How to make your call recordings PCI DSS compliant


It’s common practice nowadays for organizations to record telephone calls between staff and customers. This might be for quality control, for staff monitoring and training, or as part of customer service and complaints review. Indeed, in many industries (particularly financial services) the recording of calls is a regulatory requirement. In this article I want to concentrate on the specific issue of taking card payments over the phone and the compliance challenges arising when you need to do this during a call that’s being recorded.

The problem arises with MOTO (mail order / telephone order) card payments. If a customer reads their card details out to your agent and those details are captured in the call recording, the recording becomes a store of cardholder data and falls within the scope of PCI DSS. Worse, if the recording contains the card security code (the three-digit CVV2/CVC2/CV2 printed on the card, four digits on American Express), you are in breach: PCI DSS classes the security code as sensitive authentication data, which must not be stored after authorization in any form, audio recordings included, even if encrypted. The PAN may be stored, but only if it is protected as the standard requires (rendered unreadable and access-controlled), which is very hard to do for a voice file. So how can this be achieved?

There are a number of ways around this problem, each with its own pros and cons.

  1. Don’t record calls at all – In many ways this is the simplest solution. If you’re not recording calls, and the agents who take payments work in a ‘clean room’ environment with no means of writing down or otherwise capturing the card details themselves, then the recording problem disappears (the contact center itself stays in PCI DSS scope, because agents still hear and key the card data, but there is no stored recording to protect). However, you lose all the customer service and complaints-handling benefits of recorded calls, and if you’re in an industry where call recording is a regulatory requirement this option is not available to you in the first place. ‘Clean room’ operation is also unpopular with agents and hard to administer, particularly for agents working from home, as many now do.
  2. Tagging calls and masking card details – Another option is to carry on recording all calls and taking payments as before, tag each call in which a card payment is taken, and go back afterwards to ‘mask’ the card details, for example by overlaying that part of the audio with white noise so the digits cannot be recovered from the recording. This adds a significant administrative burden and depends on people getting it right every time: a call that is not tagged, or a mask applied to the wrong span, leaves the full card details in the recording, whether by accident or by design. Note also that until the masking is done, the unmasked recording is stored card data (security code included), so the recording platform and everyone with access to it are in scope for that window.
  3. Pause and resume – Here either the agent or an automated trigger pauses the call recording at the point where the caller gives their card details and resumes it once the payment has been taken, so the card details never enter the recording. If the agent controls the pause, they may forget to activate it, activate it late, or resume too early, and any such slip puts the card details straight into the recording. The agents themselves still hear the card details and could misuse them. And because a portion of the call is missing, you have no record of what happened during it, which may also put you in breach of call-recording rules such as those laid down by the FCA.
  4. De-scoping your call center and call recordings – CardEasy offers a different way to take card payments over the phone that lets you record the whole call without card data ever entering the recording. With CardEasy, customers key their card numbers in directly on their telephone keypad (DTMF touch tones) rather than reading them out to the agent. The tones are masked before they reach the agent or the recording, so the agent cannot hear or see the card details, and nobody with access to the recording can recover them from it.

This means the whole conversation between customer and agent can be recorded in full, with no need to ‘pause and resume’. As there is no longer any need to break off or mask the recording, there is no room for human error and no gap in the recording during which a mistake could be made or fraud committed. Organizations subject to FCA call-recording rules also remain compliant, as the whole call is recorded.
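As an added worked example (my own code, not CardEasy’s implementation or any other vendor’s), here is the DTMF-masking idea from option 4 reduced to its essentials: a Goertzel detector runs over the call audio in 25 ms frames, any frame carrying a keypad tone is silenced (together with one guard frame on either side) in the copy that goes to the agent and the recorder, while the digits themselves are forwarded to the payment system. The same zero-out-a-span mechanism is what option 2 does by hand after the fact. The 8 kHz sample rate, the frame length, the detection thresholds and the one-second ‘call’ (a 440 Hz hum plus noise standing in for speech, with the digits 4111 keyed) are all constructed assumptions for the demo, not a description of any product.

```python
import math
import random

# Standard DTMF frequency grid (Hz) and the keypad it encodes.
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
DIGIT_FREQS = {KEYPAD[r][c]: (ROW_FREQS[r], COL_FREQS[c])
               for r in range(4) for c in range(4)}


def goertzel_power(frame, freq, fs):
    """Power of `frame` at exactly `freq` Hz (Goertzel with a real-valued bin).

    Normalised so that a pure sinusoid of amplitude A returns ~A**2/2, i.e. the
    mean-square contribution of that tone, which makes it directly comparable
    with the frame's total mean square in detect_dtmf().
    """
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2      # |X(freq)|**2
    return 2.0 * power / (n * n)


def detect_dtmf(frame, fs, min_tone_fraction=0.3, min_ratio=3.0):
    """Return the keypad digit sounding in `frame`, or None.

    A frame counts as DTMF only if one row tone and one column tone together
    carry most of the frame's energy and each clearly dominates the other three
    tones in its group; speech-like audio or silence fails these tests.
    Thresholds are assumptions tuned for the constructed signal below.
    """
    mean_square = sum(x * x for x in frame) / len(frame)
    if mean_square < 1e-6:                  # silence (or an already-masked frame)
        return None
    rows = [goertzel_power(frame, f, fs) for f in ROW_FREQS]
    cols = [goertzel_power(frame, f, fs) for f in COL_FREQS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    if (rows[r] + cols[c]) / mean_square < min_tone_fraction:
        return None
    row_rest = max(p for i, p in enumerate(rows) if i != r)
    col_rest = max(p for i, p in enumerate(cols) if i != c)
    if rows[r] < min_ratio * row_rest or cols[c] < min_ratio * col_rest:
        return None
    return KEYPAD[r][c]


def mask_dtmf(samples, fs, frame_len=200, guard_frames=1):
    """Detect DTMF frame by frame and silence every detected frame plus
    `guard_frames` neighbours on each side.

    Returns (masked_audio, digits): the masked audio is what the agent and the
    call recorder receive, the digits are what the payment system receives.
    Silence is used here; commercial systems commonly substitute a flat tone so
    the agent can still tell that keys are being pressed.
    """
    n_frames = len(samples) // frame_len     # demo lengths are a multiple of frame_len
    hits = [detect_dtmf(samples[i * frame_len:(i + 1) * frame_len], fs)
            for i in range(n_frames)]
    digits, prev = [], None
    for d in hits:                           # one digit per contiguous run of detections
        if d is not None and d != prev:
            digits.append(d)
        prev = d
    masked = list(samples)
    for i, d in enumerate(hits):
        if d is None:
            continue
        lo = max(0, i - guard_frames) * frame_len
        hi = min(n_frames, i + guard_frames + 1) * frame_len
        masked[lo:hi] = [0.0] * (hi - lo)
    return masked, "".join(digits)


def synth_call(fs=8000, digits="4111", seed=1):
    """Constructed stand-in for one second of call audio: a 440 Hz hum plus
    low-level noise in place of speech, each digit keyed for 100 ms starting
    12.5 ms after a frame boundary (deliberately unaligned), 50 ms between keys."""
    rng = random.Random(seed)
    key_at, start = [], 1700
    for d in digits:
        key_at.append((start, start + 800, DIGIT_FREQS[d]))
        start += 1200
    audio = []
    for n in range(8000):
        x = 0.15 * math.sin(2 * math.pi * 440 * n / fs) + rng.gauss(0.0, 0.02)
        for lo, hi, (fr, fc) in key_at:
            if lo <= n < hi:
                x += 0.3 * math.sin(2 * math.pi * fr * n / fs)
                x += 0.3 * math.sin(2 * math.pi * fc * n / fs)
        audio.append(x)
    return audio


if __name__ == "__main__":
    fs = 8000
    recording, keyed = mask_dtmf(synth_call(fs), fs)
    print("digits forwarded to payment system:", keyed)
    print("digits recoverable from the recording:", repr(mask_dtmf(recording, fs)[1]))
```

Two points from this toy carry over to a real deployment. The guard frames are not decoration: a key press seldom starts on a frame boundary, and a frame that is only partly tone can fall below the detection threshold while still holding an audible fragment of the digit. And the masking has to sit in the live audio path, before the recorder and the agent’s headset; a recording that is cleaned up afterwards has already stored the card data, which is exactly option 2’s weakness.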

And perhaps most importantly, customer service and trust levels are maintained or even improved. The experience of CardEasy users such as Hurtigruten confirms this.

The main benefit for us is that our customers know that their card details are safe. We don’t store their card details in any way. It’s all about giving our customers that peace of mind. As a contact center agent, if you call and make a booking with me, I don’t have access to your card details. You don’t have to worry about your card details being fraudulently used by somebody because they are never exposed. The benefit for us is the customer’s peace of mind.

Marc Bainbridge, Head of Operations, Hurtigruten

Customers prefer keypad entry to reading their card numbers out, as it feels much more secure. It also speeds up the transaction, as the payment can be taken seamlessly during the call, and there are far fewer mis-keying errors because customers enter their own card details rather than the agent doing it on their behalf. Keypad payment by phone also protects the company’s reputation and ‘de-scopes’ the call center environment, recordings included, from PCI DSS, and with it from much of the costly and time-consuming assessment burden.

De-scoping payments in this way addresses the broader consumer-trust issue as well as resolving PCI DSS compliance for your call recordings.