What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice that means essentially any merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI Council.
To Whom Does PCI Apply?
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
What are the Six Main Requirements for PCI Compliance?
PCI DSS groups its twelve requirements under six control objectives. The organization must:
1. Build and Maintain a Secure Network:
Install and maintain a firewall configuration to protect cardholder data
Not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data:
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program:
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures:
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks:
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
6. Maintain an Information Security Policy:
Maintain a policy that addresses information security
What Data Can Be Stored But Must Be Protected?
Primary Account Number (PAN). Cardholder name, expiration date and service code may also be stored, but the PAN must be rendered unreadable (for example, truncated or strongly encrypted) wherever it is stored.
What Data Cannot Be Stored?
Full magnetic stripe (track) data
CAV2/CID/CVC2/CVV2 (the 3-digit code on the back of the card) and the American Express CID code (the 4-digit code on the front of the card)
PIN / PIN block
None of this sensitive authentication data may be stored after authorization, even if encrypted.
Is SonicView PCI Compliant?
SonicView call recording software has been developed with PCI DSS in mind to help companies facilitate compliance within the established guidelines. SonicView is a permissions-based solution; only administrators and authorized users have access to call recordings. It can be configured to automatically archive call recordings in order to comply with the data retention requirements of the PCI standards, which call for keeping cardholder data no longer than business, legal or regulatory needs require.
Archived recordings can also be moved to a network storage device that is hardware encrypted to keep all call recordings secure. SonicView enables authorized users to access call recordings via links that are double-clicked for easy playback. All call recordings are stored in a centralized location and cannot be altered or modified by users, so management retains full control over all of its call recording data. Access to that central store should still be restricted to those with a business need-to-know, and access to it logged, as PCI DSS requires.
How SonicView Handles Data That Cannot Be Stored
SonicView allows users to easily stop and start recordings in order to adhere to PCI compliance. Users just have to hit a button to pause recording while taking the 3-digit CVV code or the 4-digit American Express CID code from a customer. Once this information has been provided, the user can simply resume recording the call to complete the transaction. Because the pause is triggered manually, the control only works if agents apply it consistently; recordings should be spot-checked to confirm that no card security codes have been captured, since a recording that contains one cannot be retained, even encrypted.
Contact Us Today – Ensure Your Business is PCI Compliant!
Tel: (503) 439-9338