VPI - Call Recording Guide to PCI-DSS Compliance by Pelorus Associates


  • 8/4/2019 VPI - Call Recording Guide to PCI-DSS Compliance by Pelorus Associates


Table of Contents

Introduction  Page 3
Cyber Crime  Page 3
Contact Centers and Identity Theft  Page 3
Payment Card Industry Response  Page 4
PCI-DSS Requirements Impacting Call Recording  Page 5
Other PCI-DSS Requirements that Impact Call Recording  Page 6
Alternative 1 - Cease Recording  Page 7
Alternatives 2 and 3 - Agent-driven Compliance  Page 7
Alternative 4 - Transfers to Third Party Devices  Page 8
Alternative 5 - Do Nothing  Page 8
Alternative 6 - Invest in Intelligent Call Recording Systems  Page 8
VPI Solution  Page 8
Consequences of Non Compliance  Page 10
Advisable Best Practices  Page 11
Advisable Best Practices for Securing At-Home Agents  Page 12
Dilemma for Contact Centers  Page 12
Telemarketing Sales Rule  Page 13
FSA Rules  Page 13
BASEL II  Page 13
Sarbanes-Oxley Act  Page 13
Gramm Leach Bliley Financial Services Modernization Act  Page 13
TILA and FDCPA Acts  Page 13
Barclaycard Guidance  Page 14
Executive Summary  Page 14
About the Author  Page 15
About VPI  Page 15


Introduction

Identity theft was the number one source of consumer complaints to the Federal Trade Commission (FTC) in 2007. Estimates by private market research firms peg the incidence of identity theft as high as 15 million consumers. The most common form of identity theft, according to the FTC, is the misuse of credit and debit card accounts. Approximately 3.4 million adults can expect to have their payment card data compromised every year. When credit card identities are stolen, it's not just the credit card companies that are left holding the bag; cardholders often face economic losses, lengthy legal battles and struggles to re-establish clean credit records. While for most consumers the impact is modest, according to the FTC one out of twenty victims suffers median out-of-pocket losses of $400 and spends 60 hours trying to clean up the mess that resulted.

Cyber Crime

For today's high-tech thieves, software is a much more productive and arguably less risky way to take other people's money than dumpster-diving for card receipts or picking pockets. A class of software known generally as malware can unsuspectingly creep into databases and extract hundreds of thousands of account identifiers. Malware is also spread by propagating a worm or virus or by making the malware available on a web site that exploits a security vulnerability. Common techniques include phishing, key and screen loggers, and SQL injection attacks. According to "The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond", a report published by the U.S. Department of Homeland Security in 2006, "Credible estimates of the direct financial losses due to phishing alone exceed a billion dollars per year."

The largest security breach to date was disclosed in January 2009. The case involved Heartland Payment Systems Inc. Heartland processes more than 100 million card transactions per month for 250,000 clients. On August 17, 2009 Albert Gonzalez, 28, of Miami, Florida was charged by the Department of Justice with stealing data from 130 million debit and credit card holders. According to the indictment, Gonzalez and international co-conspirators used an intricate hacking technique called an SQL injection attack, which seeks to exploit a computer network by finding a way around firewalls to steal credit and debit card information. It turns out that Gonzalez and his thugs were also responsible for the highly publicized intrusion of TJ Maxx cardholders. Heartland expensed $144.2 million to consummate the settlement of claims.

Contact Centers and Identity Theft

Contact centers can become unsuspecting targets of cyber criminals. Outbound telemarketing centers, inbound centers that engage in up-selling and/or cross-selling, service providers, and collection companies always take payment in the form of credit or debit cards. The card information is entered into a CRM or other sales automation software and recorded by voice and screen recorders. And there it resides - thousands and even millions of card records inviting remote criminals or even greedy employees to extract for personal gain or sell into a sophisticated secondary market.


Payment Card Industry Response

In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., established the PCI Security Standards Council in September 2006. The aim of the council was to establish a set of rules that merchants and service providers must comply with in order to accept payments through the credit and debit card apparatus set up by the card vendors. While the Council is managed by the card industry, membership is open to any organization that participates in the payment processing system, including merchants, processors, POS vendors, and financial institutions.

Think it can't happen?

An investigative reporter from the BBC (British Broadcasting Company) posed as a fraudster seeking to buy credit card records from a fence in Delhi. The Indian conspirator offered to sell details on hundreds of plastic cards for $10 each. The video shows a buy being made and money changing hands. The reporters bought 50 cards as a sample with the hint that a larger buy would follow if the cards checked out. The names were later traced to a call center taking service calls for U.S.-based Symantec Corporation.

In the first example, Symantec followed up with a thorough investigation of the underground economy. Among the findings from their 68-page report was that the BBC reporters grossly overpaid for customer card data. Quoting from the report, "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)."

Also in India, local police in the city of Pune arrested 12 persons associated with a call center operated by outsourcer MphasiS for allegedly siphoning off $350,000 from the Citibank accounts of four US citizens. Some employees gained the confidence of customers and obtained their PIN numbers to commit fraud. They did this under the guise of helping the customers out of difficult situations.

In 2006, an employee at the HSBC Data Processing Center in Bangalore, India was arrested for allegedly passing personal customer information. As a result UK bank customers lost approximately USD $425,000. The incident cast a black eye on outsourcing work to India and may affect future projects being considered to India and other parts of Asia.

According to IT Business News, the HSBC incident was brought to notice by some of its customers in England who complained that money was transferred out of their accounts without their knowledge. The lessons from these incidents at HSBC have prompted several security and quality assurance policies aimed to protect customers' sensitive personal information. A dedicated team of compliance officers have been specially trained and deployed to ensure that breaches in security and access of customer information will be minimized.

According to press reports, Alaska Airlines and Horizon Air had to notify 1,500 of their customers that their credit cards may have been misused by a former call center employee. The former employee is alleged to have taken the card information provided from some of the airlines' customers to pay for reservation changes. Rather than process the payment on behalf of the airlines, the individual is alleged to have diverted the funds to a personal account.


The Council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. The original PCI regulations specifically forbade storing primary account numbers (PAN), PIN numbers, service codes, expiration dates, and other specified identifiers unless they met PCI-DSS encryption standards. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the council is exempt from compliance.

While the standard is primarily aimed at cardholder information in databases, contact centers can easily become unsuspecting violators. This is because of the practice of collecting and entering card data into order entry systems and archiving private customer information in call and data recording systems. Initially, the PCI-DSS allowed the voice and data recording and storage of sensitive card information provided that certain safeguards were in place, such as encryption, firewalls, and need-to-know authorizations. The precise levels of encryption are spelled out in the standard, as are the data categories that may be stored when properly encrypted.

PCI-DSS Requirements Impacting Call Recording - Do Not Record Validation Codes

On October 28, 2010 the Standards Security Council issued a clarification that states that it is a violation of the PCI-DSS to store card validation codes and the full contents of any track from the magnetic stripe located on the back of the card. This includes the cardholder's name, the primary account number (PAN), expiration date, and personal identification number (PIN) after authorization, even if encrypted. Note: it is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.

The card validation value code is the three or four digit number that is usually imprinted next to the signature line on the back of the payment card. On American Express cards, the security code is on the face of the card.

The Card Verification Code (referred to as CAV2, CVC2, CVV2, or CID) must not be retained post authorization, cannot be stored in a standard digital audio or video format (e.g. wav, mp3, mpg, etc.), and a proper disposal procedure must be in place. If the recording solution cannot block the audio or video from being stored, the code must be deleted from the recording if it is initially recorded.


Telephone order takers require the validation code as well as the PAN (Primary Account Number) and expiration date in order to secure authorization from the card issuer. Without that number, cyber thieves cannot make eCommerce purchases or illegally transfer funds out of the cardholder's accounts. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms.

The latest PCI-DSS standards require that PAN must be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

When it is absolutely necessary that your organization retain card verification codes, you will need to demonstrate to your QSA (Qualified Security Assessor) and your acquiring bank that:

- You perform, facilitate or support issuing services - it is allowable for these types of organizations to store sensitive authentication data only if they have a legitimate business need to store such data. It should be noted that all PCI-DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI-DSS and specific payment brand requirements.

Other Important PCI-DSS Requirements that Impact Call Recording

Requirement 4 and Subsection 4.1 require that strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) be used.

Requirement 7 and Subsection 7.1 require that access to computing resources and cardholder information be limited to those individuals whose job requires such access, e.g. for strong business reasons. Organizations should create a clear policy for data access control to define how, and to whom, access is granted.

Requirement 7 and Subsection 7.2 require organizations that accept payment cards to establish a mechanism for systems with multiple users that restricts access based on a user's need-to-know and is set to deny all unless specifically allowed.

Requirement 8 and Subsection 8.1 require organizations that accept payment cards to assign a unique ID to each person with computer access before allowing them to access system components or cardholder data.

Subsection 8.3 requires two-factor authentication for remote access to the network by employees, administrators and third parties.

Subsection 8.5 requires proper user authentication and password management for users and administrators on all system components.

Subsection 8.5.16 requires organizations that accept payment cards to authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
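The four approaches to rendering a stored PAN unreadable, and the note about correlating hashed and truncated copies, are easier to reason about with code in hand. The following is an added example written for this guide, not code from the paper or from VPI: it implements truncation, a keyed one-way hash of the entire PAN, and index tokens backed by a separately held vault, and it quantifies why the note matters by counting how many Luhn-valid PANs remain consistent with a truncated copy. The test card number, key and token format are constructed values.

```python
"""Added example (not from the VPI paper): the PCI-DSS approaches to rendering
a stored PAN unreadable, plus a measure of how little a truncated PAN hides.
All card numbers here are constructed test values, not real accounts."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check over a digit string (every PAN carries this check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep no more than the first six and last four digits
    (the most PCI-DSS permits to be displayed); everything else is masked."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the ENTIRE PAN. The secret key (HMAC) is what stops the
    digest being correlated with a truncated copy: without the key, nobody can
    test candidate PANs against the stored digest offline."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random surrogate with no mathematical relation to the PAN.
    The token-to-PAN map (the 'pad') lives only in the vault, which must be
    stored and protected separately from the systems that hold the tokens."""

    def __init__(self):
        self._pan_of = {}
        self._token_of = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_of:
            token = "tok_" + secrets.token_hex(8)   # constructed token format
            self._token_of[pan] = token
            self._pan_of[token] = pan
        return self._token_of[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_of[token]


def residual_candidates(truncated: str) -> int:
    """Number of Luhn-valid PANs consistent with a truncated PAN. For any choice
    of all but one hidden digit, exactly one value of the remaining hidden digit
    satisfies Luhn, so the count is 10**(hidden-1): a 16-digit PAN shown as
    first six + last four leaves only 100,000 candidates. That small search
    space is why an unkeyed hash of the same PAN stored next to its truncated
    copy is, as the standard warns, trivially reversible."""
    hidden = truncated.count("*")
    return 10 ** (hidden - 1) if hidden else 1
```

Tokenization and the keyed hash are the two forms that do not weaken when a truncated copy of the same PAN exists elsewhere; the key for the hash and the vault for the tokens are exactly the "pads" and "key-management processes" the standard says must be stored securely.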


Requirement 10 and Subsection 10.1 require card acceptors to track and monitor all access to network resources and cardholder data and establish a process for linking all access to system components to each individual user.

Requirement 10 and Subsection 10.2 require card acceptors to implement automated audit trails for all system components to reconstruct events such as user access to cardholder data, access to audit trails, use of authentication mechanisms, and the like.

If an important part of the agent's job is to accept and/or solicit sales, then the question becomes: how do we prevent recording and storing of sensitive authentication data and the full contents of any magnetic stripe track?

Available Alternatives

Alternative 1: Cease recording all sales and transaction calls.
Alternative 2: Train agents to disable the recording function when card data is required, then restart after the transaction is completed.
Alternative 3: Require agents to delete the section of the recording that includes the authorization code.
Alternative 4: Third-party devices that require the caller to enter card details via their touch tone pad.
Alternative 5: Do nothing.
Alternative 6: Invest in call recording systems that automatically mask and mute sensitive card details.

Alternative 1 - Cease Recording

The notion of simply halting the practice of recording all calls and related data that may involve the capture of interactions containing sensitive information is certainly an approach that will be compliant. Thieves cannot steal information that was never stored. However, the trade-off is too severe. You must be able to manage call quality, and there are laws and regulations that many centers, particularly outbound, need to comply with. Full-time recording is the only way to measure compliance.

Alternatives 2 and 3 - Agent-driven Compliance

At the final stage of taking credit card data, the recorded agent could transfer the call to an unrecorded extension where a second agent takes aspects of the customer credit card data such as the CVV number for bank verification. Some recording systems allow the agent to manually pause and resume the recording via buttons on their screen or handset.

These approaches may work, but they add a burden to agents and are obviously error-prone. There may also be a question of whether relying on employee actions would pass muster with the payment card council, which prefers solid, technology-based solutions.

Alternative 4 - Transfers to Third Party Devices

There are third party devices that can be bolted onto an existing recorder. This method works by requiring the caller to enter card details manually via the touch tone pad. The idea has merit, since little agent intervention is required and the system automatically masks card entries on the agent screen and blocks the DTMF tones from being recorded. Agents could also transfer calls to an IVR platform for taking such details as CVV for bank verification. The downsides are the paucity of choices, risk of user error, the unnatural interruption of call flow, the need to manage an adjunct device that's not part of an integrated solution, and an added cost per transaction.


Alternative 5 - Do Nothing

The do nothing option appears to be the favored choice at this point. In the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team, researchers uncovered 90 confirmed breaches within their 2008 caseload encompassing an astounding 285 million compromised records, and 81% of businesses were not Payment Card Industry (PCI) compliant. The most common form of data breach was compromised payment cards, with retail and financial services accounting for six out of ten of the security breaches.

A 2009 poll of United Kingdom call center managers found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a violation of the Payment Card Industry Data Security Standard. Of the 133 call center managers contacted for the survey, only 3 percent indicated compliance with the guidelines. Among the reasons for failing to abide by PCI-DSS, 61 percent said they were unaware of the standards, 18 percent were aware but said they couldn't comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.

Alternative 6 - Invest in Call Recording Systems that Automatically Mute and Mask Sensitive Card Details

A handful of leading call recording vendors have developed truly integrated solutions. With the VPI solution, for example, the recorder uses desktop analytics to monitor application screens in use by the agent during the interaction (to include CRM, sales automation or other applications) to automatically sense when the agent is entering screens or fields where sensitive information must be entered, without the need for a costly back-end integration to those systems.

The VPI Fact Finder desktop analytics application can detect when an agent enters a screen with sensitive information, when sensitive information is inputted, and when they leave a screen containing sensitive information.

The VPI Solution

The VPI recording system then automatically classifies calls containing sensitive cardholder information and provides organizations with four options to help effectively balance their PCI requirements with liability, quality management and other regulatory requirements:

VPI's Four Options

Option 1 - Delete all call recordings with sensitive information but retain valuable non-sensitive interaction data for reporting and analysis

Data about what happened during the interaction often provides more business value than the actual recording itself. Instead of being deleted along with the sensitive audio and screen recordings, valuable data such as call date/time, call direction, total handle time, hold time, Customer ID, Agent ID, DNIS, sales or collections $ amount, number of transfers, or even handle time of key processes within the call that led up to the successful transaction, is made available in interactive reports and analysis of key business issues and opportunities.

Option 2 - Roles-based access to recorded files containing sensitive information

For organizations that are permitted to record entire calls (companies that perform, facilitate, or support issuing services), the VPI solution has the ability to only allow access to call recordings containing sensitive payment card data based on the user's log-in account and corporate role. For example, only compliance officers and senior executives would have access to those recorded files during legal discovery. All other system users would not be able to access the recorded calls (Requirements 3.2 and 8.5).

Option 3 - Roles-based muting/masking upon playback

For organizations required to record calls (e.g. those per 3.2), and who would also like to play back for quality and training purposes, VPI has a solution that allows access to recordings while controlling the access to sensitive information. The solution uses VPI's Fact Finder technology to tag the sensitive events and upon playback mutes the audio and masks the screen video during segments of the call containing sensitive data. Agents, supervisors and QA analysts without full access rights are able to play back the call while hearing and seeing everything that led up to and followed the sensitive transaction, including after-call wrap time. Only authorized users, such as compliance officers or senior managers, would have access to those recorded files in their entirety. (Requirements 3.2, 7.1 and 7.2)

The VPI solution has the ability to mute out the audio and mask out the screen video during segments of the call containing sensitive data upon playback.

Option 4 - Permanent muting/masking during segments of the call containing sensitive info

For organizations that do not have a justifiable need to review or keep entire recordings for liability and other regulatory reasons, VPI is creating a solution to permanently mask and mute sensitive audio and screen video that will comply with the most stringent of the PCI requirements. In this case, the audio and video of segments containing sensitive card holder information will be deleted prior to storage of recordings and unavailable to all system users regardless of user authorization privileges.

NOTE: VPI expects to make this feature generally available in 2011. (Timeline for this feature is subject to change.)


VPI Response to Requirement 4 - Encrypt transmission of cardholder data across open networks

The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or home-grown algorithm). VPI supports AES 256 data and file encryption using strong cryptography as well as secure protocols including Secure Socket Layer, Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of recorded voice and screen recordings and associated data over the network. (Requirement 4.1)
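What "strong cryptography and security protocols" means in practice for a client that moves recordings or their metadata between systems is shown by the added example below. It is written for this guide and is not VPI code; the context settings and the cipher string are illustrative choices. One caveat the paper predates: the PCI Security Standards Council later removed SSL and early TLS from the list of acceptable protocols, so a current deployment should refuse anything below TLS 1.2, which is what the checker here enforces.

```python
"""Added example (not VPI code): a TLS client context that follows the
Requirement 4.1 intent described above (industry-tested algorithms, server
authentication, no SSL or early TLS) and a checker that reports why a given
context falls short. Settings are illustrative assumptions."""
import ssl


def strong_tls_context() -> ssl.SSLContext:
    """Client context for transferring recordings or their metadata."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 refused
    # Forward-secret key exchange with AEAD ciphers only; TLS 1.3 suites are
    # unaffected by this string and are always AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Substrings that identify cipher suites no longer considered strong.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def tls_findings(ctx: ssl.SSLContext) -> list:
    """Reasons a context would not satisfy 'strong cryptography and security
    protocols'; an empty list means it passes these checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits SSL or early TLS (minimum version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(m in c["name"] for m in WEAK_MARKERS))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def weak_tls_context() -> ssl.SSLContext:
    """Constructed counter-example: the 'just make it connect' context that
    disables certificate checking, so the checker has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Running `tls_findings` against every context an integration creates is a cheap way to turn the requirement into a check that an assessor can see, rather than a statement in a policy document.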

VPI Response to Requirement 7 - Restrict access to card holder data by business need-to-know

The VPI system is capable of supporting a granular definition of access rights for a large number of user types, which allows for greater control over system user Roles and Privileges, such as the ability to search for and play back media files which contain sensitive data as identified by the VPI Fact Finder desktop analytics tool.

VPI Response to Requirement 8 - Assign a unique ID to each person with computer access

The VPI system has a unique user system log-in with an audit trail showing who has logged into the system, searched for calls, played back or exported calls, and when. The status of all activities can also be monitored in heat maps that present audit log data in a visual, easy-to-analyze manner.

VPI Response to Requirement 10 - Track and monitor all access to network resources and card holder data

This is achieved by providing an audit trail of all user activities linking specific actions to specific users, thereby providing a high degree of visibility and transparency. (Requirement 10.1) The VPI system also provides an interface for reconstructing events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (Requirement 10.2)
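Options 2 and 3 above, the screen-event tagging of Alternative 6, and the Requirement 7, 8 and 10 responses all describe one mechanism: sensitive segments are tagged from desktop events, playback is gated by role with deny-all as the default, and every attempt is written to an audit trail under the user's unique ID. The following is an added example built for this guide, not VPI's code; the roles, user IDs, frame counts and desktop events are constructed for illustration.

```python
"""Added example (not VPI code): a toy recording store that models Options 2
and 3 and the Requirement 7, 8 and 10 responses. Roles, user IDs, frame counts
and desktop events are all constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Privileges per role. A role not listed, or a privilege not named, is denied:
# deny all unless specifically allowed (Requirement 7.2).
ROLE_PRIVILEGES = {
    "compliance_officer": {"search", "playback", "playback_sensitive", "export"},
    "qa_analyst": {"search", "playback"},
    "agent": {"search"},
}


def segments_from_events(events):
    """Turn desktop-analytics events (frame, kind) into (start, end) frame ranges
    covering the time an agent spent in a payment screen. A screen the agent
    never left is treated as sensitive to the end of the recording (end=None)."""
    segments, start = [], None
    for frame, kind in sorted(events):
        if kind == "enter_payment_screen" and start is None:
            start = frame
        elif kind == "leave_payment_screen" and start is not None:
            segments.append((start, frame))
            start = None
    if start is not None:
        segments.append((start, None))
    return segments


@dataclass
class Recording:
    call_id: str
    audio: list        # one sample per frame (constructed)
    screen: list       # one screen-capture label per frame (constructed)
    sensitive: list    # (start, end) frames tagged sensitive; end None = to end


@dataclass
class AuditEntry:
    when: str
    user_id: str
    action: str
    call_id: str
    outcome: str


class RecordingStore:
    """Playback gated by role, with every attempt logged under the requesting
    user's unique ID (Requirements 8.1, 10.1, 10.2)."""

    def __init__(self, roles):
        self.roles = roles        # user_id -> role; one role per unique ID
        self.audit = []

    def _log(self, user_id, action, call_id, outcome):
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user_id, action, call_id, outcome))

    def playback(self, user_id, rec):
        privs = ROLE_PRIVILEGES.get(self.roles.get(user_id), set())
        if "playback" not in privs:
            self._log(user_id, "playback", rec.call_id, "denied")
            raise PermissionError(f"{user_id} may not play back {rec.call_id}")
        if "playback_sensitive" in privs:      # Option 2: whole file, need-to-know roles only
            self._log(user_id, "playback", rec.call_id, "full")
            return list(rec.audio), list(rec.screen)
        audio, screen = list(rec.audio), list(rec.screen)   # Option 3: mute and mask
        for start, end in rec.sensitive:
            end = len(audio) if end is None else end
            for i in range(start, min(end, len(audio))):
                audio[i] = 0
                screen[i] = "MASKED"
        self._log(user_id, "playback", rec.call_id, "masked")
        return audio, screen

    def reconstruct(self, user_id=None, action=None):
        """Requirement 10.2: filter the trail by user and/or activity type."""
        return [e for e in self.audit
                if (user_id is None or e.user_id == user_id)
                and (action is None or e.action == action)]


def try_playback(store, user_id, rec):
    """Return the played media, or None when the store denied (and logged) it."""
    try:
        return store.playback(user_id, rec)
    except PermissionError:
        return None


# Constructed sample: a 10-frame call; the agent was in the payment screen for frames 4-6.
EVENTS = [(4, "enter_payment_screen"), (7, "leave_payment_screen")]
CALL = Recording("call-0001", audio=list(range(1, 11)), screen=["crm"] * 10,
                 sensitive=segments_from_events(EVENTS))
ROLES = {"u-compliance-1": "compliance_officer", "u-qa-7": "qa_analyst", "u-agent-42": "agent"}
```

The QA analyst hears and sees everything outside frames 4-6, the compliance officer gets the whole file, and the agent's attempt is refused but still lands in the trail, which is the point of Requirement 10: a denied access is an event worth reconstructing too.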

Consequences of Non-Compliance

Non-compliance risks revocation of card acceptance privileges and violation of state laws. Loss of card acceptance privileges could easily spell the death knell for retailers, service providers, and collection agencies. In fact, it is difficult to think of any type of business, nonprofit, or government revenue collection entity that does not rely on payment cards. The card issuers have the authority to revoke card privileges through their contracts.

The other possibility is violation of state laws. As of this time, three states, Minnesota, Nevada, and Washington, have codified payment card industry data security standards. Quoting from the Washington state law, "A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach." This requirement is not contingent on the volume of transactions.

The Nevada law requires that companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver's license numbers or account numbers together with passwords must use encryption if they send the information outside of the company. The Nevada law is reported to be the only law that actually mandates PCI-DSS compliance. The language "doing business in the state of Nevada" is very broad and presumably could include companies not domiciled in the state. Other states are considering legislation that would codify PCI-DSS.


    Advisable Best Practices

    Obviously,ifyourbusinessororganizationacceptspaymentcards,itisinyourbestinteresttobecome

    compliantwithPCI-DSS.Inadditiontothestandards,therearemanyotheractionsyoucantaketo

    helppreventbreachesofsensitivecardandpersonalinformation.

    11

    Workwithyourinformationtechnologydepartmentbeforeimplementingcontactcenter-specificsolutions.Complianceisanorganization-widecommitment.ITmayhaveanoverallsecurityplanthatcontactcentersmustadopt.Forexample,individualsthatrequireaccesstoarchivedcallsthat

    mayincludecarddatamustbespecificallyauthorizedtoaccessthisinformation.

    Make sure your order entry, new customer applications, and any other customer databases that your agents frequently access mask out credit, debit, and other sensitive information.

    Limit the amount of time that card information is kept in the call recording server database (both voice and screen recordings). It may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI-DSS and regulatory compliance requirements (requirement 3.1).

    Ensure that proper user authentication is implemented for staff, agents and administrators (requirement 3.2).

    Segment contact center operations so that a limited number of employees have access to payment card data. For example, payment card information can be entered by a sales agent, but a customer service representative may have access only to the masked PAN (requirements 8.1 and 8.5).

    Be very careful about who you hire. If the agent will be accepting card payments or otherwise be privy to sensitive personal information, conduct a thorough background check before extending an employment offer.

    Make clear that unauthorized disclosure of sensitive personal information is grounds for termination.

    If an employee is terminated or resigns, immediately change the password to that individual's workstation. Don't wait until the end of the work day.

    If you are working with outsourcers, remember that PCI-DSS is an international requirement. The outsourcer must also be compliant.

    Understand the data security precautions taken by outsourcers.

    Do not allow thumb drives or any other portable storage devices into your contact center.

    Agents or other employees should never open emails from unknown sources. This is a favored method by cyber criminals for installing keyloggers and other malware.

    Make sure you maintain strict processes that prevent agents from jotting down card numbers for later entry into the customer database.

    Contact center agents should be discouraged from revealing their occupation on social networking sites. You don't want them to become unsuspecting targets.

    Ensure that agents and supervisors do not share user IDs and passwords. Each user must be uniquely identified by their own login credentials. This information should be encrypted when stored in any computer systems.

    Review your CRM, sales automation, collections and order entry systems to assure that complete card numbers and the security code are not displayed. The security code should never be stored.

    Find out how your current recording software handles PCI-DSS compliance. Some vendors do not have a solution. Others may require deleting entire interactions that involve card transactions, making it impossible to conduct quality evaluations on these calls or retrieve them for compliance or verification purposes.

    Restrict access to QA recording and CRM data containing payment card data based on the user's log-in account and corporate role.

    Ensure that stored recordings are not played back over a speakerphone if payment card information is included.

    If you are considering a new interaction recording system, look into the approach adopted by VPI. VPI provides encryption at no extra cost. For companies that prefer a more flexible approach, VPI's VPI CAPTURE call recording software can automatically detect when an agent enters a screen where a credit card field is to be filled out and then mask both the voice and screen entries for the duration of the agent's activities while working in those screens. The security code can be permanently deleted from both voice and screen recording. The system masks the sensitive information in voice and data recordings, which can only be accessed by authorized personnel.
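    As an added example (not code from this paper or from VPI), the Python below shows how the masking and storage rules in the list above, together with the requirement 3.3 masking rule (first six and last four digits visible) quoted later under Barclaycard Guidance, translate into working code: mask a PAN for display, show it unmasked only to the discovery roles the Barclaycard guidance names, strip the security code before a card record is stored, and scan a stored chat transcript for Luhn-valid card numbers that should never have been written there. The chat lines are constructed, the card number is a published Visa test number rather than a real account, and the role names, key names and function names are this example's own assumptions.

```python
"""PAN masking, role-based display and leak scanning for contact-center records.

Added example for this guide; not VPI code. Function, key and role names are assumptions.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Roles allowed to see the full PAN during legal discovery (per the Barclaycard
# guidance quoted in this paper); the role names themselves are assumptions.
FULL_PAN_ROLES = frozenset({"manager", "compliance_officer"})

# Record keys that must never reach storage (the security code); assumed key names.
SECURITY_CODE_KEYS = frozenset({"cvv", "cvc", "cvv2", "security_code"})


def _digits(value: str) -> str:
    """Strip the separators an agent or customer might have typed."""
    return re.sub(r"[ -]", "", value)


def luhn_valid(digits: str) -> bool:
    """Luhn check: weeds out order numbers and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible (requirement 3.3)."""
    digits = _digits(pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a PAN: expected 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def render_pan(pan: str, role: str) -> str:
    """Role-based display: unmasked only for discovery roles, masked for QA and supervisors."""
    return _digits(pan) if role in FULL_PAN_ROLES else mask_pan(pan)


def _is_pan(match: "re.Match[str]") -> bool:
    return luhn_valid(_digits(match.group()))


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN candidate found in free text (chat, email, transcript)."""
    return [m.group() for m in _PAN_RE.finditer(text) if _is_pan(m)]


def redact_pans(text: str) -> str:
    """Replace each detected PAN with its masked form, leaving the rest of the transcript for QA."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group()) if _is_pan(m) else m.group(), text)


def sanitize_card_record(record: dict) -> dict:
    """Prepare a card record for storage: drop the security code, keep only a masked PAN."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SECURITY_CODE_KEYS}
    cleaned["pan"] = mask_pan(record["pan"])
    return cleaned


# Constructed chat transcript. The card number is a published Visa test number, not a
# real account; the 13-digit order id fails the Luhn check and must not be flagged.
SAMPLE_CHAT = (
    "agent: please confirm the card you would like to use\n"
    "customer: it's 4111 1111 1111 1111, expiry 09/27\n"
    "agent: thank you, order 1234567890123 is confirmed\n"
)

if __name__ == "__main__":
    print("leaked PANs:", find_pans(SAMPLE_CHAT))
    print(redact_pans(SAMPLE_CHAT))
    print(render_pan("4111111111111111", "qa_specialist"))
    print(sanitize_card_record({"pan": "4111 1111 1111 1111", "cvv": "123", "name": "test"}))
```

    The Luhn filter is what keeps the scanner usable on real transcripts: 13 to 19 digit order and account numbers are common in contact-center text, and without it every one of them would be flagged as cardholder data. Masking rather than deleting a flagged line keeps the transcript usable for quality evaluation, which is the trade-off the list above describes.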


    Best Practices for Securing At-Home Agents

    Contact center at-home agent programs are rapidly growing in number and size due to their attractive benefits of reducing operational costs, increasing performance and improving the customer experience. However, using at-home or remote workers carries with it a much greater security risk. When utilizing and recording at-home or remote workers, the following are additional advisable practices:

    Be sure that the same level of firewall, corporate anti-virus protection, security patches, and definition files are extended to remote agents' and supervisors' PCs. (Requirements 1.4, 5.1 and 6.1)

    Remote workers should be forbidden from copying, moving, and storing cardholder data onto hard drives or moveable electronic media when accessing cardholder data. (Requirement 12.3.10)

    Ensure remote agents and supervisors use a two-factor authentication process. (Requirement 8.3)

    Use strong network encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of the VoIP voice stream and data over the public network. (Requirement 4.1)

    Ensure each at-home agent and supervisor is using a VPN connection into the corporate network with strong encryption protocols such as SSL/TLS. (Requirement 4.1)

    Require remote agents and supervisors to encrypt their wireless networks using strong cryptography (Requirements 2.1.1 and 4.1.1). As of June 30, 2010, the Wired Equivalent Privacy (WEP) protocol is no longer permissible for any new wireless implementations (Requirement 4.1). The use of WPA2 is recommended.

    If not using an enterprise VoIP-based telephone solution, require agents to use analogue telephone lines when talking with customers.

    At-home agents should not use consumer VoIP telephone systems (such as Vonage) because their communications may not be encrypted. (Requirement 4.2)

    Ensure that payment card information is never sent over an unencrypted medium such as chat, SMS/text or email or other non-encrypted communication channels.

    Ensure that at-home agent and supervisor PCs have personal firewalls installed and operational. (Requirement 1.4)

    Ensure that at-home agent and supervisor PCs have the latest approved security patches installed.

    Require agents and supervisors to use only company-supplied systems. (Requirement 12.3)

    Monitor at-home agents more often than in-house agents. (Requirement 12.3)

    Annually review all security policies and procedures with all agents and require at-home agents to acknowledge the security requirements as part of their daily sign-in process. (Requirement 12.6)

    Dilemma for Contact Centers

    PCI-DSS compliance is only one of a growing list of laws, regulations, and industry standards that contact centers need to consider. There are several regulations that require or strongly recommend that calls be recorded in their entirety:

    Telemarketing Sales Rule

    FSA (Financial Services Authority) Rules

    BASEL II

    Sarbanes-Oxley Act

    Gramm-Leach-Bliley Financial Services Modernization Act

    Truth in Lending Act (TILA) and Fair Debt Collections Practices Act (FDCPA)


    Telemarketing Sales Rule

    The Telemarketing Sales Rule requires a consumer's express verifiable authorization for use of bank account information to obtain payment through phone checks or demand drafts. This can be done via confirmation by a call recording of the consumer giving authorization or advance written authorization. The recorded authorization and written confirmation must include the date and amount of the draft(s), the name on the account from which the funds will be paid, the number of draft payments authorized, if more than one, a telephone number answered during normal business hours that the consumer can call with questions, and the date of the consumer's authorization. Many states require advance consent of the recorded party; the recorded confirmation must show that the consumer understands and acknowledges each term of the transaction and authorizes it.

    FSA (Financial Services Authority) Rules

    The United Kingdom Financial Services Authority (FSA) published rules in March of 2009 requiring firms to record telephone conversations and other electronic communications, including email and instant messages, relating to trading orders and the conclusion of transactions in the equity, bond, and derivatives markets. The rules were established as part of the FSA's efforts to combat market abuse, particularly insider dealing, and to help deter and detect market manipulation and abuse in the United Kingdom. The FSA rules are in accordance with Markets in Financial Instruments Directive (MiFID) general record keeping standards. The rules require organizations to retain their recorded calls and communications for 6 months. This is expected to be longer in future regulations (the initial recommendation was three years). The FSA must be able to access recorded calls readily.

    Other regulated organizations involved in retail activities such as banking, insurance, loans or mortgages will still have the option to record calls or keep alternative records; however, recording is likely to become mandatory in the near future. Insurance companies complying with directives such as the Insurers Conduct of Business (ICOB) are already advised to introduce call recording. Companies will also find that in 99% of cases the Financial Ombudsman Service will favor the client's word if the organization cannot provide a recorded transcript of relevant telephone calls.

    BASEL II

    BASEL II recommendations and policies, developed by the BASEL committee consisting of representatives from all G-20 major economies as well as other major banking locales such as Hong Kong and Singapore, prescribe that banks and their outsourced contact centers implement Operational Risk Management practices. The BASEL committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In order to protect from the official event types defined by BASEL II, including Internal Fraud (misappropriation of assets, tax evasion, intentional mismarking of positions, bribery), External Fraud (theft of information), Employment Practices and Workplace Safety (discrimination, workers' compensation, employee health and safety), Clients, Products, & Business Practice (market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning), and Execution, Delivery, & Process Management (data entry errors, accounting errors), many banks require full-time call recording and long-term storage of their recorded interactions.

    Sarbanes-Oxley Act

    The Sarbanes-Oxley Act provides extensive guidelines for the documentation of business processes and transactions, mandating that businesses create and maintain electronic records as part of their regular business processes. To help ensure compliance with Sarbanes-Oxley, many organizations currently record and store all their calls in their entirety. Maintaining an electronic record of telephone calls in the same manner as emails helps to ensure compliance with Sarbanes-Oxley and simplifies the discovery and auditing processes, reducing the potential for abuse or mistakes.

    Gramm-Leach-Bliley Financial Services Modernization Act

    The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. Under the Safeguards Rule, financial institutions must create and follow a written information security plan that details how they will protect the non-public information, such as account and identification numbers, of their current and former customers.

    Call recording solutions make it easy to incorporate voice-based communications as part of an organization's GLBA compliance plan. In addition, companies that factor call recording into their electronic records plan have an added layer of security, knowing that every aspect of their business is compliant, rather than just their written documents and transactions.

    Truth in Lending Act (TILA) & Fair Debt Collections Practices Act (FDCPA)

    Full-time call recording is also frequently mandated to ensure contact center employees are accurately disclosing information required by the Truth in Lending Act and complying with collection practices required by the Fair Debt Collections Practices Act.

    Barclaycard Guidance

    Balancing the need for PCI compliance with other regulations, laws and risk management requirements with the quality management requirements can pose a dilemma. Barclaycard prepared a very informative white paper that, among other things, advises that:

    Call centre managers will need to ensure that the PAN is masked when displayed (i.e. first 6 and last 4 digits). This is part of requirement 3.3 and may include:

    Restricting access to QA/recording and CRM data containing payment card data based on the user's log-in account and corporate role; for example, providing screen recording playback interfaces where the payment card information is displayed only to the managers and compliance officers during legal discovery, and having it blacked out (masked) for all other supervisors and QA specialists.

    Segmenting contact centre operations so that a limited number of agents have access to payment card data; for example, payment card information may be entered by a sales agent but a customer service representative will only have access to the masked PAN.

    Readers are encouraged to read the entire paper for more suggestions.

    Executive Summary

    Identity theft is a massive problem in the United States and globally. In response, the payment card industry has established clear rules to help assure that critical financial and identification data is protected from menaces both outside and within the enterprise. The PCI-DSS requirements must be adhered to by every organization - regardless of size - that accepts payment cards. There are direct impacts on contact centers, which in the past have proved to be fertile grounds for extracting payment card details from unsuspecting customers.

    In this paper we highlighted some sound practices to help assure data security. We also noted that the widespread practice of recording voice and data interactions may result in a breach of the data security standards and even a violation of certain state statutes unless important precautions are taken. Choosing to abandon interaction recording altogether or limit it to non-transactional calls is not an option. Besides the obvious need to assure consistent call quality, there are many other laws and regulations where recording is a legal requirement or the only practical means of establishing compliance.

    It is important that any call recording system purchased now can cope with both current and future changes in laws and industry standards and that the recording solution facilitate best practices. Suppliers must be able to prove that their products will help you assure compliance today and have the flexibility to adapt to future changes. The best solution is to avoid recording of the validation code altogether, after approval. The VPI solution provides this option.

    About the Author

    Dick Bucci is Principal of Pelorus Associates where he specializes in contact center technologies. He has authored ten in-depth reports on workforce optimization applications and over 30 white papers. As one of the industry's foremost thought leaders, his articles and observations have appeared in trade and business publications around the world. Dick has over 30 years of experience in the telecommunications industry.

    About VPI

    VPI is the world's premier provider of call recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,500 customers in 50 countries. VPI's award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere, all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open, service-oriented architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, call 1-800-200-5430 or visit www.VPI-corp.com/PCI

    References

    The information provided in this white paper is believed to be accurate, but is presented without express or implied warranty and is subject to change without notice.

    The FTC in 2009, annual report of the Federal Trade Commission (March, 2009)

    The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond: A Joint Report of the US Department of Homeland Security, SRI International Identity Theft Technology Council, the Anti-Phishing Working Group, and IronKey, Inc. (September, 2006)

    Symantec Report on the Underground Economy July 07 - June 08, Symantec Corp. (November, 2008)

    Navigating PCI-DSS - Understanding the Intent of the Requirements, Version 2.0, Payment Card Industry (PCI) Data Security Standards, Payment Card Industry (PCI) (October, 2010)

    2009 Data Breach Investigation Report, Verizon Business RISK Team

    Safe and Sound, Processing Telephone Payments Securely, BarclayCard (April, 2010)
