PCI-DSS and Open GI CreditLine Plus - Callstream Add-On Explanation


Callstream_Vault

Question

Hello,

 

I wanted to take this opportunity to say thank you to the members of the user group who, since 2014, have mentioned, recommended and invested in Callstream Vault to attain PCI-DSS Level 1 compliance when taking card payments over the phone through Open GI CreditLine Plus (see: https://www.opengi.co.uk/broker-software/accounting/creditline-plus/).

 

What is Open GI CreditLine Plus?


What do the FCA and PCI Security Standards Council advise when it comes to Protecting Telephone Based Payment Card Data through Open GI CreditLine Plus?

 

Whilst insurers and brokers are regulated by the FCA, it is the PCI Security Standards Council that would mandate that all insurers and brokers be PCI compliant. PCI-DSS requirements are developed and maintained by the PCI Security Standards Council, but they are not mandated by the FCA.

 

The PCI Security Standards Council published a supplement on Protecting Telephone Based Payment Card Data: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf as well as PCI Data Storage Do's and Don'ts: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

 

(If your business sells Cyber Liability Insurance, you will be aware of the risks of Data Breaches, Data Theft, Governance and Risk). 

 

Pertinent to PCI-DSS, there are 3 High Level SYSC rules and guidance set out in the FCA Handbook:

 

SYSC 3.2.6 - https://www.handbook.fca.org.uk/handbook/SYSC/3/2.html

SYSC 5.1.2 - https://www.handbook.fca.org.uk/handbook/SYSC/5/1.html

SYSC 6.3.6 (4) - https://www.handbook.fca.org.uk/handbook/SYSC/6/3.html

 

Whilst the FCA sets out these rules and guidance in the Handbook, ultimately it is the insurers' and brokers' decision which commercial systems and processes they implement.

 

It is important to remember that PCI standards are enforced by the five payment card brands: VISA, Mastercard, American Express, JCB International and Mastercard.

 

For reference, Barclays Bank PCI Breach penalties in (£GBP) passed on to their customers (imposed on Barclays by VISA and Mastercard):

 

[Image: cost of a PCI breach]

 

What is Callstream Vault for Open GI CreditLine Plus?

 

Callstream Vault is a PCI-DSS Level 1 hosted telecoms software-as-a-service with an interface that has been developed with Open GI to connect to Open GI CreditLine Plus. It enables insurers/brokers to securely process card payments over the telephone.

 

How does Callstream Vault work?

 

The service can be delivered either by porting your telephone number or by diverting telephone numbers to Callstream's 'PCI-DSS Level 1 Cloud Server', which is a highly encrypted server with software that tells the Open GI CreditLine Plus terminal the customer's card details.

 

Simply put, your agent prompts your customer to provide their card number over the phone, clicking a button on their computer, at which point the customer is given a verbal prompt to enter their card details into their telephone keypad, followed by their card security number. Throughout the process, the agent does not handle the customer's card data: they neither hear nor see the customer's card details or the tones of the keypad being pressed. The card details are securely received by Open GI CreditLine Plus and the transaction is completed, PCI-DSS Level 1 compliant.

 

Food for thought, Callstream Vault explained in a 3 minute 16 second YouTube video:


What are the alternatives to Callstream Vault?

 

It is widely perceived that 'pausing and resuming' call recordings is PCI-DSS compliant, because customers' card details are not being stored by the insurer/broker. However, this involves designing business and IT system processes, manual or automated, to pause the call recording and then resume it.

 

Then there is the effort, time and associated cost of ensuring that these processes are not prone to human or system error, so that card details and data do not accidentally get stored on the call recording.

 

There is also the element of insider theft risk, which is brought up in Cyber Liability Insurance: does the agent need to hear the card details? Whilst the call recording is paused, what is being said, advised, saved, stored, stolen...

 


Many Thanks and Best Regards,


Anoop Dhaliwal - Product Specialist - Callstream Vault.

anoop.dhaliwal@callstream.com


Callstream Vault won the Insurance Times Technology Partnership of the Year Award in 2014 and 2015.
