Call Recording Guide to PCI-DSS Compliance - Pelorus Associates
Table of Contents
Introduction
Cyber Crime
Contact Centers and Identity Theft
Payment Card Industry Response
PCI-DSS Requirements Impacting Call Recording
Other PCI-DSS Requirements that Impact Call Recording
Alternative 1 - Cease Recording
Alternatives 2 and 3 - Agent-driven Compliance
Alternative 4 - Transfers to Third Party Devices
Alternative 5 - Do Nothing
Alternative 6 - Invest in Intelligent Call Recording Systems
VPI Solution
Consequences of Non-Compliance
Advisable Best Practices
Advisable Best Practices for Securing At-Home Agents
Dilemma for Contact Centers
Telemarketing Sales Rule
FSA Rules
BASEL II
Sarbanes-Oxley Act
Gramm-Leach-Bliley Financial Services Modernization Act
TILA and FDCPA Acts
Barclaycard Guidance
Executive Summary
About the Author
About VPI
Introduction

Identity theft was the number one source of consumer complaints to the Federal Trade Commission (FTC) in 2007. Estimates by private market research firms peg the incidence of identity theft as high as 15 million consumers. The most common form of identity theft, according to the FTC, is the misuse of credit and debit card accounts. Approximately 3.4 million adults can expect to have their payment card data compromised every year. When credit card identities are stolen, it's not just the credit card companies that are left holding the bag - cardholders often face economic losses, lengthy legal battles and struggles to re-establish clean credit records. While for most consumers the impact is modest, according to the FTC one out of twenty victims suffers median out-of-pocket losses of $400 and spends 60 hours trying to clean up the mess that resulted.
Cyber Crime

For today's high-tech thieves, software is a much more productive and arguably less risky way to take other people's money than dumpster-diving for card receipts or picking pockets. A class of software known generally as malware can creep unnoticed into databases and extract hundreds of thousands of account identifiers. Malware is also spread by propagating a worm or virus or by making the malware available on a web site that exploits a security vulnerability. Common techniques include phishing, key and screen loggers, and SQL injection attacks. According to The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, a report published by the U.S. Department of Homeland Security in 2006, “Credible estimates of the direct financial losses due to ‘phishing’ alone exceed a billion dollars per year.”
The largest security breach to date was disclosed in January 2009. The case involved Heartland Payment Systems Inc. Heartland processes more than 100 million card transactions per month for 250,000 clients. On August 17, 2009 Albert Gonzalez, 28, of Miami, Florida was charged by the Department of Justice with stealing data from 130 million debit and credit cardholders. According to the indictment, Gonzalez and international co-conspirators used an intricate hacking technique called an “SQL injection attack,” which seeks to exploit a computer network by finding a way around firewalls to steal credit and debit card information. It turns out that Gonzalez and his thugs were also responsible for the highly publicized intrusion of TJ Maxx cardholders. Heartland expensed $144.2 million to consummate the settlement of claims.
Contact Centers and Identity Theft
Contactcenterscanbecomeunsuspectingtargetsofcybercriminals.Outboundtelemarketing
centers,inboundcentersthatengageinup-sellingand/orcross-selling,serviceproviders,
andcollectioncompaniesalwaystakepaymentintheformofcreditordebitcards.Thecard
informationisenteredintoaCRMorothersalesautomationsoftwareandrecordedbyvoice
and screen recorders. And there it resides - thousands and evenmillions of card records
invitingremotecriminalsorevengreedyemployeestoextractforpersonalgainorsellinto
asophisticatedsecondarymarket.
Think it can’t happen?

An investigative reporter from the BBC (British Broadcasting Corporation) posed as a fraudster seeking to buy credit card records from a fence in Delhi. The Indian conspirator offered to sell details on hundreds of plastic cards for $10 each. The video shows a buy being made and money changing hands. The reporters bought 50 cards as a “sample” with the hint that a larger buy would follow if the cards checked out. The names were later traced to a call center taking service calls for U.S.-based Symantec Corporation.

In the first example, Symantec followed up with a thorough investigation of the underground economy. Among the findings from their 68-page report was that the BBC reporters grossly overpaid for customer card data. Quoting from the report, “Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each).”

Also in India, local police in the city of Pune arrested 12 persons associated with a call center operated by outsourcer MphasiS for allegedly siphoning off $350,000 from the Citibank accounts of four US citizens. Some employees gained the confidence of customers and obtained their PIN numbers to commit fraud. They did this under the guise of helping the customers out of difficult situations.

In 2006, an employee at the HSBC Data Processing Center in Bangalore, India was arrested for allegedly passing personal customer information. As a result UK bank customers lost approximately USD $425,000. The incident cast a black eye on outsourcing work to India and may affect future projects being considered for India and other parts of Asia.

According to IT Business News, the HSBC incident was brought to notice by some of its customers in England who complained that money was transferred out of their accounts without their knowledge. The lessons from these incidents at HSBC have prompted several security and quality assurance policies aimed to protect customers’ sensitive personal information. A dedicated team of compliance officers has been specially trained and deployed to ensure that breaches in security and access of customer information will be minimized.

According to press reports, Alaska Airlines and Horizon Air had to notify 1,500 of their customers that their credit cards may have been misused by a former call center employee. The former employee is alleged to have taken the card information provided by some of the airlines’ customers to pay for reservation changes. Rather than process the payment on behalf of the airlines, the individual is alleged to have diverted the funds to a personal account.

Payment Card Industry Response

In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., established the PCI Security Standards Council in September 2006. The aim of the council was to establish a set of rules that merchants and service providers must comply with in order to accept payments through the credit and debit card apparatus set up by the card vendors. While the Council is managed by the card industry, membership is open to any organization that participates in the payment processing system, including merchants, processors, POS vendors, and financial institutions.
The Council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. The original PCI regulations specifically forbade storing primary account numbers (PAN), PIN numbers, service codes, expiration dates, and other specified identifiers unless they met PCI-DSS encryption standards. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the council is exempt from compliance.
While the standard is primarily aimed at cardholder information in databases, contact centers can easily become unsuspecting violators. This is because of the practice of collecting and entering card data into order entry systems and archiving private customer information in call and data recording systems. Initially, the PCI-DSS allowed the voice and data recording and storage of sensitive card information provided that certain safeguards were in place, such as encryption, firewalls, and need-to-know authorizations. The precise levels of encryption are spelled out in the standard, as are the data categories that may be stored when properly encrypted.
PCI-DSS Requirements Impacting Call Recording - Do Not Record Validation Codes

On October 28, 2010 the Security Standards Council issued a clarification that states that it is a violation of the PCI-DSS to store card validation codes and the full contents of any track from the magnetic stripe located on the back of the card. This includes the cardholder’s name, the primary account number (PAN), expiration date, and personal identification number (PIN) after authorization, even if encrypted. Note: it is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.

The card validation value code is the three or four digit number that is usually imprinted next to the signature line on the back of the payment card. On American Express cards, the security code is on the face of the card.

The Card Verification Code (referred to as CAV2, CVC2, CVV2, or CID) must not be retained post authorization, cannot be stored in a standard digital audio or video format (e.g. wav, mp3, mpg, etc.), and a proper disposal procedure must be in place. If the recording solution cannot block the audio or video from being stored, the code must be deleted from the recording if it is initially recorded.
Telephone order takers require the validation code as well as the PAN (Primary Account Number) and expiration date in order to secure authorization from the card issuer. Without that number, cyber thieves cannot make eCommerce purchases or illegally transfer funds out of the cardholders’ accounts. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms.

When it is absolutely necessary that your organization retain card verification codes, you will need to demonstrate to your QSA (Qualified Security Assessor) and your acquiring bank that:

You perform, facilitate or support issuing services - it is allowable for these types of organizations to store sensitive authentication data only if they have a legitimate business need to store such data. It should be noted that all PCI-DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI-DSS and specific payment brand requirements.

The latest PCI-DSS standards require that PAN must be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

One-way hashes based on strong cryptography (hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

Other Important PCI-DSS Requirements that Impact Call Recording

Requirement 4 and Subsection 4.1 require that strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) be used to protect cardholder data transmitted across open networks.

Requirement 7 and Subsection 7.1 require that access to computing resources and cardholder information be limited to those individuals whose job requires such access, e.g. for strong business reasons. Organizations should create a clear policy for data access control to define how, and to whom, access is granted.

Requirement 7 and Subsection 7.2 require organizations that accept payment cards to establish a mechanism for systems with multiple users that restricts access based on a user’s need-to-know and is set to “deny all” unless specifically allowed.

Requirement 8 and Subsection 8.1 require organizations that accept payment cards to assign a unique ID to each person with computer access before allowing them to access system components or cardholder data.

Subsection 8.3 requires two-factor authentication for remote access to the network by employees, administrators and third parties.

Subsection 8.5 requires proper user authentication and password management for users and administrators on all system components.

Subsection 8.5.16 requires organizations that accept payment cards to authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
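The four approaches for rendering PAN unreadable, and the note about correlating truncated and hashed values, as an added Python example written for this guide (it is not VPI's code and not reference code from the PCI Security Standards Council): it implements truncation, a keyed one-way hash over the entire PAN and an index-token vault, and computes how small the candidate set behind a truncated value is, which is why an unkeyed hash stored next to it offers little protection. The test card number, the HMAC key and the in-memory vault are constructed for the example.

```python
"""Rendering a stored PAN unreadable: truncation, keyed one-way hash, index token.

Constructed example for this guide; not VPI's code and not PCI SSC reference code.
The PAN is the widely published "4111..." test number, the HMAC key is supplied
by the caller, and the token vault is an in-memory stand-in for a real one.
"""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed: Luhn-valid test number, not a real card


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN satisfies; rejects obvious typos."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep only the first six and last four digits, the most PCI-DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """One-way hash of the ENTIRE PAN, keyed so candidates cannot be tried without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_search_space(truncated: str) -> int:
    """Number of PANs that agree with a truncated value.

    The Luhn check pins exactly one of the masked digits, so n masked digits
    leave 10**(n-1) candidates. With first-six/last-four of a 16-digit PAN that
    is only 100,000, which is why an UNKEYED hash stored beside the truncated
    value lets the original be recovered cheaply (the correlation note above).
    """
    masked = truncated.count("*")
    return 10 ** (masked - 1) if masked else 1


class TokenVault:
    """Index tokens: a random token stands in for the PAN everywhere outside the vault."""

    def __init__(self) -> None:
        self._by_token = {}   # in production this table is itself encrypted at rest

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(8)   # random: no relationship to the digits
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only a need-to-know caller (e.g. the settlement job) should reach this."""
        return self._by_token[token]


def render_unreadable(pan: str, key: bytes, vault: TokenVault) -> dict:
    """Build the record a recording server may keep: no field contains the full PAN."""
    return {
        "pan_truncated": truncate(pan),
        "pan_hash": keyed_hash(pan, key),
        "pan_token": vault.tokenize(pan),
    }


def contains_full_pan(record: dict, pan: str) -> bool:
    """Control check: scan every stored value (spaces and dashes removed) for the PAN."""
    return any(pan in str(v).replace(" ", "").replace("-", "") for v in record.values())


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)          # constructed key for the demo run
    print(render_unreadable(SAMPLE_PAN, demo_key, TokenVault()))
    print("candidates behind the truncated value:", unkeyed_search_space(truncate(SAMPLE_PAN)))
```

The keyed hash is what makes the hash and the truncated value safe to coexist: without the key, the 100,000 candidates cannot be tried against the digest. The key then needs the same key-management discipline the fourth approach calls for.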
Requirement 10 and Subsection 10.1 require card acceptors to track and monitor all access to network resources and cardholder data and establish a process for linking all access to system components to each individual user.

Requirement 10 and Subsection 10.2 require card acceptors to implement automated audit trails for all system components to reconstruct events such as user access to cardholder data, access to audit trails, use of authentication mechanisms, and the like.

If an important part of the agent’s job is to accept and/or solicit sales, then the question becomes: how do we prevent recording and storing of sensitive authentication data and the full contents of any magnetic stripe track?
Available Alternatives

Alternative 1: Cease recording all sales and transaction calls.
Alternative 2: Train agents to disable the recording function when card data is required, then restart after the transaction is completed.
Alternative 3: Require agents to delete the section of the recording that includes the authorization code.
Alternative 4: Third-party devices that require the caller to enter card details via their touch tone pad.
Alternative 5: Do nothing.
Alternative 6: Invest in call recording systems that automatically mask and mute sensitive card details.

Alternative 1 - Cease Recording

The notion of simply halting the practice of recording all calls and related data that may involve the capture of interactions containing sensitive information is certainly an approach that will be compliant. Thieves cannot steal information that was never stored. However, the trade-off is too severe. You must be able to manage call quality, and there are laws and regulations that many centers, particularly outbound, need to comply with. Full-time recording is the only way to measure compliance.

Alternatives 2 and 3 - Agent-driven Compliance

At the final stage of taking credit card data, the recorded agent could transfer the call to an unrecorded extension where a second agent takes aspects of the customer credit card data such as the CVV number for bank verification. Some recording systems allow the agent to manually pause and resume the recording via buttons on their screen or handset.

These approaches may work, but they add a burden to agents and are obviously error-prone. There may also be a question of whether relying on employee actions would pass muster with the payment card council, which prefers solid, technology-based solutions.

Alternative 4 - Transfers to Third Party Devices

There are third party devices that can be bolted onto an existing recorder. This method works by requiring the caller to enter card details manually via the touch tone pad. The idea has merit, since little agent intervention is required and the system automatically masks card entries on the agent screen and blocks the DTMF tones from being recorded. Agents could also transfer calls to an IVR platform for taking such details as CVV for bank verification. The downsides are the paucity of choices, risk of user error, the unnatural interruption of call flow, the need to manage an adjunct device that’s not part of an integrated solution, and an added cost per transaction.
Alternative 5 - Do Nothing

The “do nothing” option appears to be the favored choice at this point. In the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team, researchers uncovered 90 confirmed breaches within their 2008 caseload encompassing an astounding 285 million compromised records, and 81% of businesses were not Payment Card Industry (PCI) compliant. The most common form of data breach was compromised payment cards, with retail and financial services accounting for six out of ten of the security breaches.

A 2009 poll of United Kingdom call center managers found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a violation of the Payment Card Industry Data Security Standard. Of the 133 call center managers contacted for the survey, only 3 percent indicated compliance with the guidelines. Among the reasons for failing to abide by PCI-DSS, 61 percent said they were unaware of the standards, 18 percent were aware but said they couldn’t comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.
Alternative 6 - Invest in Call Recording Systems that Automatically Mute and Mask Sensitive Card Details

A handful of leading call recording vendors have developed truly integrated solutions. With the VPI solution, for example, the recorder uses desktop analytics to monitor application screens in use by the agent during the interaction (to include CRM, sales automation or other applications) to automatically sense when the agent is entering screens or fields where sensitive information must be entered, without the need for a costly back-end integration to those systems.

The VPI Fact Finder desktop analytics application can detect when an agent enters a screen with sensitive information, when sensitive information is inputted, and when they leave a screen containing sensitive information.
The VPI Solution

The VPI recording system then automatically classifies calls containing sensitive cardholder information and provides organizations with four options to help effectively balance their PCI requirements with liability, quality management and other regulatory requirements:

VPI’s Four Options

Option 1 - Delete all call recordings with sensitive information but retain valuable non-sensitive interaction data for reporting and analysis

Data about what happened during the interaction often provides more business value than the actual recording itself. Instead of being deleted along with the sensitive audio and screen recordings, valuable data such as call date/time, call direction, total handle time, hold time, Customer ID, Agent ID, DNIS, sales or collections $ amount, number of transfers, or even handle time of key processes within the call that led up to the successful transaction, is made available in interactive reports and analysis of key business issues and opportunities.
Option 2 - Roles-based access to recorded files containing sensitive information

For organizations that are permitted to record entire calls (companies that perform, facilitate, or support issuing services), the VPI solution has the ability to only allow access to call recordings containing sensitive payment card data based on the user’s log-in account and corporate role. For example, only compliance officers and senior executives would have access to those recorded files during legal discovery. All other system users would not be able to access the recorded calls (Requirements 3.2 and 8.5).
Option 3 - Roles-based muting/masking upon playback

For organizations required to record calls (e.g. those per 3.2), and who would also like to play back for quality and training purposes, VPI has a solution that allows access to recordings while controlling the access to sensitive information. The solution uses VPI’s Fact Finder technology to tag the sensitive events and upon playback mutes the audio and masks the screen video during segments of the call containing sensitive data. Agents, supervisors and QA analysts without full access rights are able to play back the call while hearing and seeing everything that led up to and followed the sensitive transaction, including after-call wrap time. Only authorized users, such as compliance officers or senior managers, would have access to those recorded files in their entirety. (Requirements 3.2, 7.1 and 7.2)

The VPI solution has the ability to mute out the audio and mask out the screen video during segments of the call containing sensitive data upon playback.
Option 4 - Permanent muting/masking during segments of the call containing sensitive info

For organizations that do not have a justifiable need to review or keep entire recordings for liability and other regulatory reasons, VPI is creating a solution to permanently mask and mute sensitive audio and screen video that will comply with the most stringent of the PCI requirements. In this case, the audio and video of segments containing sensitive card holder information will be deleted prior to storage of recordings and unavailable to all system users regardless of user authorization privileges.

NOTE: VPI expects to make this feature generally available in 2011. (Timeline for this feature is subject to change.)
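The muting and masking described for Options 3 and 4, as an added Python example written for this guide and not VPI's code: a recording is modelled as a tuple of audio samples plus timestamped screen text, desktop enter/leave events (standing in for what a tool like Fact Finder detects) define the sensitive windows, and one masking function is applied either before storage (Option 4) or at playback for any role not explicitly granted full access (Option 3). The sample rate, screen names, roles and the six-second sample call are constructed; a real recorder works on PCM audio and screen video rather than these small tuples.

```python
"""Tag-driven muting and masking of a call recording.

Constructed example for this guide, not VPI's code. Everything below (sample
rate, screen names, roles, the sample call) is invented to keep the demo small.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_RATE = 10  # constructed: 10 audio samples per second
SENSITIVE_SCREENS = {"payment.card_number", "payment.cvv"}  # constructed field names


@dataclass(frozen=True)
class Recording:
    audio: Tuple[int, ...]                 # PCM-like samples, one per 1/SAMPLE_RATE s
    screen: Tuple[Tuple[float, str], ...]  # (seconds into call, captured screen text)


@dataclass(frozen=True)
class DesktopEvent:
    """What a desktop-analytics agent would emit when the agent changes screens."""
    seconds: float
    kind: str    # "enter" or "leave"
    screen: str


def sensitive_windows(events: List[DesktopEvent]) -> List[Tuple[float, float]]:
    """Turn enter/leave events on sensitive screens into [start, end) windows."""
    windows, open_at = [], None
    for ev in sorted(events, key=lambda e: e.seconds):
        if ev.screen not in SENSITIVE_SCREENS:
            continue
        if ev.kind == "enter" and open_at is None:
            open_at = ev.seconds
        elif ev.kind == "leave" and open_at is not None:
            windows.append((open_at, ev.seconds))
            open_at = None
    if open_at is not None:  # agent never left the screen: fail closed, mask to end of call
        windows.append((open_at, float("inf")))
    return windows


def _in_window(t: float, windows) -> bool:
    return any(start <= t < end for start, end in windows)


def mask(rec: Recording, windows) -> Recording:
    """Silence audio and replace screen text inside the windows only, so everything
    before and after the sensitive segment (including wrap time) stays reviewable."""
    audio = tuple(0 if _in_window(i / SAMPLE_RATE, windows) else s
                  for i, s in enumerate(rec.audio))
    screen = tuple((t, "[MASKED]" if _in_window(t, windows) else text)
                   for t, text in rec.screen)
    return Recording(audio, screen)


def store_permanently_masked(rec: Recording, events) -> Recording:
    """Option 4: the sensitive segment is removed before the recording is stored."""
    return mask(rec, sensitive_windows(events))


FULL_ACCESS_ROLES = {"compliance_officer", "senior_manager"}  # constructed; all others denied


def playback(rec: Recording, events, role: str) -> Recording:
    """Option 3: the full recording is kept; masking is applied at playback
    unless the caller's role is explicitly granted full access."""
    if role in FULL_ACCESS_ROLES:
        return rec
    return mask(rec, sensitive_windows(events))


def sample_call():
    """Constructed six-second call; the agent is on the card-number screen from 2.0 s to 4.0 s."""
    rec = Recording(
        audio=tuple(range(1, 61)),                               # 60 non-zero samples
        screen=((0.5, "Greeting: order #1001"),
                (2.5, "Card: 4111 1111 1111 1111  CVV: 123"),   # constructed test values
                (4.5, "Order confirmed")),
    )
    events = [DesktopEvent(2.0, "enter", "payment.card_number"),
              DesktopEvent(1.0, "enter", "crm.customer"),       # not sensitive, ignored
              DesktopEvent(4.0, "leave", "payment.card_number")]
    return rec, events


if __name__ == "__main__":
    call, call_events = sample_call()
    print(store_permanently_masked(call, call_events).screen)
```

The fail-closed branch in `sensitive_windows` matters in practice: if the leave event is lost (agent disconnect, analytics crash), masking to the end of the call errs on the side of the PCI requirement rather than leaving the card number audible.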
VPI Response to Requirement 4 – Encrypt transmission of cardholder data across open networks

The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or “home-grown” algorithm). VPI supports AES 256 data and file encryption using strong cryptography as well as secure protocols including Secure Socket Layer, Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of recorded voice and screen recordings and associated data over the network. (Requirement 4.1)

VPI Response to Requirement 7 – Restrict access to card holder data by business need-to-know

The VPI system is capable of supporting a granular definition of access rights for a large number of user types, which allows for greater control over system user Roles and Privileges, such as the ability to search for and play back media files which contain sensitive data as identified by the VPI Fact Finder desktop analytics tool.

VPI Response to Requirement 8 – Assign a unique ID to each person with computer access

The VPI system has unique user system log-in with an audit trail showing who has logged into the system, searched for calls, played back or exported calls, and when. The status of all activities can also be monitored in heat maps that present audit log data in a visual, easy-to-analyze manner.

VPI Response to Requirement 10 – Track and monitor all access to network resources and card holder data

This is achieved by providing an audit trail of all user activities – linking specific actions to specific users, thereby providing a high degree of visibility and transparency. (Requirement 10.1) The VPI system also provides an interface for reconstructing events – user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (Requirement 10.2)
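The three controls just described, as an added Python example written for this guide and not VPI's code: privileges are granted explicitly per role with everything else denied (Requirement 7.2), each person gets one unique ID and a reused ID is rejected (8.1), and every authorization decision is written to an audit trail that links the action to the user and can be reconstructed by user or by activity type (10.1, 10.2). The trail is hash-chained so that an edited or removed entry is detectable on verification. Roles, user IDs, the fixed clock and the call identifier are constructed.

```python
"""Need-to-know access control with a tamper-evident audit trail.

Constructed example for this guide, not VPI's code. Roles, privileges, user
ids, the fixed clock and the call id below are all invented.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Requirement 7.2: privileges are granted explicitly per role; anything absent is denied.
ROLE_PRIVILEGES = {
    "agent": {"search_calls"},
    "qa_analyst": {"search_calls", "playback_masked"},
    "compliance_officer": {"search_calls", "playback_masked", "playback_sensitive", "export_call"},
}


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    when: str
    user_id: str      # Requirement 8.1: an individual's id, never a shared login
    action: str
    target: str
    allowed: bool
    prev_hash: str    # chains events so edits or deletions are detectable
    hash: str


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RecordingSystem:
    def __init__(self, clock: Optional[Callable[[], str]] = None) -> None:
        self._roles = {}                      # user_id -> role
        self._events: List[AuditEvent] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def add_user(self, user_id: str, role: str) -> None:
        if user_id in self._roles:
            raise ValueError(f"user id {user_id!r} already exists")  # 8.1: ids are unique
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        self._roles[user_id] = role

    def authorize(self, user_id: str, action: str, target: str) -> bool:
        """Decide and record. Unknown users and unlisted actions fall through to deny."""
        role = self._roles.get(user_id)
        allowed = role is not None and action in ROLE_PRIVILEGES[role]
        self._log(user_id, action, target, allowed)
        return allowed

    def _log(self, user_id, action, target, allowed) -> None:
        prev = self._events[-1].hash if self._events else "0" * 64
        body = {"seq": len(self._events), "when": self._clock(), "user_id": user_id,
                "action": action, "target": target, "allowed": allowed, "prev_hash": prev}
        self._events.append(AuditEvent(hash=_digest(body), **body))

    # Requirement 10.2: reconstruct events by user or by activity type.
    def events_by_user(self, user_id: str) -> List[AuditEvent]:
        return [e for e in self._events if e.user_id == user_id]

    def events_by_action(self, action: str) -> List[AuditEvent]:
        return [e for e in self._events if e.action == action]

    def verify_trail(self) -> bool:
        """Recompute the chain; False means an event was altered or removed."""
        prev = "0" * 64
        for seq, ev in enumerate(self._events):
            body = {k: v for k, v in asdict(ev).items() if k != "hash"}
            if ev.seq != seq or ev.prev_hash != prev or _digest(body) != ev.hash:
                return False
            prev = ev.hash
        return True


def demo() -> dict:
    """Constructed session: an agent and a compliance officer both ask for a sensitive playback."""
    system = RecordingSystem(clock=lambda: "2010-10-28T09:00:00+00:00")  # constructed fixed clock
    system.add_user("a.smith", "agent")
    system.add_user("c.jones", "compliance_officer")
    try:
        system.add_user("a.smith", "qa_analyst")   # a second person may not reuse the id
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    agent_ok = system.authorize("a.smith", "playback_sensitive", "call-0001")
    officer_ok = system.authorize("c.jones", "playback_sensitive", "call-0001")
    ghost_ok = system.authorize("ghost", "search_calls", "call-0001")      # no such user
    intact = system.verify_trail()
    # Simulate someone editing the log to hide the agent's denied attempt.
    first = system._events[0]
    system._events[0] = AuditEvent(**{**asdict(first), "allowed": True})
    return {"duplicate_rejected": duplicate_rejected, "agent_ok": agent_ok,
            "officer_ok": officer_ok, "ghost_ok": ghost_ok, "trail_intact_before": intact,
            "trail_intact_after_tamper": system.verify_trail(),
            "agent_events": len(system.events_by_user("a.smith")),
            "sensitive_playbacks": len(system.events_by_action("playback_sensitive"))}
```

Denied attempts are logged alongside granted ones on purpose: Requirement 10 is about reconstructing who tried to reach cardholder data, and a denied `playback_sensitive` request from an agent account is exactly the event a reviewer wants to find.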
Consequences of Non-Compliance

Non-compliance risks revocation of card acceptance privileges and violation of state laws. Loss of card acceptance privileges could easily spell the death knell for retailers, service providers, and collection agencies. In fact, it is difficult to think of any type of business, nonprofit, or government revenue collection entity that does not rely on payment cards. The card issuers have the authority to revoke card privileges through their contracts.

The other possibility is violation of state laws. As of this time, three states (Minnesota, Nevada, and Washington) have codified payment card industry data security standards. Quoting from the Washington state law, “A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach.” This requirement is not contingent on the volume of transactions.

The Nevada law requires that companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver’s license numbers or account numbers together with passwords must use encryption if they send the information outside of the company. The Nevada law is reported to be the only law that actually mandates PCI-DSS compliance. The language “doing business in the state of Nevada” is very broad and presumably could include companies not domiciled in the state. Other states are considering legislation that would codify PCI-DSS.
Advisable Best Practices

Obviously, if your business or organization accepts payment cards, it is in your best interest to become compliant with PCI-DSS. In addition to the standards, there are many other actions you can take to help prevent breaches of sensitive card and personal information.
1. Work with your information technology department before implementing contact center-specific solutions. Compliance is an organization-wide commitment. IT may have an overall security plan that contact centers must adopt. For example, individuals that require access to archived calls that may include card data must be specifically authorized to access this information.
2. Make sure your order entry, new customer applications, and any other customer databases that your agents frequently access mask out credit, debit, and other sensitive information.
3. Limit the amount of time that card information is kept in the call recording server database (both voice and screen recordings). It may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI-DSS and regulatory compliance requirements (requirement 3.1).
4. Ensure that proper user authentication is implemented for staff, agents and administrators (requirement 3.2).
5. Segment contact center operations so that a limited number of employees have access to payment card data. For example, payment card information can be entered by a sales agent, but a customer service representative may have access only to the masked PAN (requirements 8.1 and 8.5).
6. Be very careful about who you hire. If the agent will be accepting card payments or otherwise be privy to sensitive personal information, conduct a thorough background check before extending an employment offer.
7. Make clear that unauthorized disclosure of sensitive personal information is grounds for termination.
8. If an employee is terminated or resigns, immediately change the password to that individual’s workstation. Don’t wait until the end of the workday.
9. If you are working with outsourcers, remember that PCI-DSS is an international requirement. The outsourcer must also be compliant.
10. Understand the data security precautions taken by outsourcers.
11. Do not allow thumb drives or any other portable storage devices into your contact center.
12. Agents or other employees should never open emails from unknown sources. This is a favored method by cyber criminals for installing key loggers and other malware.
13. Make sure you maintain strict processes that prevent agents from jotting down card numbers for later entry into the customer database.
14. Contact center agents should be discouraged from revealing their occupation on social networking sites. You don’t want them to become unsuspecting targets.
15. Ensure that agents and supervisors do not share user IDs and passwords. Each user must be uniquely identified by their own login credentials. This information should be encrypted when stored in any computer systems.
16. Review your CRM, sales automation, collections and order entry systems to assure that complete card numbers and the security code are not displayed. The security code should never be stored.
17. Find out how your current recording software handles PCI-DSS compliance. Some vendors do not have a solution. Others may require deleting entire interactions that involve card transactions, making it impossible to conduct quality evaluations on these calls or retrieve them for compliance or verification purposes.
18. Restrict access to QA recording and CRM data containing payment card data based on the user’s log-in account and corporate role.
19. Ensure that stored recordings are not played back over a speaker phone if payment card information is included.
20. If you are considering a new interaction recording system, look into the approach adopted by VPI. VPI provides encryption at no extra cost. For companies that prefer a more flexible approach, VPI’s VPI CAPTURE call recording software can automatically detect when an agent enters a screen where a credit card field is to be filled out and then mask both the voice and screen entries for the duration of the agent’s activities while working in those screens. The security code can be permanently deleted from both voice and screen recording. The system masks the sensitive information in voice and data recordings, which can only be accessed by authorized personnel.
Best Practices for Securing At-Home Agents

Contact center at-home agent programs are rapidly growing in number and size due to their attractive benefits of reducing operational costs, increasing performance and improving the customer experience. However, using at-home or remote workers carries with it a much greater security risk. When utilizing and recording at-home or remote workers, the following are additional advisable practices:

Be sure that the same level of firewall, corporate anti-virus protection, security patches, and definition files are extended to remote agents’ and supervisors’ PCs. (Requirements 1.4, 5.1 and 6.1)
Remote workers should be forbidden from copying, moving, and storing cardholder data onto hard drives or moveable electronic media when accessing cardholder data. (Requirement 12.3.10)
Ensure remote agents and supervisors use a two-factor authentication process. (Requirement 8.3)
Use strong network encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of the VoIP voice stream and data over the public network. (Requirement 4.1)
Ensure each at-home agent and supervisor is using a VPN connection into the corporate network with strong encryption protocols such as SSL/TLS. (Requirement 4.1)
Require remote agents and supervisors to encrypt their wireless networks using strong cryptography (Requirements 2.1.1 and 4.1.1). As of June 30, 2010, the Wired Equivalent Privacy (WEP) protocol is no longer permissible for any new wireless implementations (Requirement 4.1). The use of WPA2 is recommended.
If not using an enterprise VoIP-based telephone solution, require agents to use analogue telephone lines when talking with customers.
At-home agents should not use consumer VoIP telephone systems (such as Vonage) because their communications may not be encrypted. (Requirement 4.2)
Ensure that payment card information is never sent over an unencrypted medium such as chat, SMS/text or email or other non-encrypted communication channels.
Ensure that at-home agent and supervisor PCs have personal firewalls installed and operational. (Requirement 1.4)
Ensure that at-home agent and supervisor PCs have the latest approved security patches installed.
Require agents and supervisors to use only company-supplied systems. (Requirement 12.3)
Monitor at-home agents more often than in-house agents. (Requirement 12.3)
Annually review all security policies and procedures with all agents and require at-home agents to acknowledge the security requirements as part of their daily sign-in process. (Requirement 12.6)
Dilemma for Contact Centers
PCI-DSS compliance is only one of a growing list of laws, regulations, and industry standards that contact centers need to consider. There are several regulations that require or strongly recommend that calls be recorded in their entirety:
Telemarketing Sales Rule
FSA (Financial Services Authority) Rules
BASEL II
Sarbanes-Oxley Act
Gramm-Leach-Bliley Financial Services Modernization Act
Truth in Lending Act (TILA) and Fair Debt Collections Practices Act (FDCPA)
Telemarketing Sales Rule
The Telemarketing Sales Rule requires a consumer's express verifiable authorization for use of bank account information to obtain payment through phone checks or demand drafts. This can be done via confirmation by a call recording of the consumer giving authorization or advance written authorization. The recorded authorization and written confirmation must include the date and amount of the draft(s), the name on the account from which the funds will be paid, the number of draft payments authorized, if more than one, a telephone number answered during normal business hours that the consumer can call with questions, and the date of the consumer's authorization. Many states require advance consent of the recorded party; the recorded confirmation must show that the consumer understands and acknowledges each term of the transaction and authorizes it.
FSA (Financial Services Authority) Rules
The United Kingdom Financial Services Authority (FSA) published rules in March of 2009 requiring firms to record telephone conversations and other electronic communications including email and instant messages relating to trading orders and the conclusion of transactions in the equity, bond, and derivatives markets. The rules were established as part of the FSA's efforts to combat market abuse, particularly insider dealing, and to help deter and detect market manipulation and abuse in the United Kingdom. The FSA rules are in accordance with Markets in Financial Instruments Directive (MiFID) general record keeping standards. The rules require organizations to retain their recorded calls and communications for 6 months. This is expected to be longer in future regulations (the initial recommendation was three years). The FSA must be able to access recorded calls readily.
Other regulated organizations involved in retail activities such as banking, insurance, loans or mortgages will still have the option to record calls or keep alternative records; however, recording is likely to become mandatory in the near future. Insurance companies complying with directives such as the Insurers Conduct of Business (ICOB) are already advised to introduce call recording. Companies will also find in 99% of cases the Financial Ombudsman Service will favor the client's word if the organization cannot provide a recorded transcript of relevant telephone calls.
BASEL II
BASEL II recommendations and policies, developed by the BASEL committee consisting of representatives from all G-20 major economies as well as other major banking locales such as Hong Kong and Singapore, prescribe that banks and their outsourced contact centers implement Operational Risk Management practices. The BASEL committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In order to protect from the official event types defined by BASEL II, including Internal Fraud (misappropriation of assets, tax evasion, intentional mis-marking of positions, bribery), External Fraud (theft of information), Employment Practices and Workplace Safety (discrimination, workers compensation, employee health and safety), Clients, Products, & Business Practice (market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning), and Execution, Delivery, & Process Management (data entry errors, accounting errors), many banks require full-time call recording and long-term storage of their recorded interactions.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act provides extensive guidelines for the documentation of business processes and transactions, mandating that businesses create and maintain electronic records as part of their regular business processes. To help ensure compliance with Sarbanes-Oxley, many organizations currently record and store all their calls in their entirety. Maintaining an electronic record of telephone calls in the same manner as emails helps to ensure compliance with Sarbanes-Oxley and simplifies the discovery and auditing processes, reducing the potential for abuse or mistakes.
Gramm-Leach-Bliley Financial Services Modernization Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. Under the Safeguards Rule, financial institutions must create and follow a written information security plan that details how they will protect the non-public information, such as account and identification numbers, of their current and former customers.
Call recording solutions make it easy to incorporate voice-based communications as part of an organization's GLBA compliance plan. In addition, companies that factor call recording into their electronic records plan have an added layer of security, knowing that every aspect of their business is compliant, rather than just their written documents and transactions.
Truth in Lending Act (TILA) & Fair Debt Collections Practices Act (FDCPA)
Full-time call recording is also frequently mandated to ensure contact center employees are accurately disclosing information required by the Truth in Lending Act and complying with collection practices required by the Fair Debt Collections Practices Act.
Barclaycard Guidance
Balancing the need for PCI compliance with other regulations, laws and risk management requirements with the quality management requirements can pose a dilemma. Barclaycard prepared a very informative white paper that, among other things, advises that:
Call centre managers will need to ensure that the PAN is masked when displayed (i.e. first 6 and last 4 digits). This is part of requirement 3.3 and may include:
Restricting access to QA/recording and CRM data containing payment card data based on the user's log-in account and corporate role; for example, providing screen recording playback interfaces where the payment card information is displayed only to the managers and compliance officers during legal discovery, and having it blacked out (masked) for all other supervisors and QA specialists.
Segmenting contact centre operations so that a limited number of agents have access to payment card data; for example, payment card information may be entered by a sales agent but a customer service representative will only have access to the masked PAN.
Readers are encouraged to read the entire paper for more suggestions.
Executive Summary
Identity theft is a massive problem in the United States and globally. In response, the payment card industry has established clear rules to help assure that critical financial and identification data is protected from menaces both outside and within the enterprise. The PCI-DSS requirements must be adhered to by every organization - regardless of size - that accepts payment cards. There are direct impacts on contact centers, which in the past have proved to be fertile grounds for extracting payment card details from unsuspecting customers.
In this paper we highlighted some sound practices to help assure data security. We also noted that the widespread practice of recording voice and data interactions may result in a breach of the data security standards and even a violation of certain state statutes unless important precautions are taken. Choosing to abandon interaction recording altogether or limit it to non-transactional calls is not an option. Besides the obvious need to assure consistent call quality there are many other laws and regulations where recording is a legal requirement or the only practical means of establishing compliance.
It is important that any call recording system purchased now can cope with both current and future changes in laws and industry standards and that the recording solution facilitate best practices. Suppliers must be able to prove that their products will help you assure compliance today and have the flexibility to adapt to future changes. The best solution is to avoid recording of the validation code altogether, after approval. The VPI solution provides this option.
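The PAN display masking (first 6 and last 4 digits, requirement 3.3) and the role-based playback access from the Barclaycard guidance above, as an added example that is not part of this paper or of any vendor's product. The role names, the record layout and the sample screen text are assumptions constructed for the example.

```python
import re

# Added example (not from this paper or any vendor product): mask a PAN for display
# per PCI-DSS requirement 3.3 (first 6 and last 4 digits visible) and gate full-PAN
# playback on the viewer's role. Role names and the record layout are assumptions.
FULL_PAN_ROLES = {"manager", "compliance_officer"}  # may see full PAN in legal discovery

def luhn_valid(pan: str) -> bool:
    """Luhn check, so that an arbitrary digit run (order number, ticket id) is left alone."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Return the PAN with only the first 6 and last 4 digits in clear."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

# 13-19 digits, optionally separated by single spaces or dashes, on word boundaries.
PAN_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def mask_text(text: str) -> str:
    """Mask every Luhn-valid PAN in free text (e.g. a captured screen or CRM note)."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RUN.sub(repl, text)

def render_for_viewer(record: dict, role: str, legal_discovery: bool = False) -> str:
    """Full PAN only for an approved role during legal discovery; masked for everyone else."""
    if role in FULL_PAN_ROLES and legal_discovery:
        return record["screen_text"]
    return mask_text(record["screen_text"])

# Constructed sample screen-capture text; 4111 1111 1111 1111 is a well-known test PAN,
# and 1234567890123456 is a non-card number that must survive unmasked.
SAMPLE_RECORD = {"screen_text": "Card 4111 1111 1111 1111 exp 12/26, order 1234567890123456"}

if __name__ == "__main__":
    print(render_for_viewer(SAMPLE_RECORD, "qa_specialist"))
    print(render_for_viewer(SAMPLE_RECORD, "compliance_officer", legal_discovery=True))
```

A compliance officer outside a legal-discovery view still gets the masked form, which is the point of tying disclosure to both role and purpose.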
About the Author
Dick Bucci is Principal of Pelorus Associates where he specializes in contact center technologies. He has authored ten in-depth reports on workforce optimization applications and over 30 white papers. As one of the industry's foremost thought leaders, his articles and observations have appeared in trade and business publications around the world. Dick has over 30 years of experience in the telecommunications industry.
About VPI
VPI is the world's premier provider of call recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,500 customers in 50 countries. VPI's award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder™, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere – all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open, service-oriented architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, call 1-800-200-5430 or visit www.VPI-corp.com/PCI
References
The information provided in this white paper is believed to be accurate, but is presented without express or implied warranty and is subject to change without notice.
The FTC in 2009, annual report of the Federal Trade Commission (March, 2009)
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond: A Joint Report of the US Department of Homeland Security, SRI International Identity Theft Technology Council, the Anti-Phishing Working Group, and IronKey, Inc. (September, 2006)
Symantec Report on the Underground Economy July 07-June 08, Symantec Corp. (November 2008)
Navigating PCI-DSS - Understanding the Intent of the Requirements, Version 2.0, Payment Card Industry (PCI) Data Security Standards, Payment Card Industry (PCI) (October, 2010)
2009 Data Breach Investigation Report, Verizon Business RISK Team
Safe and Sound, Processing Telephone Payments Securely, Barclaycard (April, 2010)
Contact VPI [email protected]
1.800.200.5430 www.VPI-corp.com