Glossary of Terms
This glossary covers terms and acronyms used in the call recording, payment card and call centre industries.
Acquirer (or acquiring bank)
A member of a card association (such as Visa or MasterCard) which maintains merchant relationships and receives all card transactions from the merchant.
Cardholder Data
The personally identifiable data associated with a cardholder. It includes account number, expiry date, name, address, and social security number. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Card Validation Value or Code
Data element on a card’s magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
- CAV - Card Authentication Value (JCB International payment cards)
- CVC - Card Validation Code (MasterCard payment cards)
- CVV - Card Verification Value (Visa Inc. and Discover payment cards)
- CSC - Card Security Code (American Express)
Note: The second type of card validation value or code is the three-digit value printed to the right of the credit card number in the signature panel area on the back of the card. For American Express cards, the code is a four-digit unembossed number printed above the card number on the face of all payment cards. The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic. The following provides an overview:
- CID - Card Identification Number (American Express and Discover payment cards)
- CAV2 - Card Authentication Value 2 (JCB payment cards)
- CVC2 - Card Validation Code 2 (MasterCard payment cards)
- CVV2 - Card Verification Value 2 (Visa payment cards)
The generic term used for these codes is CV2. CV2s are forbidden to be stored in any format, including audio, by the PCI security standards. CallGuard will eliminate CV2s from audio recordings automatically.
CLI - Caller Line Identification
Makes a caller’s telephone number visible to the receiver of the call. It tells you which number the person is calling from.
Compensating controls are used when implementing PCI DSS in a business. They are relevant if a company fails to meet a regulatory requirement (often due to legitimate technical or documented business constraints), but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
- meet the intent and rigor of the original stated PCI DSS requirement
- repel a compromise attempt with similar force
- be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)
- be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
CVV / CVV2 / CV2 / CVC / CVC2 - See Card Validation Value or Code
The Direct Dial-In (DDI) is the phone number somebody dials in order to speak with you. A single call centre may have many different DDIs, representing different clients, or different channels of communication. Your phone system may display the DDI prior to your answering the call, so you can determine the appropriate way to answer.
DTMF – Dual Tone Multi Frequency
The signal generated when a telephone’s touch keys are pressed. With DTMF, each key press generates two tones of specific frequencies. One tone is generated from a high-frequency group of tones and the other from a low-frequency group, so that each combination is unique.
CallGuard will automatically eliminate DTMF tones from the phone signal being recorded by your call recorder. In this way, your customers can pass credit card and other details to your contact centre without having them stored in your recordings, thus meeting PCI DSS requirements.
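The two-tone structure described above is what makes key presses detectable and removable in recorded audio. The following is an added illustration, not CallGuard's implementation and not part of the original glossary: it finds frames whose energy sits in one low-group and one high-group tone and zeroes them. The frequency values are the standard DTMF assignments (not listed in this glossary); the 8 kHz rate, frame size, threshold and all function names are assumptions, and the audio is constructed.

```python
import math

RATE, FRAME = 8000, 205          # 8 kHz telephony audio, ~25 ms frames (assumed)
LOW = (697, 770, 852, 941)       # standard DTMF low-group frequencies, Hz
HIGH = (1209, 1336, 1477, 1633)  # standard DTMF high-group frequencies, Hz
KEYS = ("123A", "456B", "789C", "*0#D")

def mix(freqs, seconds, amp=0.4):
    """Constructed test audio: a sum of sine waves (silence if freqs is empty)."""
    return [amp * sum(math.sin(2 * math.pi * f * n / RATE) for f in freqs)
            for n in range(round(seconds * RATE))]

def key_tone(key, seconds=0.1):
    row = next(r for r, k in enumerate(KEYS) if key in k)
    return mix((LOW[row], HIGH[KEYS[row].index(key)]), seconds)

def goertzel(frame, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    c = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + c * s1 - s2, s1
    return s1 * s1 + s2 * s2 - c * s1 * s2

def detect(frame, share=0.5):
    """Key whose low+high tone pair holds most of the frame's energy, else None."""
    energy = sum(x * x for x in frame) * len(frame) / 2  # scaled to Goertzel units
    if len(frame) < FRAME or energy < 1e-6:
        return None
    lo = max(range(4), key=lambda i: goertzel(frame, LOW[i]))
    hi = max(range(4), key=lambda i: goertzel(frame, HIGH[i]))
    pair = goertzel(frame, LOW[lo]) + goertzel(frame, HIGH[hi])
    return KEYS[lo][hi] if pair / energy >= share else None

def redact(samples):
    """Return (key presses muted, cleaned audio); the digits are never returned."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    hits = [detect(f) for f in frames]
    presses, clean = 0, []
    for i, f in enumerate(frames):
        if hits[i] and hits[i] != (hits[i - 1] if i else None):
            presses += 1
        # Guard frames: a neighbour of a hit may hold the edge of the tone.
        near = any(hits[max(0, i - 1):i + 2])
        clean += [0.0] * len(f) if near else f
    return presses, clean

# Constructed call: "speech" stand-in (440 Hz + 1 kHz) around three key presses.
SPEECH, GAP = mix((440, 1000), 0.2), mix((), 0.05)
CALL = SPEECH + key_tone("4") + GAP + key_tone("2") + GAP + key_tone("9") + SPEECH
```

Muting the neighbouring frames matters because a tone rarely starts on a frame boundary, so a frame holding only the first or last few milliseconds of a key press can fall below the detection threshold while still carrying the tone.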
Encryption
The process of transforming information using an algorithm to make it unreadable to anyone except those possessing a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).
Extension-side recording refers to the call recording system being connected to the extension side of a telephone switch.
FSA – Financial Services Authority
The regulator of the UK financial services industry.
Interactive voice response (IVR) is a phone technology that allows a computer to detect voice and touch tones using a normal phone call. This is typically what is used when you hear “Press 1 to talk to Sales, Press 2 to talk to Support”, etc., when you call a company.
Line side recording - See Trunkside recording
Magnetic Stripe Data (Track Data)
Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Merchants are not permitted to retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/Card Validation Value/Code, and proprietary reserved values must be purged; however, account number, expiration date, name, and service code may be extracted and retained, if needed for business.
A block of data being moved from one location to another.
The Primary Account Number (PAN) is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It’s also called Account Number.
Using CallGuard, you can automatically eliminate the PAN from recorded telephone calls.
PSP - Payment Service Provider
Offers merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking. Some PSPs provide unique services to process other next generation methods (Payment systems) including cash payments, wallets such as PayPal, prepaid cards or vouchers, and even paper or e-check processing.
PCI DSS – Payment Card Industry Data Security Standards
Payment Card Industry is a global body operated by Visa, Mastercard, Amex, etc. It was established to ensure merchants meet minimum levels of security when they store, process and transmit cardholder data. Data Security Standards refers to the worldwide information security standard which governs card transactions. Every business which takes card payments is required to comply with the PCI DSS, on penalty of fines or (ultimately) the withdrawal of payment facilities.
PCI SSC - Payment Card Industry Security Standards Council
The governing organisation responsible for promoting the PCI Security Standards, including the Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
QSA – Qualified Security Assessor
Organisations which are authorized to validate a company’s adherence to PCI DSS requirements.
Router
A physical piece of hardware which directs and forwards information. Routers are typically used to allow groups of computers to communicate with each other, such as in an office, or between one PC and the internet.
SAD - Sensitive Authentication Data
Sensitive Authentication Data is security-related information used to authenticate cardholders and authorise card transactions. Sensitive Authentication Data elements include Magnetic Stripe data and the Card Validation Code - the three or four digit number security code found either on the front or on the back of a card (a.k.a. CVV, CVV2).
Telephony Application Programming Interface (TAPI) is an interface which delivers information about a telephone system to a desktop computer. Typically, TAPI data includes:
- the phone number of the person who is calling (CLI)
- the phone number they dialled to talk with you (DDI)
- information about activity on a particular telephone extension (such as “Extension 17 just started a new call”)
TAPI is a common form of communication between telephone systems and computers. Most telephone systems are capable of transmitting TAPI information to a computer network, but need to be explicitly activated to do so. Your telephony provider may charge extra to enable TAPI on your phone system.
Supplier of telecommunications services.
A computer system where most or all of the processing is done centrally, on a server. End users typically have a keyboard, mouse and a monitor, but no applications/programs are ‘run’ on their computer. Instead, all applications/programs from all users are run on a central, powerful, server. The keyboard/mouse actions are sent from the end-user to the server, and the required screen display is sent back.
A trunk is a line or link that can handle many simultaneous signals, and joins major switching centres (such as telephone exchanges) in a communications network. Trunks are used to interconnect switches to form networks. A trunk can carry telephone calls from a call centre to the local Exchange. Trunkside recording means that the call recording system is connected on the “trunk side” of the switch. (The opposite of ‘trunkside’ is ‘extension-side’, meaning the call recording system is connected to the extension side of a telephone switch.)
Voice-over-Internet-Protocol (VoIP) is a system for sending voice data (typically telephone calls) through the Internet or other packet-switched networks. The ‘IP’ in VoIP stands for ‘internet protocol’, which is the method used to send information in ‘packets’ across the internet.
CallGuard will eliminate your customers’ sensitive credit card data from your VoIP call recording system, automatically.