Achieving PCI Compliance Begins with a Plan: Steps
to Manage Your Sensitive Data
By Ed Kawecki
May 2010
Given all the advanced communications technologies that have come on the market in the past fifteen years, there is no easier or more cost-effective way to document a transaction than to capture and retain a recording of that conversation. This is why an increasing number of organizations have been expanding the number of customer transactions they record.
While the business drivers for recording are significant – and include streamlining business processes and agent monitoring – the information discussed during a recorded conversation is often sensitive and protected by its own set of regulations. In this article, I discuss one such set of regulations, the Payment Card Industry Data Security Standard (PCI DSS), and suggest a few strategies for achieving compliance.
The PCI DSS was created in September 2006 when five of the leading payment brands initiated a set of standards to protect customer credit card information. As the role of credit cards has expanded over the past decade, so have the instances of identity theft and related crimes. In 2005, Gartner reported that at least one third of all illegal transfers, withdrawals, and purchases resulted from electronic theft. Something had to be done to protect the consumer as well as the financial institutions that underwrite the credit cards being stolen. The PCI DSS regulation was the result.
At a high level, the standard takes the form of twelve requirements, each of which addresses a specific aspect of PCI data security. These include information access (passwords), network architecture, data storage (encryption), policy compliance (audit trail), retention, and other critical protective measures.
The requirements of the PCI Security Standards Council provide the following guidance:
1) Install and maintain a firewall to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords
3) Protect stored cardholder data
4) Encrypt transmission of data across open and public networks
5) Use and regularly update antivirus software
6) Develop and maintain secure systems and applications
7) Restrict access to cardholder data by business need-to-know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
12) Maintain information security for employees and contractors
While at first glance implementing the requirements of PCI DSS seems to be a significant undertaking, upon closer inspection PCI DSS mostly demands basic, sound security practice. These steps represent the standard operating procedure for information security in many organizations and would likely be present even if there were no requirement for PCI compliance. They are steps that every business should take to protect data and ensure the continuity of operations.
Predictably, there are many recording systems with features that help organizations meet requirements for security. However, there are no PCI-compliant products; it is the company itself that becomes compliant through adherence to these requirements. While I have seen a wide range of acceptable approaches to meeting these requirements, I have found the following methodology helpful in defining a plan for managing recorded media and achieving PCI compliance.
- Step 1: Verify the business case for recording. While I do not suggest unplugging recorders, companies do need to determine if they are recording too many calls or retaining those calls longer than required for the business case.
- Step 2: Acquire technology that can store recorded calls in a standard encryption protocol (such as AES 256), and mask or mute calls that contain sensitive information to restrict access by unauthorized staff.
- Step 3: Define requirements for personnel who need access to recorded information; create a process to audit that access.
- Step 4: Develop a media disposal policy. Limit retention times to no longer than required by the business case, and ensure that either the technology or personnel can implement that policy.
In terms of an adequate call recording system, there are several other key components and functions you should look for to ensure sufficient protection for your organization, including:
- Enhanced security features, such as unique user IDs, alphanumeric passwords, domain authentication, and account-lockout mechanisms
- 256-bit Rijndael AES audio encryption and standard MD5 fingerprinting
- Audit trails that allow individual call and user access to be monitored
- Detailed reporting
- The ability to delete stored data and calls from the recording server after a preset time interval
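The four-step methodology above and the feature list that follows it describe the same control loop: a retention window per business case (Steps 1 and 4), need-to-know access with an audit trail (Step 3 and the audit-trail feature), an integrity fingerprint on each stored recording (the MD5 fingerprinting feature), and automatic disposal after a preset interval. The following Python program is an added illustration of that loop; it is not CyberTech's software or anything from the article. The business-case names, retention periods, roles, call IDs and audio bytes are all constructed for the example, and the hashing, access-check and disposal logic are this example's own choices.

```python
"""Retention, need-to-know access, audit trail and integrity fingerprinting
for a catalogue of recorded calls. Illustrative example; every name and
value below is constructed, not taken from any product or standard."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Steps 1 and 4: retention window in days per business case (constructed values).
RETENTION_DAYS = {"dispute_evidence": 180, "agent_monitoring": 30}

# Step 3: roles with a business need-to-know for recordings holding cardholder data
# (constructed role names).
ROLES_WITH_CARD_DATA_ACCESS = {"fraud_analyst", "compliance_officer"}


@dataclass
class Recording:
    call_id: str
    recorded_at: datetime
    business_case: str
    contains_card_data: bool
    audio: bytes
    fingerprint: str = ""  # hex digest set at ingest, re-checked before playback


@dataclass
class AuditEvent:
    at: datetime
    user: str
    role: str
    call_id: str
    action: str
    outcome: str


def fingerprint(audio: bytes) -> str:
    # The article names MD5 fingerprinting; it catches accidental corruption, but
    # SHA-256 is the stronger choice today because MD5 collisions are practical.
    return hashlib.md5(audio).hexdigest()


def ingest(call_id, recorded_at, business_case, contains_card_data, audio):
    # Refuse to store a call that no retention policy covers (Step 1).
    if business_case not in RETENTION_DAYS:
        raise ValueError(f"no retention policy for business case {business_case!r}")
    return Recording(call_id, recorded_at, business_case, contains_card_data,
                     audio, fingerprint(audio))


def verify_fingerprint(rec: Recording) -> bool:
    return fingerprint(rec.audio) == rec.fingerprint


def request_playback(rec, user, role, audit, now) -> bool:
    # Every request, allowed or denied, lands in the audit trail (Step 3).
    allowed = (not rec.contains_card_data) or role in ROLES_WITH_CARD_DATA_ACCESS
    if allowed and not verify_fingerprint(rec):
        allowed, outcome = False, "denied: fingerprint mismatch"
    else:
        outcome = "allowed" if allowed else "denied: role lacks need-to-know"
    audit.append(AuditEvent(now, user, role, rec.call_id, "playback", outcome))
    return allowed


def due_for_disposal(catalog, now):
    # Calls older than their business case's retention window (Step 4).
    return [r.call_id for r in catalog
            if now - r.recorded_at > timedelta(days=RETENTION_DAYS[r.business_case])]


def dispose(catalog, now, audit, user="retention-job"):
    # Returns the surviving catalogue and records each deletion in the audit trail.
    due = set(due_for_disposal(catalog, now))
    for call_id in sorted(due):
        audit.append(AuditEvent(now, user, "system", call_id, "dispose", "deleted"))
    return [r for r in catalog if r.call_id not in due]


# Constructed sample catalogue: a fixed "now" keeps the run deterministic.
NOW = datetime(2010, 5, 15, tzinfo=timezone.utc)
SAMPLE_CATALOG = [
    ingest("c-1001", NOW - timedelta(days=200), "dispute_evidence", True, b"audio-1001"),
    ingest("c-1002", NOW - timedelta(days=10), "dispute_evidence", True, b"audio-1002"),
    ingest("c-1003", NOW - timedelta(days=45), "agent_monitoring", False, b"audio-1003"),
]


def run_demo():
    audit = []
    rec = SAMPLE_CATALOG[1]  # recent call containing cardholder data
    qa_ok = request_playback(rec, "alice", "qa_supervisor", audit, NOW)   # denied
    fraud_ok = request_playback(rec, "bob", "fraud_analyst", audit, NOW)  # allowed
    kept = dispose(SAMPLE_CATALOG, NOW, audit)                            # c-1002 survives
    return {"qa": qa_ok, "fraud": fraud_ok, "kept": [r.call_id for r in kept],
            "audit": [(e.call_id, e.action, e.outcome) for e in audit]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of separating `due_for_disposal` from `dispose` is that the retention job can be reviewed (what would be deleted today?) before it acts, and the audit list gives the evidence of both access decisions and deletions that Step 3 and the audit-trail feature call for.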
Furthermore, these security elements combined with the four-step methodology can help your enterprise move along the path to attaining compliance with PCI DSS regulations and protect your organization from unnecessary risk and liability.
Ed Kawecki is senior product manager for CyberTech International, a global call-recording provider offering secure, open, and future-proof solutions for organizations to improve performance, optimize service, mitigate risk, lower costs, and maintain compliance.