The issue of card theft in contact centres is wholly preventable. But until card payments by telephone use DTMF tones to transmit sensitive data, such as with CallGuard, the paying public can only hope their details remain safe.

Would a more stringent vetting process have prevented this latest occurrence of fraudulent misuse of Cardholder Data?

We will never know the answer, but one thing is certain: temptation, coercion, procedural weakness or good-old-fashioned opportunism will not be isolated by an HR Department’s recruitment policy.

The only way to eradicate this type of crime is by eliminating the agent’s exposure to sensitive information.

By removing the spoken word when providing card numbers, a caller can have confidence that their transaction is not exposed to fraudulent agents.

How is this done? By using their own telephone keypad, callers send their card number to the call centre in audio format. Each keypress generates a DTMF (touch-tone) signal. CallGuard’s Filtering technology stops card numbers being stored in call recordings, and CallGuard’s DataShield software stops agents from seeing card data on screen. Working together, card data is removed from temptation.

The solution to restoring faith in telephone payments is in the very hands of the caller – well, their handsets at least …

—

ABOUT VERITAPE AND CALLGUARD

Veritape is a privately owned, innovative technology company specialising in developing powerful PCI DSS compliant call recording software solutions. Veritape has more than a decade of experience in the telecoms industry.

A trusted voice on PCI DSS compliance issues, Veritape is the only call recording company accredited as a PCI SSC Participating Organisation. Veritape regularly helps our customers by representing their views on PCI to the PCI Council.

CallGuard was created by Veritape in 2010. It is a powerfully simple tool which makes recorded calls fully PCI DSS compliant. It works with any call recording system as well as with Veritape’s powerful call recording software.

To find out more about Veritape call recording software visit http://www.veritape.com. For more information on CallGuard, visit http://www.callguard.co.

One of the Council’s key remits is to ensure that the County of Hampshire is well managed, safe and secure and it does this through the provision of a broad range of services to more than 1.25 million county residents. It is vital that, at all times, the Council is able to dependably safeguard the interests of its residents and being PCI DSS compliant falls within this remit.

To read a full case study about how Veritape’s CallGuard product helped Hampshire County Council become PCI DSS compliant for its call recordings, please contact Veritape or click here.

—

ABOUT VERITAPE AND CALLGUARD

Veritape is a privately owned, innovative technology company specialising in developing powerful PCI DSS compliant call recording software solutions. Veritape has more than a decade of experience in the telecoms industry.

A trusted voice on PCI DSS compliance issues, Veritape is the only call recording company accredited as a PCI SSC Participating Organisation. Veritape regularly helps our customers by representing their views on PCI to the PCI Council.

CallGuard was created by Veritape in 2010. It is a powerfully simple tool which makes recorded calls fully PCI DSS compliant. It works with any call recording system as well as with Veritape’s powerful call recording software.

To find out more about Veritape call recording software visit http://www.veritape.com. For more information on CallGuard, visit http://www.callguard.co.

Carnival Corporation & plc, headquartered in Miami, is a global cruise company and one of the largest leisure companies in the world. With a reputation for progression and innovation, its cruise brands include the well-known names of P&O Cruises, Cunard Line, Princess Cruises, Seabourne, P&O Cruises Australia, Holland America Line and Carnival Cruise Lines.

Its UK arm, Carnival UK, is based in Southampton where its large call centre manages calls and bookings from both customers and agents, relating to several of these cruise brands.

Within this busy operation, agents take payments from customers by telephone. As Carnival UK records all of their calls and PCI DSS guidelines prevent the storage of credit card data in recorded calls, Carnival UK was looking to implement a proven solution that would ensure further enhancements to customer data security.

For a copy of the CallGuard case study which details implementation details and benefits to Carnival UK, please contact Veritape or click here.

—

ABOUT VERITAPE AND CALLGUARD

Veritape is a privately owned, innovative technology company specialising in developing powerful PCI DSS compliant call recording software solutions. Veritape has more than a decade of experience in the telecoms industry.

