The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant.
More information is available on the official PCI website.
IVRHQ is a PCI Compliant merchant and can securely accept credit card payments for its services.
Applications built with IVRHQ are not covered under IVRHQ ’s compliant status as a merchant.
IVRHQ recommends that customers seek guidance from their legal counsel for any compliance questions concerning their applications. See the questions below for further details.
According the official PCI website, if a customer application processes, transmits or stores credit, debit or prepaid card data, then they are responsible for ensuring that their application is PCI compliant. Merely using IVRHQ for customer transactions does not exclude any company from PCI compliance regulations, as PCI compliance obligations apply to all organizations and merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
Many businesses have architected their applications in a PCI compliant manner, while still using IVRHQ for part(s) of their workflow. The key is to avoid processing, storing and transmitting cardholder data on IVRHQ. Some techniques that customers have used are as follows:
Verifying a customer’s account using only the last few digits of the PAN via voice, SMS (short messaging services) or DTMF (dual-tone multi-frequency) dialing.
Ensuring that the customer application never transmits entire cardholder data over unencrypted channels including voice, SMS or DTMF.
Not retaining sensitive authentication data after authorization
For telephone operations, “sensitive authentication data” means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.
The Payment Application Data Security Standard (PA DSS) applies to payment processors. IVRHQ recommends that customers familiarize themselves with the PA DSS requirements and security assessment procedures. Use of a PA DSS compliant application by itself does not make an entity PCI DSS compliant, because the application must be implemented in conformity with the overall PA-DSS Implementation Guide.
Also, the list above is not meant to be comprehensive or replace the PCI standards and guidelines described above. Customers will need to ensure that their applications meet those guidelines. As always, IVRHQ recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications.
According to the PCI website, cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Cardholder Data is a Full magnetic stripe or the PAN plus any of the following items.
Primary Account Number (PAN)
What is considered Sensitive Authentication Data (SAD)?
Full Magnetic Stripe Data
IVRHQ utilizes a third party to process all credit card payments (a tokenization service). Because of this, IVRHQ does not store any customer Cardholder Data.