PCI & Your Call Recording System - Wilmac Company - Blog

PCI & Your Call Recording System

Since the release of PCI-DSS 2.0 several years ago, Contact Centers have struggled to understand its implications for Call Recording. Early on, the Security Standards Council was inundated with requests for clarification. This prompted them to issue an FAQ to clarify the requirements, and in fact, they had to revise that FAQ twice because the questions kept pouring in. Finally, in March 2011, they published an Information Supplement called "Protecting Telephone-based Payment Card Data," which focused exclusively on Call Recording.

So before we go any further, let's provide some clarity. Exactly what does PCI-DSS require as it pertains to your Call Recording system?

First, we have to recognize that there is no doubt that Call Recording is in scope. That means that virtually all of the twelve requirements have some impact on your Call Recording systems. As such, your Contact Center will need to apply the same rigorous evaluation to things like network security, data retention, access control, and audit trails, just to name a few.

PCI-DSS 3.2 states that storage of the card validation code or PIN is prohibited, even if encrypted. So you must either not capture it at all or delete it immediately after verification.

Storage of the Primary Account Number (PAN) is discouraged, but may be permitted if it is deemed necessary to meet the needs of the business. As stated in requirement 3.4, the PAN must be rendered unreadable. As it pertains to Call Recording, this means that the recording must be encrypted or stored in a format equivalent to encryption. PCI-DSS 3.2 states that disk encryption that is native to the operating system or tied to a user account is unacceptable. It must be separate and independent.

Your best bet for addressing these requirements is an automated tool from your Call Recording vendor that stops or pauses recording while the credit card information is being exchanged. This type of tool will detect when your payment application comes up on the agent’s screen, or when the agent clicks on a certain field, such as the card number field. These events are used as “triggers” to stop the recording. Another screen event, such as clicking “submit” or closing the payment window, would then trigger recording to resume. Some applications of this type are designed to work out of the box, with minimal configuration. These are sometimes referred to as “desktop analytics” applications by the Call Recording vendors. Others may offer this function as a custom software development or an “API.” Both methods can be effective. However, if you have a choice, I would recommend leaning toward a solution that doesn’t require software development, since this can often involve extra, unexpected costs to build and maintain. In any case, rigorous testing of an automated solution is highly recommended.
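The trigger-driven pause and resume described above can be tested against a call timeline. The following is an added example, not code from Wilmac or any Call Recording vendor: the event names, timings and function names are constructed assumptions. It computes which parts of a call are recorded and flags any overlap with the interval in which card data was spoken.

```python
# Added illustration: trigger names and timings are constructed, not a vendor API.
PAUSE_TRIGGERS = {"payment_app_opened", "card_field_focused"}
RESUME_TRIGGERS = {"payment_submitted", "payment_app_closed"}

def recorded_segments(events, call_end):
    """Return [(start, end)] in seconds of audio that is actually recorded.

    events: time-sorted list of (t_seconds, event_name); the call starts at 0.
    Recording stays paused if no resume trigger arrives (fail closed).
    """
    segments, recording, seg_start = [], True, 0.0
    for t, name in events:
        if name in PAUSE_TRIGGERS and recording:
            if t > seg_start:
                segments.append((seg_start, t))
            recording = False
        elif name in RESUME_TRIGGERS and not recording:
            recording, seg_start = True, t
        # Repeated pause (or resume) triggers in the same state are ignored.
    if recording and call_end > seg_start:
        segments.append((seg_start, call_end))
    return segments

def leaked_intervals(segments, card_spoken):
    """Overlap between recorded audio and intervals where card data was spoken."""
    leaks = []
    for rec_start, rec_end in segments:
        for card_start, card_end in card_spoken:
            lo, hi = max(rec_start, card_start), min(rec_end, card_end)
            if lo < hi:
                leaks.append((lo, hi))
    return leaks

# Constructed call timeline (seconds from call start).
EVENTS = [
    (40.0, "payment_app_opened"),
    (42.0, "card_field_focused"),
    (61.0, "payment_submitted"),
]
CALL_END = 120.0

if __name__ == "__main__":
    segs = recorded_segments(EVENTS, CALL_END)
    print("recorded segments:", segs)
    print("caller reads card at 45-58s:", leaked_intervals(segs, [(45.0, 58.0)]))
    # Caller starts reading the card before the agent opens the payment screen.
    print("caller starts early at 38s:", leaked_intervals(segs, [(38.0, 58.0)]))
```

The early-caller case shows why a test plan needs timelines where the spoken card data does not line up with the screen events.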

In summary, as long as your Contact Center continues to take credit cards over the phone, your Call Recording systems are in scope for PCI-DSS. When evaluating your systems for compliance, you need to apply the same rigorous evaluation to things like network security, data retention, access control, and audit trails, and all the other DSS requirements.

In particular, you need to focus on requirement 3.2, which prohibits the storage of the card validation codes or PINs, even if encrypted. And you need to focus on requirement 3.4, which requires that the PAN is rendered unreadable.


Publish Date: June 28, 2016 5:00 AM
