Theft of customer payment data exchanged over the telephone could soon be a thing of the past thanks to a simple device developed in less than two months by British company Veritape. Security industry sources have told Veritape that there have been ten major audio data thefts in the last year alone.  This data can easily be searched, to find card numbers and security codes.

The “CallGuard” device (patent pending) solves what has appeared to be a near-insurmountable technical problem for call centres, with other solutions taking months or years to implement and potentially costing millions of pounds. CallGuard can be set up within hours.

Industry rules make protection and non-storage of credit card details a mandatory requirement for call centres, but despite this, most call centres are in breach of the guidelines.  A recent study by Veritape identified 93% non-compliance amongst UK call centres due to the complexity and cost of compliance.

“The eureka moment came during a company away-day, amidst the flip charts and whiteboards,” said Cameron Ross, managing director of Veritape.  “Businesses have been searching for a solution to the problem of protecting customer data given in over-the-phone transactions for years, without a massive overhaul of processes and systems. We’ve worked out a simple and affordable way of achieving that. This is especially relevant where a company has already invested thousands of pounds in a call recording system, only to later find that it does not comply with Payment Card Industry (PCI) regulations”.

“The beauty of Veritape CallGuard is that it is ‘plug and play’ technology, there is no complicated or expensive integration with current systems, it simply ‘bolts on’ to the existing set-up.  In pre-launch discussions with several leading call centres, all have virtually committed to buying our product. We believe that there will be a global market for our new box of tricks.”

CallGuard works by doing two key things.  Firstly, it detects and blocks the ‘DTMF’ tones, the sounds produced when keying in a number.  By doing so it prevents any storage of the numbers being communicated by the customer.  At the same time it automatically enters these card details into password style fields, which themselves are obscured with asterisks or similar.  The technology is built into one computer with an additional small USB device per workstation. It can also work internationally, protecting calls made to off-shore call centres.

Veritape have taken the concept from idea to implementation in just two months. Cameron Ross added:
“Data theft is literally an everyday occurrence, costing billions worldwide every year and yet an amazing 93% of companies operating call centres are currently non-compliant with industry standards on the exchange and storage of credit card details.  CallGuard plugs a very large hole in data security and removes any risk to the customer by shielding the data from potential fraudsters.”

CallGuard is fully compatible with any call recording system.  It ensures that recorded telephone conversations are fully compliant with the PCI regulations.  The PCI Data Security Standards (PCI DSS) are the international guidelines governing credit card transactions. For larger call centres, introduction of the new technology could also have a positive commercial impact in securing them lower/discounted charges with their banks for operating a PCI compliant environment.

Ends -

More information:

Hamish Thompson / hamish.thompson@1238kmh.com / 07702 684290
Veritape Marketing Team / marketing@veritape.com/ 08458 99 55 00

One area which may not have been high on the list of criteria at the time is the PCI DSS (Payment Card Industry Data Security Standards). These are the guidelines which ban the storage of sensitive credit card data in any format, including in recorded telephone calls.

Increasingly, compliance with PCI DSS is is critical to a business’ strategy.

Having already purchased a call recording system, how do you now meet PCI DSS requirements and still retain the benefits of your chosen recording approach?

Luckily, help is at hand.

Veritape CallGuard is a new technology which is going to change the landscape for thousands of businesses taking credit card payments over the phone.

For the first time, any business which already owns a call recording system can easily and simply ‘bolt on’ PCI compliance. Whether you use Verint/Witness, NICE, ASC Telecom or any other call recording platform, Veritape CallGuard will work for you

Here’s the really amazing thing about Veritape CallGuard:

• It’s simple (incredibly so). There’s no time-consuming integration work, no project plans, no requisitioning of 6 weeks of your IT team’s time (which invariably can’t start for another 4 months because they’re tied up).
• It’s less expensive than implementing PCI compliance in any other way (even those proposed by your existing call recording provider).
• You keep every aspect of your existing technology. No changes to your call recording or phone systems, your CRM platform, your payment processes, or (critically) your payment provider. (And if you change any of those things next month or next year, Veritape CallGuard just continues to work…)

And Veritape CallGuard has another trick up its sleeve…

Agents continue talking with a customer during a transaction, but don’t come anywhere near the card data!

