Callstream_Vault

PCI-DSS and Open GI CreditLine Plus - Callstream Add-On Explanation

Question

Hello,

I wanted to take this opportunity to say thank you to the members of the user group who, since 2014, have mentioned, recommended and invested in Callstream Vault to attain PCI-DSS Level 1 compliance when taking card payments over the phone through Open GI CreditLine Plus (see: https://www.opengi.co.uk/broker-software/accounting/creditline-plus/).

What is Open GI CreditLine Plus?

What do the FCA and PCI Security Standards Council advise when it comes to Protecting Telephone-Based Payment Card Data through Open GI CreditLine Plus?

Whilst insurers and brokers are regulated by the FCA, it is the PCI Security Standards Council that would mandate that all insurers and brokers be PCI compliant. PCI-DSS requirements are developed and maintained by the PCI Security Standards Council, but they are not mandated by the FCA.

The PCI Security Standards Council published a supplement on Protecting Telephone-Based Payment Card Data: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf as well as PCI Data Storage Do's and Don'ts: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

(If your business sells Cyber Liability Insurance, you will be aware of the risks of data breaches, data theft, governance and risk.)

Pertinent to PCI-DSS, there are three high-level SYSC rules and guidance set out in the FCA Handbook:

SYSC 3.2.6 - https://www.handbook.fca.org.uk/handbook/SYSC/3/2.html

SYSC 5.1.2 - https://www.handbook.fca.org.uk/handbook/SYSC/5/1.html

SYSC 6.3.6 (4) - https://www.handbook.fca.org.uk/handbook/SYSC/6/3.html

Whilst the FCA set out these rules and guidance in the Handbook, ultimately it is the insurer's or broker's decision which commercial systems and processes it implements.

It is important to remember that PCI standards are enforced by the five payment card brands: VISA, Mastercard, American Express, JCB International and Mastercard.

For reference, Barclays Bank PCI breach penalties (in GBP) passed on to their customers (imposed on Barclays by VISA and Mastercard):

[Image: Cost of PCI breach]

What is Callstream Vault for Open GI CreditLine Plus?

Callstream Vault is a PCI-DSS Level 1 hosted telecoms software-as-a-service with an interface that has been developed with Open GI to connect to Open GI CreditLine Plus. It enables insurers/brokers to securely process card payments over the telephone.

How does Callstream Vault work?

The service can be delivered either by porting your telephone number or by diverting telephone numbers to Callstream's 'PCI-DSS Level 1 Cloud Server', which is a highly encrypted server with software that tells the Open GI CreditLine Plus terminal the customer's card details.

Simply put, your agent prompts your customer to provide their card number over the phone and clicks a button on their computer, at which point the customer is given a verbal prompt to enter their card details on their telephone keypad, followed by their card security number. Throughout the process, the agent does not handle the customer's card data: they neither hear nor see the customer's card details or the tones of the keypad being pressed. The card details are securely received by Open GI CreditLine Plus and the transaction is completed, PCI-DSS Level 1 compliant.

Food for thought: Callstream Vault explained in a 3 minute 16 second YouTube video:

What are the alternatives to Callstream Vault?

It is widely perceived that 'pausing and resuming' call recordings is PCI-DSS compliant, because customers' card details are not being stored by the insurer/broker. However, this involves designing business and IT system processes, whether manual or automated, to pause the call recording and then resume it.

Then there is the effort, time and associated cost of ensuring that these processes are not prone to human or system error, so that card details and data do not accidentally get stored on the call recording.

There is also the element of insider theft risk, which is brought up in Cyber Liability Insurance: does the agent need to hear the card details? Whilst the call recording is paused, what is being said, advised, saved, stored, stolen...

Many thanks and best regards,

Anoop Dhaliwal - Product Specialist - Callstream Vault.

anoop.dhaliwal@callstream.com

Callstream Vault won the Insurance Times - Technology Partnership of the Year - Award in 2014 and 2015.