The PCI Security Standards Council (PCI SSC) has a ‘frequently asked questions’ (FAQ) document which discusses the applicability of card payments to those operating in the contact centre space. The FAQ applies to call centres which take card payments on the phone, and who record phone calls using a digital telephone recorder or similar system.

The FAQ has been recently updated by the PCI SSC. The wording of the 18 Feb 2010 version of the FAQ is listed below:

Question: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

“This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.
If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.”

In response to the latest word changing, Veritape has published a White Paper with interpretation of how customers should apply the PCI standards to their telephone conversation recording systems.

For more information on the latest FAQ, interpretation of it, or the complete White Paper “PCI SSC update on call recording and call centres, issued Feb 2010″, please contact us.

===

About Veritape

Veritape provides call recording software to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pci-dss-call-recording.

Veritape’s telephone monitoring software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

For more information on our call recording systems, please see http://www.veritape.com

Results for Veritape’s most recent financial year showed that year-on-year revenue has grown, a trend repeated every year of Veritape’s ten-year operating history.

This year’s result is even more encouraging than previous years, given that Veritape has weathered the worst recession of recent times. Cameron Ross, Veritape’s Managing Director, comments:

“Even in the current recession, new sales have been strong. Veritape’s rental model has been a key element in our success. Several years ago, Veritape implemented a rental pricing model, based on feedback from our customers. That rental model is still unique in the market many years later. As well as eliminating capital expenditure for our customers, it gives them great flexibility in their operations. For us as a business, rental provides Veritape with a stable, consistent revenue stream and the certainty to continue investing a high proportion of our revenue into research and development, unlike many of our competitors.”

Another key element in Veritape’s ongoing growth is industry focus on the PCI DSS credit card payment security guidelines governing call recording. Veritape is an expert in automatically removing a customer’s sensitive credit card details from recorded telephone calls. Veritape is the only call recording company accredited by the PCI’s Security Standards Council as a Participating Organisation, and it regularly provides specialist advice to banks and PCI industry groups. Cameron Ross says:

“During the past year, Veritape has seen dramatic growth in demand for our Call Control software, which helps companies comply with the PCI DSS guidelines. Call Control ensures that the 3-digit or 4-digit security codes on the back of a customer’s card are not stored in the call recording. Our customers don’t even need to own, or be able to control, the websites or applications their call centre agents use. Veritape Call Control works with any website or application, seamlessly. It’s for this ease of implementation, and the fact our customers get instant PCI DSS compliance over their call recordings, that we’ve seen such good growth in this area.”

Veritape’s clients include Jaguar Land Rover, Orange, Travelodge, and Photobox.

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pcidss.

Veritape’s software is trusted every day to improve the operations of:

* four of the world’s five largest car manufacturers.
* major UK travel companies.
* finance and insurance companies of all sizes.
* local and regional government, including Regional Trading Standards.
* pharmaceuticals businesses and major suppliers to the NHS.
* outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

http://www.veritape.com

Contact:

Cleo Maher
Marketing Manager
Veritape Ltd
Tel: 0845 899 5500
Email: cleo.maher@veritape.com

(Please note, there is now an updated blog posting on this topic - read it here).

In an update to their ‘frequently asked questions’ document on call recording, the PCI SSC has simplified its wording, making it clear that only analogue recordings are allowed to store the 3- or 4-digit security codes from credit cards. Calls which are recorded digitally (the overwhelming majority of all call recording) cannot contain the data, known as CVC or CVV codes, even if the recording is encrypted.

Cameron Ross, Managing Director of Veritape, says “This is a sensible move by the PCI Security Standards Council. For the past 2 years, the market has seen real confusion, with QSA companies interpreting the SSC guidelines in different ways. Finally, the call centre industry has a clear message: don’t store credit card information in recorded audio. The statement by the SSC is a result of joint industry efforts to clarify this area. It shows how PCI member companies like Participating Organisations can have a real voice in the way credit card security is improved for banks and customers alike. The PCI SSC is to be commended for their work in simplifying this area. They’ve also recognised that there are a number of businesses which can help to eliminate card data from recorded telephone calls, which means all call centres can put a plan in place to improve the security of recorded telephone calls.”

This is the PCI SSC’s full statement:

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization; as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analog format after authorization is allowed; as these recordings cannot be data mined easily. However the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors. All other recordings containing cardholder data captured by call centers must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.

===

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is at http://www.veritape.com/pcidss

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

http://www.veritape.com

Equidebt had been a long-time user of NICE call recording. When one of Equidebt’s clients (a major bank) approached them with a tight deadline to achieve PCI DSS compliance, Equidebt were prompted to look at alternative suppliers.

In a business where telephone calls are crucial, the bank was keen to ensure that Equidebt would be PCI DSS compliant before they renewed their contract with Equidebt. Compliance with PCI DSS rules meant that Equidebt had to find a solution which would not store sensitive payment card information given during the course of a telephone call, while still recording the call itself.

Read our Equidebt case study for the full story.

Obviously, Veritape staff have a shared understanding that customer data is sensitive, and that credit card security devices like the CVC and a customer’s PIN are in operation to protect cardholder transactions and decrease fraud.

So imagine the surprise of a Veritape staff member (at lunch with a senior Vendorcom representative in London - let’s call him “Paul Rodgers”) when he heard the waitress ask Paul (kindly paying the bill) what his PIN number was, so she could enter it into the payment terminal. Amazing.

Paul (an expert in payment security guidelines), proceeded to take the payment terminal from the waitress, and enter his own PIN - very sensible. But he then followed up with a series of questions to the waitress, which determined that she fairly regularly enter PINs for customers.