A trusted voice on PCI DSS compliance issues, Veritape is the only call recording company accredited as a PCI SSC Participating Organisation. Veritape regularly helps our customers by representing their views on PCI to the PCI Council.

CallGuard was created by Veritape in 2010. It is a powerfully simple tool which makes recorded calls fully PCI DSS compliant. It works with any call recording system as well as with Veritape’s powerful call recording software.

To find out more about Veritape call recording software visit http://www.veritape.com. For more information on CallGuard, visit http://www.callguard.co.

Shortly after the end of its 2012 financial year, Veritape has today announced all-time record revenue, continuing the increasing trend of recent years. The specialist provider of contact centre call recording and PCI DSS scope reduction products also reported a sharp rise in sales of its CallGuard system.

CallGuard blocks credit card data from any call recording system, ensuring that contact centres comply with the stringent PCI DSS credit card processing security requirements.

Managing Director of Veritape, Cameron Ross, said “We’re very grateful to our long-standing clients for continuing to use Veritape’s call recording software year after year. We’re also really appreciative of all those new companies who have started using CallGuard this year, to block credit card information from other call recording systems.”

Veritape’s CallGuard customer base has grown significantly in the last financial year, ending 31 August 2012.

“The contact centre industry is seeing a rather slow adoption of traditional approaches to PCI DSS and call recording, such as ‘pause and resume’,” said Mr Ross. However, he believes methods such as CallGuard (where the caller continues to talk with the agent throughout the call and is still able to shield their card data by using DTMF keypresses) are seeing much more rapid take-up. “That’s been the message of the year for us: callers want to keep their personal card data private, and are increasingly demanding to make payments using DTMF.”

To make a payment over the phone by DTMF, the caller types credit card numbers into their telephone handset. This means that the call centre agent no longer hears the customer speaking their credit card number. In turn, the customer is assured that their personal card details are safe – not just from call centre agents, but also from people in their workplace or commuter train who may otherwise overhear them.

“From a broad range of new clients, we’re receive a consistent message: DTMF payments are helping us not just to protect customers’ credit card details and comply with the PCI DSS, but also to improve the customer experience at the same time,” said Mr Ross.

Further, Mr Ross believes that the increasing desire to meet both compliance and customer service requirements is not unique to any one sector: “It’s such a diverse range of companies moving in this direction. From specialist home-working provider Sensée, to Carnival Cruises, one of the world’s largest vacation companies, to Trulia, a rapidly-growing USA real estate and rental listings site with 450 staff. These are the sort of companies adopting DTMF payments using CallGuard.”

“This year we’ve also implemented with some major international outsourcers. One is Affinion Group, which is very pleasing; they have 3000 employees. Once, large outsourcers thought it was too difficult to implement a PCI DSS-compliant call recording system in an environment where they use multiple payment applications. CallGuard is showing them that actually the opposite is true, and I think it marks a real turning point for compliance activities within the outsourcing industry.”

Such strong demand in the market for CallGuard has also resulted in a new major supply agreement between Veritape and a leading call recording supplier. Through this new partnership, CallGuard will be delivered to new customers in every market globally.

Mr Ross explains: “In recent years, we have established a trusted network of resellers and referral partners in North America, Australia and Europe. This new agreement has extended that reach substantially, opening new doors for our CallGuard technology in every country. We’re particularly excited to have a global reach for CallGuard, as the demand for PCI DSS call centre products hots up in markets like Asia and the Middle East.”

ABOUT VERITAPE AND CALLGUARD

Veritape is a privately owned, innovative technology company specialising in developing powerful PCI DSS compliant call recording software solutions. Veritape has more than a decade of experience in the telecoms industry.

A trusted voice on PCI DSS compliance issues, Veritape is the only call recording company accredited as a PCI SSC Participating Organisation. Veritape regularly gives direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.