Not only does Veritape CallGuard ensure PCI DSS compliance for recorded calls, but also solves the growing problem of internal data security. With Veritape CallGuard, the customer never tells the Agent their card details, and the Agent never sees the card details on screen. Customers type their card details using the telephone keypad, and Veritape CallGuard automatically ‘types’ them into your payment application (but hidden, like ‘*****’ password information). In this way, Agents are completely isolated from the transaction, but they continue to have full control over the call and talk with the customer at all points.

PCI compliance and a “clean desk” policy without the practical challenges of implementing one - it doesn’t get much better than this!

Oh, and…

Veritape continues to provide industry-leading call recording, of course.

Want to hear more?

For more information on Veritape CallGuard, visit www.veritape.com, click to contact us, or call 0845 899 5500.

===

About Veritape

Veritape provides call recording software to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pci-dss-call-recording.

Veritape’s telephone monitoring software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

For more information on our call recording systems, please see http://www.veritape.com

	Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and we regularly provide specialist advice to banks and PCI industry groups.

The PCI Security Standards Council (PCI SSC) has a ‘frequently asked questions’ (FAQ) document which discusses the applicability of card payments to those operating in the contact centre space. The FAQ applies to call centres which take card payments on the phone, and who record phone calls using a digital telephone recorder or similar system.

The FAQ has been recently updated by the PCI SSC. The wording of the 18 Feb 2010 version of the FAQ is listed below:

Question: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

“This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.
If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.”

In response to the latest word changing, Veritape has published a White Paper with interpretation of how customers should apply the PCI standards to their telephone conversation recording systems.

For more information on the latest FAQ, interpretation of it, or the complete White Paper “PCI SSC update on call recording and call centres, issued Feb 2010″, please contact us.

===

About Veritape

Veritape provides call recording software to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pci-dss-call-recording.

Veritape’s telephone monitoring software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

For more information on our call recording systems, please see http://www.veritape.com

Results for Veritape’s most recent financial year showed that year-on-year revenue has grown, a trend repeated every year of Veritape’s ten-year operating history.

This year’s result is even more encouraging than previous years, given that Veritape has weathered the worst recession of recent times. Cameron Ross, Veritape’s Managing Director, comments:

“Even in the current recession, new sales have been strong. Veritape’s rental model has been a key element in our success. Several years ago, Veritape implemented a rental pricing model, based on feedback from our customers. That rental model is still unique in the market many years later. As well as eliminating capital expenditure for our customers, it gives them great flexibility in their operations. For us as a business, rental provides Veritape with a stable, consistent revenue stream and the certainty to continue investing a high proportion of our revenue into research and development, unlike many of our competitors.”

Another key element in Veritape’s ongoing growth is industry focus on the PCI DSS credit card payment security guidelines governing call recording. Veritape is an expert in automatically removing a customer’s sensitive credit card details from recorded telephone calls. Veritape is the only call recording company accredited by the PCI’s Security Standards Council as a Participating Organisation, and it regularly provides specialist advice to banks and PCI industry groups. Cameron Ross says:

“During the past year, Veritape has seen dramatic growth in demand for our Call Control software, which helps companies comply with the PCI DSS guidelines. Call Control ensures that the 3-digit or 4-digit security codes on the back of a customer’s card are not stored in the call recording. Our customers don’t even need to own, or be able to control, the websites or applications their call centre agents use. Veritape Call Control works with any website or application, seamlessly. It’s for this ease of implementation, and the fact our customers get instant PCI DSS compliance over their call recordings, that we’ve seen such good growth in this area.”