It’s obvious that not all people (despite the constant mantra “keep your PIN secret” from banks and card issuers) do keep their PIN secret. If they did, London Waitress wouldn’t have had any success in the past, entering PINs.

Veritape would hope that this was a one-off occurrence, but we’re not so sure. If you’ve ever been asked for your PIN, drop us a line.

And in the meantime, if you run a business with customer-facing staff who swipe cards through payment terminals, please PLEASE drum into them that the customer should be the one entering their PIN!

www.veritape.com

VERITAPE, the leading provider of call recording software, announced today that it has joined the PCI Security Standards Council as a new participating organisation.  As a Participating Organisation, Veritape will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards.

A recent national poll of UK call centre managers by Veritape made headline news when it identified a potential risk to millions of credit card details, including the 3-digit security code.  According to Veritape the routine practice of storing unedited audio recordings of calls is creating a vast reservoir of sensitive data on the servers of call centres across the UK in direct breach of global industry standards drawn up by the Payment Card Industry Data Security Council.

The PCI DSS, endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., requires merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data integrity.  More information on the council and the standard can be found at www.pcisecuritystandards.org

As a Participating Organisation, Veritape will now have access to the latest payment card security standards from the Council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organisations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents an entity’s best protection against data criminals.  By joining as a Participating Organisation, Veritape is adding its voice to the process.

“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, General Manager of the PCI Security Standards Council. “By participating in the standards setting process, Veritape demonstrates they are playing an active part in this important end goal.”

Cameron Ross, managing director of Veritape, said:  “We’re very pleased to have been confirmed as a participant organisation and we look forward to working with council officials and other members to support the achievement of better levels of compliance in the UK call centre community.”

About PCI Security Standards Council

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of PCI security standards. For more information, please visit www.pcisecuritystandards.org

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

www.veritape.com

• Three month trial to help Third Sector weed out pressure-selling over the phone by so-called Phuggers at Christmas
• Pressure to meet fundraising targets and tightening of household budgets create unparalleled risk of use of inappropriate phone-selling techniques this Christmas
• As Christmas approaches competition amongst charities to secure donations is mounting and call centre operations are under increased pressure to meet funding targets.

Charities, already criticised for their use of so-called “chuggers” - agents who attempt to secure donations from shoppers on the High Street - are now accused of using telephone fundraisers, or “phuggers”, who put undue pressure on prospective donors.

Hundreds of millions of pounds are raised by charities over the phone each year.

To help charities monitor the quality of calls made by phuggers, call recording software company Veritape is offering third sector organisations a free three-month trial of its recording software.  The software enables charity management to check call records and assess whether pressure selling techniques are being used by call centres staff, including third party providers.

The software automatically identifies hundreds of phrases, such as “I’m not interested”, “please don’t call me again” and “I feel harassed”, alerting charities to the potential use of pressure-selling techniques.

As Christmas approaches and pressure mounts for funding and fundraising in many community organisations, Veritape’s software provides a simple answer for organisations concerned about call quality.

Cameron Ross, managing director of Veritape, said:  “Concerns have been mounting in the charitable sector about the quality of the calls made to potential donors.  There’s no doubt that more calls will be made as the season of goodwill approaches, and organisations will want to be mindful of the increased pressures that households are under to make ends meet.  Our software provides a useful safeguard to ensure that professional call centre staff don’t get too zealous in their attempts to secure donations.”

— Ends —

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

www.veritape.com

The move is the latest in a series of happenings that are fast establishing Veritape as a trusted voice and advocate of PCI compliance issues.

In September 2009 Veritape’s MD Cameron Ross addressed attendees at a Vendorcom conference with a presentation which sought to demystify the PCI rules and how they apply to recorded telephone calls. Request the presentation.

October 2009 saw the launch of Veritape’s Silent Number campaign, which highlights the risk of data theft of personal credit card details from call centres when PCI data storage rules are not complied with. It also calls for the definition of a standard for both consumers and call centres, which will ensure that sensitive credit card data is eliminated from recorded calls. The campaign received wide press coverage by titles including The Telegraph, Times Online and Computer Weekly. Veritape also published a white paper entitled ‘The Great Credit Card Gamble‘ which shockingly reveals that more than nineteen in twenty call centres which store recordings of transactional conversations with customers do not delete or mask the credit card details in the recordings.

For further information on how Veritape can help get your company PCI compliant, call our team on 0845 899 5500 or contact us.

Veritape’s Silent Number campaign, launched just one day ago, has garnered significant media coverage. A snapshot of the coverage can be viewed here.

It includes:

• coverage in many national print and online newspapers
• extensive website articles on IT, legal and consumer websites
• radio interviews with national stations.

In addition, the www.silentnumber.co.uk website has experienced high volumes of both consumers and call centre “sign-ups”.

The Silent Number campaign aims:

• to help consumers reduce the risk of theft of their personal credit card data from call centres,
• to help UK call centres better understand how to eliminate their customers’ sensitive credit card data from recorded calls, and then promote this for their customers’ security and peace of mind, and
• to define a simple Silent Number standard which is easy to understand for both consumers and call centres

For more background on covering the Silent Number campaign, or for interviews with Veritape staff, please contact Hamish Thompson at 1238kmh, on 07702 684290 or email hamish.thompson@1238kmh.com.

www.silentnumber.co.uk

www.veritape.com

— Ends —

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

www.veritape.com

In conjunction with its market survey of UK call centres which found that call centres take unnecessary risks with credit card data, Veritape has released a white paper, The Great Credit Card Gamble. The white paper indicates that more than nineteen in twenty call centres which store recordings of transactional conversations with customers do not delete or mask the credit card details in the recordings.

For a copy of The Great Credit Card Gamble, please contact Veritape.

www.veritape.com