CallGuard was created by Veritape in 2010. It is a powerfully simple tool which makes recorded calls fully PCI DSS compliant. It works with any call recording system as well as with Veritape’s powerful call recording software.

To find out more about Veritape call recording software visit http://www.veritape.com. For more information on CallGuard, visit http://www.callguard.co.

It’s in this simple way that companies use CallGuard to provide PCI DSS compliance for their call recordings.

Using the handy demonstration phone line, callers gain a strong impression of how real call centre customers continue to talk with an agent during a payment transaction. They can also easily comprehend how real customers can use their credit card for a transaction, but not give their card data to the call centre agent. With CallGuard, customers are not transferred to an automated “robot” such as an IVR, to take payments – they continue talking with their call centre agent. This ensures that the customer experience is second-to-none, and the call centre agent retains control of the call throughout.

CallGuard is a true bolt-on for any existing recording system. It doesn’t require changes to a call centre’s payment, telephony or CRM systems. CallGuard can isolate call centre agents from seeing cardholder data on their screen. If screen recording is in use, then this same approach ensures full PCI DSS compliance for them – no cardholder data appears on the screen, and so the screen recordings don’t store it.

To try the CallGuard demonstration yourself in the UK, dial 08458 99 55 00 and press extension 1. In the USA, dial 917 791 1063 and press extension 1. For all other countries, please dial +44 8458 99 55 00 and press extension 1.

Once the demonstration recording is made, we will email it to you so you can hear how CallGuard will work with your own recording system.

It may be true that this is a new feature for hosted predictive diallers, but let’s be clear about one thing:

• Manually pausing and resuming call recording is not an acceptable method of eliminating cardholder data

There are a few issues with manual pause and resume:

• Agents can pause recording whenever they want. This means agents can mute/pause a recording, say whatever they like to a caller, and then start the recording again. It is precisely this lack of transparency (allowing agents to say whatever they want with no effective monitoring)  that call centre operators don’t like.
• Agents can forget to start the pause, which leads to sensitive cardholder data being stored in the recordings (against PCI DSS guidelines)
• Agents can forget to stop the pause, which leads to the continued masking/blanking of an ongoing conversation, at precisely the time when transactional details are being discussed with the customer.

The solution publicised today is described as giving the agent the ability to “skip recording for 3-10 second pre-set intervals while a customer provides his payment card’s CVV”. Whilst well-intentioned, there is a big problem here:

• The “CVV” is the 3- or 4-digit security check code on your card. Whilst is is forbidden under the PCI DSS to store this code post-authorisation, it is also a requirement that the long card number (PAN) is encrypted if it’s stored. No mention of that here, or on the company’s website. One therefore has to assume that encryption is not in place, and therefore the recordings at not compliant with the PCI DSS.
• Pre-set timings like this inevitably mean that cardholder data is stored on a call. Just imagine what happens if a customer is unable to enter their 16-digit PAN in 10 seconds.

So what’s a better approach? Here are two:

• Integrate your desktop payment tools to automatically pause a call at the point payment information starts being taken, to automatically resume recording afterwards. For most systems, this is the “it-should-work-ok” approach. However, it tends to be very complicated, as the tie-up between a desktop application (where the payment information goes) and the back-end phone recorder is very challenging. There is no direct ‘map’ between a desktop and the telephone line being recorded, and so signalling to the recorder that it’s time to pause/unpause is really very tricky to do properly. Typically, this results in the recordings for line A being paused when customer B is giving card data. So recording A loses salient information for no good reason, and customer B’s card data is still stored. This is not useful in any sense. (If, however, you use Veritape call recording which records on the desktop, there is no ‘mapping’ required….. problem solved!)
• Use CallGuard, which automatically ‘bleeps’ the credit card information as the user provides it. Whether the user is fast or slow, you don’t have to worry. CallGuard ensures that as the customer types credit card information into the telephone handset, the tones produced are automatically blanked from your call recordings. If they make a mistake, no problem - they just re-enter the digits. While a fixed “3-10 second pre-set interval” will fail to block card data from recordings, CallGuard blocks it every time - both the long card number and the short check digits. Simple. And, unlike with IVRs, with CallGuard the caller and the agent continue talking with each other during the transaction. No interruptions, no transfers to a robot, no problems.

