How does PCI DSS Affect Your Call Recordings?
Does your business or organisation take card payments over the phone and record its calls? If so, under PCI DSS regulations, you cannot store any sensitive authentication data in your call recordings. Put simply, there are four ways in which you can ensure this data is not stored:
- Switch off your call recordings. This is an impractical option and you would lose all the benefits associated with call recording such as training, customer service and compliance. It is also impossible for businesses operating in regulated financial sectors.
- Transfer the customer to an automated payment card processing solution such as an IVR. This is not a customer-friendly solution, and it also requires significant integration with back-end IT and telephony systems, which will cost time and money.
- 'Pause and Resume'. This commonly involves using a call recording system which records the entire call apart from the sensitive authentication data. This method is technically very difficult to robustly set up, and difficult to maintain during future changes in your organisation. Even Automatic Pause and Resume is not recommended by the PCI SSC.
- Filtering out the sensitive card data from the recording system, so it is never recorded. This is how CallGuard works.
Using CallGuard, you will make your existing call recording system PCI DSS compliant. A neat ‘bolt-on’ to any call recording system, it solves the headache created by the demands of making your call recordings PCI DSS compliant. In addition, CallGuard also stops agents from seeing card data, and does not require any changes to your existing payment, telephony or computer systems.
For more information on the methods for becoming PCI DSS compliant for call recordings, please see our comparison table.
Some approaches to securing call recordings are not compliant with PCI DSS.