Veritape’s clients include Jaguar Land Rover, Orange, Travelodge, and Photobox.

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pcidss.

Veritape’s software is trusted every day to improve the operations of:

* four of the world’s five largest car manufacturers.
* major UK travel companies.
* finance and insurance companies of all sizes.
* local and regional government, including Regional Trading Standards.
* pharmaceuticals businesses and major suppliers to the NHS.
* outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

http://www.veritape.com

Contact:

Cleo Maher
Marketing Manager
Veritape Ltd
Tel: 0845 899 5500
Email: cleo.maher@veritape.com

(Please note, there is now an updated blog posting on this topic - read it here).

In an update to their ‘frequently asked questions’ document on call recording, the PCI SSC has simplified its wording, making it clear that only analogue recordings are allowed to store the 3- or 4-digit security codes from credit cards. Calls which are recorded digitally (the overwhelming majority of all call recording) cannot contain the data, known as CVC or CVV codes, even if the recording is encrypted.

Cameron Ross, Managing Director of Veritape, says “This is a sensible move by the PCI Security Standards Council. For the past 2 years, the market has seen real confusion, with QSA companies interpreting the SSC guidelines in different ways. Finally, the call centre industry has a clear message: don’t store credit card information in recorded audio. The statement by the SSC is a result of joint industry efforts to clarify this area. It shows how PCI member companies like Participating Organisations can have a real voice in the way credit card security is improved for banks and customers alike. The PCI SSC is to be commended for their work in simplifying this area. They’ve also recognised that there are a number of businesses which can help to eliminate card data from recorded telephone calls, which means all call centres can put a plan in place to improve the security of recorded telephone calls.”

This is the PCI SSC’s full statement:

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization; as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analog format after authorization is allowed; as these recordings cannot be data mined easily. However the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors. All other recordings containing cardholder data captured by call centers must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.

===

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is at http://www.veritape.com/pcidss

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

http://www.veritape.com

Equidebt had been a long-time user of NICE call recording. When one of Equidebt’s clients (a major bank) approached them with a tight deadline to achieve PCI DSS compliance, Equidebt were prompted to look at alternative suppliers.

In a business where telephone calls are crucial, the bank was keen to ensure that Equidebt would be PCI DSS compliant before they renewed their contract with Equidebt. Compliance with PCI DSS rules meant that Equidebt had to find a solution which would not store sensitive payment card information given during the course of a telephone call, while still recording the call itself.

Read our Equidebt case study for the full story.

Obviously, Veritape staff have a shared understanding that customer data is sensitive, and that credit card security devices like the CVC and a customer’s PIN are in operation to protect cardholder transactions and decrease fraud.

So imagine the surprise of a Veritape staff member (at lunch with a senior Vendorcom representative in London - let’s call him “Paul Rodgers”) when he heard the waitress ask Paul (kindly paying the bill) what his PIN number was, so she could enter it into the payment terminal. Amazing.

Paul (an expert in payment security guidelines), proceeded to take the payment terminal from the waitress, and enter his own PIN - very sensible. But he then followed up with a series of questions to the waitress, which determined that she fairly regularly enter PINs for customers.

It’s obvious that not all people (despite the constant mantra “keep your PIN secret” from banks and card issuers) do keep their PIN secret. If they did, London Waitress wouldn’t have had any success in the past, entering PINs.

Veritape would hope that this was a one-off occurrence, but we’re not so sure. If you’ve ever been asked for your PIN, drop us a line.

And in the meantime, if you run a business with customer-facing staff who swipe cards through payment terminals, please PLEASE drum into them that the customer should be the one entering their PIN!

www.veritape.com

VERITAPE, the leading provider of call recording software, announced today that it has joined the PCI Security Standards Council as a new participating organisation.  As a Participating Organisation, Veritape will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards.

