regardless of size, that accepts payment cards. There are direct impacts on contact centers, which in the past have proved to be fertile grounds for extracting payment card details from unsuspecting customers.

In this paper we highlighted some sound practices to help assure data security. We also noted that the widespread practice of recording voice and data interactions may result in a breach of the data security standards and even a violation of certain state statutes unless important precautions are taken. Choosing to abandon interaction recording altogether or limit it to non-transactional calls is not an option. Besides the obvious need to assure consistent call quality there are many other laws and regulations where recording is a legal requirement or the only practical means of establishing compliance.

It is important that any call recording system purchased now can cope with both current and future changes in laws and industry standards and that the recording solution facilitate best practices. Suppliers must be able to prove that their products will help you assure compliance today and have the flexibility to adapt to future changes. The best solution is to avoid recording of the validation code altogether, after approval. The VPI solution provides this option.

About the Author

Dick Bucci is Principal of Pelorus Associates where he specializes in contact center technologies. He has authored ten in-depth reports on workforce optimization applications and over 30 white papers. As one of the industry's foremost thought leaders, his articles and observations have appeared in trade and business publications around the world. Dick has over 30 years of experience in the telecommunications industry.

About VPI

VPI is the world's premier provider of call recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,500 customers in 50 countries. VPI's award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder™, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere, all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open, service-oriented architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, call 1-800-200-5430 or visit www.VPI-corp.com/PCI

References

The information provided in this white paper is believed to be accurate, but is presented without express or implied warranty and is subject to change without notice.

The FTC in 2009, annual report of the Federal Trade Commission (March, 2009)

The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond: A Joint Report of the US Department of Homeland Security, SRI International Identity Theft Technology Council, the Anti-Phishing Working Group, and IronKey, Inc. (September, 2006)

Symantec Report on the Underground Economy July 07-June 08, Symantec Corp. (November 2008)

Navigating PCI-DSS - Understanding the Intent of the Requirements, Version 2.0, Payment Card Industry (PCI) Data Security Standards, Payment Card Industry (PCI) (October, 2010)

2009 Data Breach Investigation Report, Verizon Business RISK Team

Safe and Sound, Processing Telephone Payments Securely, BarclayCard (April, 2010)

Contact VPI: 1.800.200.5430, www.VPI-corp.com