One final thing: the PCI Security Council itself does not allow manual pause and resume as a way of blocking cardholder data from call recordings. Their publication “Protecting telephone-based payment card data” (PDF file) specifically says that if you take credit card details over the phone, you need to:

• “remove sensitive authentication data from [your] recordings, automatically (with no manual intervention by your staff)”.

And with CallGuard, that’s simple.

PCI DSS requirements dictate how companies need to handle credit card information. There is no suggestion that the call centre which employed the recently-jailed man was failing in its PCI DSS obligations. However, as is increasingly clear, stopping agents from handling cardholder data is by far the easiest way to avoid this sort of embarrassing publicity (with its associated brand damage).

It is even more imperative that well-known brands (such as the UK bank involved in the Coventry fraud case) ensure that the white-label call centres who perform a service on their behalf eliminate all credit card data from agents. After all, in a data breach, the (typically anonymous) outsourced call centre operator receives no brand damage - the high-street brand is the one which suffers.

Although it may sound counter-intuitive,  CallGuard allows call centre agents to continue taking card information directly from customers, with no changes to their existing payment or telephone systems.

CallGuard can stop agents and other staff members from:

• hearing cardholder data in call recordings
• seeing cardholder data on screen

In conjunction with a secure hosted portal, CallGuard can also:

• eliminate the storage of cardholder data in databases and back-end processes such as CRM and order processing systems
• stop the transmission of cardholder data across data networks

CallGuard and its associated secure hosted portal can radically reduce your PCI DSS scope - contact us now to find out how.

What is DTMF? Is it widespread?

DTMF stands for “Dual Tone, Multi-Frequency”. It’s a universal standard for sending digits (and some other characters) over the phone.  DTMF is built into every modern telephone - home, office or mobile.

Is DTMF widely used to take information from customers?

Absolutely. Tens of thousands of companies use DTMF to take card payments, PINs and other sensitive data from their customers, including:

• Cinemas and entertainment venues
• Banks and credit card companies (often used as a security measure prior to talking with a staff member)
• Insurance companies
• Cable and satellite television companies
• Healthcare organisations

What is DTMF? Is it widespread?

Why take sensitive data from customers using DTMF?

Because it’s much more secure, and gives customers more confidence that their data is being protected.

Also, taking card details by DTMF can decrease your average call handling time (AHT), as agents do not ‘read back’ a customer’s card details to them (i.e. since they can’t see the card details, they can’t say “1234 (pause) 1234 (pause)” etc. after each series of digits the customer reads to them.

The possibility of errors occurring is also reduced as there is only one phase of data entry:

• without DTMF:  the customer reads out the data and the agent types it in (two chances for error)
• with DTMF: the customer types in the data (one chance for error).

Why are DTMF card details more secure than spoken card details?

Sending sensitive data such as credit card numbers as DTMF has a clear security advantage: DTMF can’t be easily understood by humans, but it is very easily detectable by phone systems or computers.

Therefore, sensitive information can be isolated from both call recording systems and also contact centre staff. Without DTMF, spoken card details can end up permanently stored in call recording systems, and can be stolen by contact centre staff.

What are the benefits for your customers?

By entering their personal data using their phone, your customers are more protected from data theft too. Those around them, whether it be in a busy office or on a crowded train, cannot hear (and hence steal) their card payment details. As a result, your customer feels more secure – a feeling which reflects well on your organisation.

A 2009 UK survey of two groups of customers, one speaking their card details and one typing in their card details, found an increase in customer satisfaction scores in the group using DTMF.

Veritape’s view is that your customers will appreciate the ‘anonymity’ of their personal data.

