NICE Helps You Ensure Cardholder Information Security

How NICE Can Support You In Protecting Your Customers Against Identity Fraud

Meeting PCI-DSS (Credit Cardholder Information Security) Requirements with Your NICE Solution

High-profile corporate data breaches are rampant. With some companies reporting damages in the tens of millions of dollars, following the PCI Data Security Standard (PCI DSS) more diligently and ensuring compliance is now at the top of the agendas of corporate IT executives worldwide.

So what is PCI DSS, and how does it affect your contact center?

The payment card industry, through the Payment Card Industry Security Standards Council established by founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, developed the PCI DSS standard to help ensure the safe handling of sensitive information and protect customers against identity fraud. Insecure storage and insecure transmission of cardholder information each constitute a security breach. The risk can come from various sources, whether an employee who attempts to gain unauthorized access to customer data or an outside hacker.

The standard constitutes a set of comprehensive requirements for enhancing payment account data security, including security management, policies, procedures, network architecture, software design and other critical protective measures.

The standard applies to anyone that stores, processes or transmits payment data; merchants, service providers and processors all need to be compliant. It affects all merchants regardless of how they accept cards: face to face, by mail or telephone order, or over the Internet.

If you record customer calls in which bankcard information is provided, your callers want assurance that their account information is safe. Furthermore, PCI DSS compliance helps you manage your risk, avoid punitive measures such as potentially significant fines and, most importantly, protect your corporate brand.

According to the PCI, compliance consists of twelve basic requirements, grouped into six goals, as follows:

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy
  12. Maintain a policy that addresses information security.

NICE helps you meet the PCI DSS requirements and facilitate compliance, while still delivering Insight from Interactions, through NICE Perform’s advanced security capabilities.

First, implementation in a PCI DSS-compliant manner requires that all NICE servers be housed in secure, monitored locations to which only authorized personnel have access. Beyond physical protection, the following steps need to be taken to ensure data security:

  1. Implementing end-to-end Media Encryption
  2. Server hardening, including restricting access to network ports
  3. Updating the NICE servers with the latest certified Microsoft security patches
  4. Installing up-to-date, certified anti-virus solutions
  5. Deploying NICE servers in the correct security zone
  6. Configuring the system to access the database using Windows Authentication only, where possible
  7. Configuring the system to use Active Directory and single sign-on for user authentication, where applicable
  8. Establishing standards for strong passwords and account-lockout policies
  9. Assigning profiles and privileges to NICE users on a strict need-to-know basis
  10. Using the NICE Perform Audit Trail to track malicious activity
  11. Facilitating secure remote access and software updates when needed

Let’s take a closer look at data protection via media encryption. 

When a contact center records its interactions with customers, for example while a customer renews a subscription or changes payment methods, it is capturing sensitive and private cardholder information. Likewise, when capturing the agent’s activity from the agent’s desktop, sensitive cardholder information may again be involved.

When implementing a customer interaction recording solution, an important aspect of the system’s security is its ability to prevent unauthorized parties from accessing sensitive data. Recognizing the need for advanced data protection, and in light of standards such as PCI DSS, NICE has added a major media protection capability: end-to-end media encryption for both voice and screen recording.

NICE Perform uniquely offers true end-to-end Media Encryption, which ensures that both audio and screen media are encrypted immediately upon capture. The media remains encrypted when stored on the logger’s hard disk, backed up to tape or DVD, transferred to long-term storage, or streamed across the network. The media is decrypted only upon playback at the client workstation (or on the Audio Analysis server).

The highlights of the solution are as follows:

  1. End-to-end media encryption for voice and screen recording.
  2. Data is encrypted as close as possible to the time of its creation and to its physical location, in order to reduce potential security breaches and increase data security.
  3. Once encrypted, the media is kept encrypted throughout its life cycle. Data is also written encrypted to local backup tapes, as well as to Storage Center, and to any NAS/SAN or CAS storage supported by Storage Center.
  4. Media is only transmitted over the network in its encrypted format.
  5. The media is decrypted only for playback or for Audio Analysis, and only immediately before playback or the analysis process begins.
  6. Random encryption keys are automatically generated and replaced to secure each recorded channel, using industry-standard 256-bit AES (Advanced Encryption Standard) encryption.
  7. The solution complies with security standards and regulations. More specifically, it employs standard, strong encryption algorithms; sensitive data such as encryption keys is transferred over secured channels only; and the keys are managed and stored in a secured database.

For more information on how to make your NICE environment PCI DSS compliant, contact your local NICE representative.