What Every Contact Center Needs to Know about Desktop Analytics for PCI Compliance

  • March 24th, 2017

    Written by TelStrat

    Protecting customer records, particularly their payment card information, is critical to business success. According to Business Insider, worldwide payment card fraud reached $14 billion in 2013, half of it via U.S. cards. Privacy Rights Clearinghouse reports over 500 million sensitive customer data records breached since 2005. Unauthorized access to Social Security and payment card information makes consumers vulnerable to identity theft. A 2009 Javelin Research & Strategy study found that victims of a data breach are four times as likely to become victims of identity theft.


    The Payment Card Industry (PCI) Data Security Standard (DSS) ensures that organizations that receive payment from customers for products and services protect cardholders’ sensitive authentication data. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International developed the security standard to prohibit transaction-handling organizations from storing sensitive authentication data, such as security codes and PIN values, once customer transactions are authorized. The standard defines twelve requirements, including policies, tools, and controls, to protect sensitive cardholder data and to enhance data security.


    Businesses and merchants, regardless of size, that process, store, or transmit payment card data must comply with PCI DSS. Non-compliance results in fines and loss of the ability to process payments. Merchants and payment card service providers must periodically validate their PCI compliance.


    The PCI Security Standards Council maintains a directory of Qualified Security Assessors (QSAs) with whom payment card-processing enterprises contract for their periodic audits and compliance validation. The PCI DSS requires that contact centers not capture sensitive customer payment card data in the voice and video screen recordings they normally make of customer service agent activity for quality assurance and for compliance with other regulations.


    TelStrat’s Engage Desktop Analytics exemplifies tools that contact centers use to prevent customer payment card data from being recorded, using automatic pause and resume triggers. These triggers stop voice and screen recording while sensitive content is being handled in a customer interaction, so the sensitive data is never captured or stored. The tool detects the fields within the agent’s user interface where the payment card authorization code is entered. When the agent’s cursor enters a payment data entry field, the trigger automatically pauses recording of voice and screen activity. When the agent’s cursor exits the sensitive data field to continue work, recording resumes.
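    The focus-driven gate described above, as an added example that is not TelStrat’s code: it replays a constructed timeline of agent-desktop focus events and reports which intervals of the interaction may be recorded. The field identifiers, timestamps and the rule that recording stays paused while the cursor moves between sensitive fields, or until the call ends, are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Hypothetical field identifiers from the agent's payment form (assumption).
SENSITIVE_FIELDS = {"card_number", "security_code", "expiry"}


@dataclass(frozen=True)
class Segment:
    """A half-open [start, end) interval, in seconds from call start."""
    start: float
    end: float


def recordable_segments(events, call_end):
    """Compute the intervals during which voice/screen recording is on.

    events: list of (timestamp, field_id) focus-in events in time order.
    Recording pauses the moment a sensitive field gains focus and resumes
    only when a non-sensitive field gains focus. Moving directly from one
    sensitive field to another keeps the pause in place, and if the call
    ends while a sensitive field still has focus, recording never resumes.
    """
    segments = []
    recording = True
    seg_start = 0.0
    for ts, field in events:
        sensitive = field in SENSITIVE_FIELDS
        if recording and sensitive:
            segments.append(Segment(seg_start, ts))  # close the open segment
            recording = False
        elif not recording and not sensitive:
            recording = True
            seg_start = ts                           # open a new segment
    if recording:
        segments.append(Segment(seg_start, call_end))
    return segments


def is_excluded(segments, ts):
    """True if instant ts falls outside every recordable segment."""
    return not any(s.start <= ts < s.end for s in segments)


# Constructed sample timeline (seconds from call start), not real data.
SAMPLE_EVENTS = [
    (0.0, "customer_name"),
    (12.5, "card_number"),    # pause
    (30.0, "expiry"),         # still paused: sensitive -> sensitive
    (41.0, "order_notes"),    # resume
    (55.0, "security_code"),  # pause; call ends before focus leaves
]
```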


    The PCI DSS also requires contact centers to store the audio and video recordings of customer interactions with AES 256-bit file-level encryption. The encrypted files are secured by passwords and decryption keys kept in separate secured locations. When authorized users need to retrieve and play interaction recordings, the recordings are transmitted via Secure Sockets Layer (SSL) encryption. Similarly, recordings are encrypted while streaming to and from the agent workstation or while being transmitted to and from remote secure storage locations. The contact center’s call and screen recording system, such as TelStrat’s Engage WFO, tracks all activity so that auditors can determine who accessed which recordings for playback or export, or performed other activity involving customer data.


    Visit www.pcisecuritystandards.org for more detail and the most recent information.