What changes are needed to your internal payment processes?

With CallGuard, Veritape’s product for DTMF data entry, there are no changes required to your internal payment processes. (Or your CRM system, or the applications your staff use.)

What changes are needed to staff training?

One very minor change is needed. Instead of asking a customer to speak their card details, your staff member will need to ask for them to be typed in using the customer’s telephone keypad.

What should staff members say to your customers?

Here are some suggestions:

• Using your telephone keypad, could you please now enter the long number from the front of your card?
• To allow us to process your card details securely, please type in the long number from the front of your card, using your telephone keypad. (And then) Thanks, now please type the 3-digit security code from the back of the card.

Which details can you take by DTMF?

This technology can be used not just for card details, but also customer PINs, passwords, social security number, date of birth, and any other data which can be taken in numeric format.

What if a customer’s phone is a rotary model, which doesn’t support DTMF?

It’s true that there are a few rotary phones still being used, but the number is incredibly small. In the UK, a 2009 study questioned 3,000 people, but was unable to find a single person with a rotary phone.

What about elderly or infirm customers?

A common question, but thankfully not a common problem. It is true that some elderly or infirm people cannot operate a telephone easily. However, entering card data on a telephone is identical to making a phonecall. So, practically, if the customer can call you, they are able to pay using DTMF.

What percentage of callers can’t use DTMF?

Based on a customer base of approximately 50,000 call centre agents taking payments through DTMF tones, it is estimated that fewer than one person in 10,000 cannot pay in this manner (either through infirmity or because they own a rotary telephone).

What can we do on the rare occasion somebody can’t or won’t enter their card data by DTMF?

There are a couple of easy practical things which means you won’t lose your PCI DSS compliance.

Firstly, if possible, transfer the caller to a member of staff who has been authorised to manually stop their call recordings in this situation. This is typically a trusted supervisor or senior manager who can override a call recording process, or whose phone calls are not recorded.

If you are unable to do this, then work with your PCI DSS security advisor or QSA. Show them how you are implementing DTMF as the standard process through which you take card payments, and that there is a very low probability of payments being unable to be made in this manner. QSAs are typically willing to accept that low-probability ‘exceptions’ processes do not add significant cardholder data into your environment.

Do you want to start using DTMF for your business? For more information, please click here to find out more about CallGuard, or contact Veritape online or by calling +44 (0) 845 899 5500.

Organisations taking payments by telephone and recording their calls, and who are looking to make their call recordings PCI DSS compliant, should look no further than CallGuard, from Veritape.

CallGuard delivers PCI DSS compliance to any call recording system by eliminating sensitive card data from telephone conversations before they are recorded. It can also prevent agents from seeing any card data on screen and hence eliminate the potential for card data theft.

How does it work? Customers, when making payments by phone, enter their card details using their telephone keypad. CallGuard automatically detects and blocks DTMF tones (containing the payment card data) from a call recorder. At the same time, CallGuard automatically enters the customer’s card details into the relevant fields on the Agent’s screen. It obscures the card details, so the Agent handling the call never sees the customer’s personal data. The end result is that you can fully observe PCI DSS call recording requirements and continue to record your calls.

However, Veritape’s technology extends wider than call recordings. Having been incorporated within the ExoIS PeepSafe™ solution, Veritape’s technology can also be used to help remove cardholder data from voice, mail and fax channels. It can also remove cardholder data from entire applications and network segments. This technology partnership gives organisations the ability to completely descope their corporate environment from PCI DSS.

ExoIS is a leading provider of information security, compliance services and products and a PCI Qualified Security Assessor Company (QSAC). It is the powerhouse behind PeepSafe™ 2.0, a cost effective, fully managed secure portal environment that incorporates encrypted email, fax, voice messages, online storage and the safe processing of cardholder data.