A recent national poll of UK call centre managers by Veritape made headline news when it identified a potential risk to millions of credit card details, including the 3-digit security code.  According to Veritape the routine practice of storing unedited audio recordings of calls is creating a vast reservoir of sensitive data on the servers of call centres across the UK in direct breach of global industry standards drawn up by the Payment Card Industry Data Security Council.

The PCI DSS, endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., requires merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data integrity.  More information on the council and the standard can be found at www.pcisecuritystandards.org

As a Participating Organisation, Veritape will now have access to the latest payment card security standards from the Council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organisations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents an entity’s best protection against data criminals.  By joining as a Participating Organisation, Veritape is adding its voice to the process.

“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, General Manager of the PCI Security Standards Council. “By participating in the standards setting process, Veritape demonstrates they are playing an active part in this important end goal.”

Cameron Ross, managing director of Veritape, said:  “We’re very pleased to have been confirmed as a participant organisation and we look forward to working with council officials and other members to support the achievement of better levels of compliance in the UK call centre community.”

About PCI Security Standards Council

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of PCI security standards. For more information, please visit www.pcisecuritystandards.org

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

www.veritape.com

• Three month trial to help Third Sector weed out pressure-selling over the phone by so-called Phuggers at Christmas
• Pressure to meet fundraising targets and tightening of household budgets create unparalleled risk of use of inappropriate phone-selling techniques this Christmas
• As Christmas approaches competition amongst charities to secure donations is mounting and call centre operations are under increased pressure to meet funding targets.

Charities, already criticised for their use of so-called “chuggers” - agents who attempt to secure donations from shoppers on the High Street - are now accused of using telephone fundraisers, or “phuggers”, who put undue pressure on prospective donors.

Hundreds of millions of pounds are raised by charities over the phone each year.

To help charities monitor the quality of calls made by phuggers, call recording software company Veritape is offering third sector organisations a free three-month trial of its recording software.  The software enables charity management to check call records and assess whether pressure selling techniques are being used by call centres staff, including third party providers.

The software automatically identifies hundreds of phrases, such as “I’m not interested”, “please don’t call me again” and “I feel harassed”, alerting charities to the potential use of pressure-selling techniques.

As Christmas approaches and pressure mounts for funding and fundraising in many community organisations, Veritape’s software provides a simple answer for organisations concerned about call quality.

Cameron Ross, managing director of Veritape, said:  “Concerns have been mounting in the charitable sector about the quality of the calls made to potential donors.  There’s no doubt that more calls will be made as the season of goodwill approaches, and organisations will want to be mindful of the increased pressures that households are under to make ends meet.  Our software provides a useful safeguard to ensure that professional call centre staff don’t get too zealous in their attempts to secure donations.”

— Ends —

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.

Veritape’s software is trusted every day to improve the operations of:

• four of the world’s five largest car manufacturers.
• major UK travel companies.
• finance and insurance companies of all sizes.
• local and regional government, including Regional Trading Standards.
• pharmaceuticals businesses and major suppliers to the NHS.
• outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

www.veritape.com

The move is the latest in a series of happenings that are fast establishing Veritape as a trusted voice and advocate of PCI compliance issues.

In September 2009 Veritape’s MD Cameron Ross addressed attendees at a Vendorcom conference with a presentation which sought to demystify the PCI rules and how they apply to recorded telephone calls. Request the presentation.

October 2009 saw the launch of Veritape’s Silent Number campaign, which highlights the risk of data theft of personal credit card details from call centres when PCI data storage rules are not complied with. It also calls for the definition of a standard for both consumers and call centres, which will ensure that sensitive credit card data is eliminated from recorded calls. The campaign received wide press coverage by titles including The Telegraph, Times Online and Computer Weekly. Veritape also published a white paper entitled ‘The Great Credit Card Gamble‘ which shockingly reveals that more than nineteen in twenty call centres which store recordings of transactional conversations with customers do not delete or mask the credit card details in the recordings.

For further information on how Veritape can help get your company PCI compliant, call our team on 0845 899 5500 or contact us.