Callstream_Vault posted a question in PCI DSS Compliance

Hello, I wanted to take this opportunity to say thank you to the members of the user group who, since 2014, have previously mentioned, recommended and invested in Callstream Vault to attain PCI-DSS Level 1 Compliance when taking card payments over the phone through Open GI CreditLine Plus (see: https://www.opengi.co.uk/broker-software/accounting/creditline-plus/).

What is Open GI CreditLine Plus?

What do the FCA and PCI Security Standards Council advise when it comes to Protecting Telephone Based Payment Card Data through Open GI CreditLine Plus?

Whilst Insurers and Brokers are regulated by the FCA, it is the PCI Security Standards Council who would mandate that all Insurers and Brokers be PCI compliant. PCI-DSS requirements are developed and maintained by the PCI Security Standards Council, but they are not mandated by the FCA. The PCI Security Standards Council published a supplement on Protecting Telephone Based Payment Card Data: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf as well as PCI Data Storage Do's and Don'ts: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf. (If your business sells Cyber Liability Insurance, you will be aware of the risks of Data Breaches, Data Theft, Governance and Risk.)

Pertinent to PCI-DSS, there are 3 high-level SYSC rules and guidance set out in the FCA Handbook:

SYSC 3.2.6 - https://www.handbook.fca.org.uk/handbook/SYSC/3/2.html
SYSC 5.1.2 - https://www.handbook.fca.org.uk/handbook/SYSC/5/1.html
SYSC 6.3.6 (4) - https://www.handbook.fca.org.uk/handbook/SYSC/6/3.html

Whilst the FCA set out these rules and guidance in the Handbook, ultimately it is the Insurers' and Brokers' decision what commercial systems and processes they implement. It is important to remember that PCI standards are enforced by the five payment card brands: VISA, Mastercard, American Express, JCB International and Mastercard.

For reference, Barclays Bank PCI Breach penalties (in £GBP) passed on to their customers (imposed on Barclays by VISA and Mastercard):

What is Callstream Vault for Open GI CreditLine Plus?

Callstream Vault is a PCI-DSS Level 1 hosted telecoms software-as-a-service with an interface that has been developed with Open GI to connect to Open GI CreditLine Plus. It enables Insurers/Brokers to securely process card payments over the telephone.

How does Callstream Vault work?

The service can be delivered through either porting your telephone number or diverting telephone numbers to Callstream's 'PCI-DSS Level 1 Cloud Server', which is a highly encrypted server with software that tells the Open GI CreditLine Plus terminal the customer's card details. Simply put, your agent prompts your customer to provide their card number over the phone and clicks a button on their computer, at which point the customer is given a verbal prompt to enter their card details into their telephone keypad, followed by their card security number. Throughout the process, the agent does not handle the customer's card data: they neither hear nor see the customer's card details or the tones of the keypad being pressed. The card details are securely received by Open GI CreditLine Plus and the transaction is completed, PCI-DSS Level 1 compliant.

Food for thought, Callstream Vault explained in a 3 minute 16 second YouTube video:

What are the alternatives to Callstream Vault?

It is widely perceived that 'Pausing and Resuming' call recordings is PCI-DSS compliant, because customers' card details are not being stored by the Insurer/Broker. However, this involves designing business and IT system processes, manual or automated, to pause the call recording and then resume it. Then there is the effort, time and associated cost of ensuring that these processes are not prone to human or system error, so that card details and data do not accidentally get stored on the call recording.

There is also the element of insider theft risk, which is brought up in Cyber Liability Insurance: does the agent need to hear the card details? Whilst the call recording is paused - what is being said, advised, saved, stored, stolen...

Many thanks and best regards,

Anoop Dhaliwal - Product Specialist - Callstream Vault. email@example.com

Callstream Vault won the Insurance Times - Technology Partnership of the Year - Award in 2014, 2015.
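The contrast the post draws between manual pause-and-resume and keypad (DTMF) capture, as an added example that is not Callstream's or Open GI's code: a constructed recorder simulation in which a missed pause writes keypad digits into the stored recording, alongside a Luhn-based scan a defender could run over stored call transcripts to detect exactly that leakage. The class, function names and the test card number are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample PAN: a standard test number that passes the Luhn check, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Detection check: 13-19 digit runs that pass Luhn are likely card numbers stored in error."""
    return [m.group(0) for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m.group(0))]


@dataclass
class CallRecorder:
    """Simulated recorder. With dtmf_capture=True keypad digits go to a separate vault, never to the recording."""
    dtmf_capture: bool = False
    paused: bool = False
    recording: list = field(default_factory=list)
    vault: list = field(default_factory=list)   # stands in for the secure payment channel

    def speech(self, words: str) -> None:
        if not self.paused:
            self.recording.append(words)

    def keypad(self, digits: str) -> None:
        if self.dtmf_capture:
            self.vault.append(digits)            # digits never reach the recording
        elif not self.paused:
            self.recording.append(digits)        # manual pause missed: digits are stored


def manual_pause_missed() -> str:
    """Pause-and-resume path where the agent forgets to pause; returns the stored recording."""
    rec = CallRecorder(dtmf_capture=False)
    rec.speech("please read me your card number")
    rec.keypad(TEST_PAN)
    return " ".join(rec.recording)


def automated_capture() -> tuple:
    """DTMF-capture path; returns (stored recording, vault contents)."""
    rec = CallRecorder(dtmf_capture=True)
    rec.speech("please key in your card number")
    rec.keypad(TEST_PAN)
    return " ".join(rec.recording), rec.vault
```

Running find_pans over the output of the two paths shows the leaked PAN only in the manual path, which is the check worth scheduling against any stored recordings or transcripts.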