Since the release of PCI-DSS 2.0 several years ago, Contact Centers have struggled to understand its implications for Call Recording. Early on, the Security Standards Council was inundated with requests for clarification. This prompted the Council to issue an FAQ to clarify the requirements, and it had to revise that FAQ twice because the questions kept pouring in. Finally, in March 2011, it published an Information Supplement called Protecting Telephone-based Payment Card Data, which focused exclusively on Call Recording.
So before we go any further, let’s provide some clarity. Exactly what does PCI-DSS require of your Call Recording system?
First, we have to recognize that there is no doubt that Call Recording is in scope. That means that virtually all of the twelve requirements have some impact on your Call Recording systems. As such, your Contact Center will need to apply the same rigorous evaluation to things like network security, data retention, access control, and audit trails, just to name a few.
PCI-DSS 3.2 states that storage of the card validation code or PIN is prohibited, even if encrypted. So you either cannot capture it or you need to delete it immediately after verification.
Storage of the Primary Account Number (PAN) is discouraged, but may be permitted if it is deemed necessary to meet the needs of the business. As stated in requirement 3.4, the PAN must be rendered unreadable. As it pertains to Call Recording, this means that the recording must be encrypted or stored in a format equivalent to encryption. PCI-DSS 3.2 states that disk encryption that is native to the operating system or tied to a user account is unacceptable. The encryption must be separate and independent.
Your best bet for addressing these requirements is an automated tool from your Call Recording vendor that stops or pauses recording while the credit card information is being exchanged. This type of tool will detect when your payment application comes up on the agent’s screen, or when the agent clicks on a certain field, such as the card number field. These events are used as “triggers” to stop the recording. Another screen event, such as clicking “submit” or closing the payment window, would then trigger recording to resume. Some applications of this type are designed to work out of the box, with minimal configuration. These are sometimes referred to as “desktop analytics” applications by the Call Recording vendors. Others may offer this function as a custom software development or an “API.” Both methods can be effective. However, if you have a choice, I would recommend leaning toward a solution that doesn’t require software development, since this can often involve extra, unexpected costs to build and maintain. In any case, rigorous testing of an automated solution is highly recommended.
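The trigger logic described above can be exercised offline before it is trusted on live calls. The following is an added example, not code from this article or from any recording vendor: the event names and the functions `recorded_segments` and `leaked_audio` are hypothetical, and the call timelines are constructed.

```python
# Added example: event names and functions are hypothetical, not a vendor API.
PAUSE_TRIGGERS = {"payment_window_open", "card_field_focus"}
RESUME_TRIGGERS = {"submit_click", "payment_window_close"}

def recorded_segments(events, call_end):
    """Return [(start, end)] intervals of audio that were recorded.

    events: time-ordered (seconds, name) screen events; recording starts at 0.
    """
    segments, seg_start = [], 0.0  # seg_start is None while recording is paused
    for t, name in events:
        if name in PAUSE_TRIGGERS and seg_start is not None:
            if t > seg_start:
                segments.append((seg_start, t))
            seg_start = None
        elif name in RESUME_TRIGGERS and seg_start is None:
            seg_start = t
        # A repeated pause trigger, or a resume while recording, changes nothing.
    if seg_start is not None and call_end > seg_start:
        segments.append((seg_start, call_end))
    return segments

def leaked_audio(segments, card_spoken):
    """Return the parts of the card_spoken intervals that overlap recorded audio."""
    leaks = []
    for s_start, s_end in card_spoken:
        for r_start, r_end in segments:
            lo, hi = max(s_start, r_start), min(s_end, r_end)
            if lo < hi:
                leaks.append((lo, hi))
    return leaks

# Constructed test call: 300 s long, card details read out between 122 s and 150 s.
CALL_END = 300.0
CARD_SPOKEN = [(122.0, 150.0)]
GOOD_CALL = [(118.0, "payment_window_open"), (120.0, "card_field_focus"),
             (155.0, "submit_click")]
# Constructed failure: the agent asks for the card before opening the payment screen.
LATE_TRIGGER = [(130.0, "payment_window_open"), (155.0, "submit_click")]

if __name__ == "__main__":
    for label, ev in (("good", GOOD_CALL), ("late trigger", LATE_TRIGGER)):
        segs = recorded_segments(ev, CALL_END)
        print(label, segs, "leaks:", leaked_audio(segs, CARD_SPOKEN))
```

A non-empty result from `leaked_audio` means card data reached the recording, which is the case a test plan for an automated pause and resume tool needs to catch.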
In summary, as long as your Contact Center continues to take credit cards over the phone, your Call Recording systems are in scope for PCI-DSS. When evaluating your systems for compliance, you need to apply the same rigorous evaluation to things like network security, data retention, access control, and audit trails, as well as all the other DSS requirements.
In particular, you need to focus on requirement 3.2, which prohibits the storage of the card validation codes or PINs, even if encrypted. And you need to focus on requirement 3.4, which requires that the PAN is rendered unreadable.
Publish Date: June 28, 2016 5:00 AM