PeepSafe™ can completely de-scope voice-only environments from PCI DSS, removing the risk of “at home agents.” It can also de-scope entire call centres, ensuring that corporate call recording systems are fully PCI DSS compliant, greatly reducing the risk of agent fraud. Incorporating a tokenization engine and integrating with any internal application, database and payment gateway, PeepSafe™ can be quickly implemented with minimal effect on existing business processes.

Together, CallGuard and PeepSafe™ deliver more choice to organisations looking to de-scope part or all of their operation from PCI DSS.

“Our technology partnership allows us to deliver a choice of unique services to a wide range of customers,” says Cameron Ross, Veritape’s Managing Director. “CallGuard works well for organisations wanting to ensure that their call recordings are PCI DSS compliant. PeepSafe’s™ powerful, fully-integrated reach means that organisations can de-scope themselves entirely from the demands of PCI DSS.  And both PeepSafe and CallGuard put the interests of the customer first, by ensuring that card holder data is robustly secure.”

- Ends -

Notes for Editors:

About Veritape:

• CallGuard makes recorded calls fully PCI compliant. Quick to implement, it works with any call recording system.
• Veritape specialises in developing innovative, powerful, PCI DSS compliant call recording software solutions; we deliver cost-effective, flexible alternatives to traditionally expensive fixed hardware call recording solutions.
• Veritape is the only call recording company accredited as a PCI DSS Participating Organisation. Well regarded within the call recording industry, we regularly give direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.
• Our clients include Jaguar, CPM, Exodus Travel, Intasure, PhotoBox and Mobile Mini.
• For more information about Veritape visit us at www.veritape.com. For more information about Callguard, go to www.callguard.co. For interviews and case studies contact Cathy Gibbon, Marketing Manager on 0845 899 5500 x791.

About ExoIS:

• Founded just before the new millennium in the heart of Silicon Valley, ExoIS provides Information Security and Compliance services and products, helping clients identify and mitigate the risks inherent in today’s increasingly interconnected business environments.
• As a PCI Qualified Security Assessor, today its services include a wide range of PCI services and other security and compliance offerings, covering the full spectrum of clients’ information security requirements.
• ExoIS also offers a range of managed services including secure cloud hosting, datacenter outsourcing, compliance SaaS solutions and storage services. Visit www.exois.com to find out more.

As of 01 October 2012, the TIP will be active in the USA (PDF). To qualify, merchants in the USA need to meet these requirements:

1. The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
2. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
3. At least 75 percent* of the merchant’s total transaction count must originate from dual-interface (contact/contactless) enabled chip-reading device terminals.
4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.

(* Visa Europe stipulates that this figure should be 95% for EU merchants.)

Over time, as EMV enters the US market, and device terminals are changed for those which support EMV, brick-and-mortar retailers could easily find that they’re achieving 75% of payments in dual-interface terminals.

But what about the remaining proportion, some of which may be processed through contact centres? It’s here that meeting the second Visa TIP requirement becomes a challenge. Let’s have a look at it again:

The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.

Historically, this has proven a challenge for organisations of all sizes, in the contact centre environment. Under the PCI DSS requirements, CV2 data must not be stored at all, post-authorisation, in any format. This includes in telephone call recordings. So to ensure that the Visa TIP remains accessible to you, you need to remove CV2 information from your call recording environment, as a minimum.

Luckily, there are 5 ways in which you can do that. Some are easier than others, and some will not be relevant to your situation. We’ve put together a handy guide to help you decide which approach is best for you. You can read it here: http://www.callguard.co/2011/08/five-ways-to-make-call-recordings-pci-dss-compliant/.

One more thing

If you process only Visa transactions, you can stop reading now. Move along, nothing further to see.

Still here? Yes… because as Branden Williams points out, no merchant processes only Visa transactions, right? It therefore seems unlikely that there would be any organisation which could actually use the TIP to reduce its assessment burden right now. However, we concur with Branden, and we hope (even expect?) that the other card brands will follow suit, and allow many merchants to reduce their compliance costs and burden in the near future.