For many businesses, recording calls is compulsory - so how do you make those recordings PCI DSS compliant?
If your business or organisation takes card payments over the phone and records its calls, then under the PCI DSS standard you must not store sensitive authentication data (for example the card security code, CVV2/CVC2) in your call recordings after authorisation, not even in encrypted form. So put simply, there are four ways in which you can ensure this data is never stored:
1. Switch off your call recordings
Without any call recordings there is nothing to leak, so there is no risk. However, this is an impractical option: you would lose all the benefits associated with call recording such as training, customer service and dispute resolution, and it is not an option at all for businesses operating in regulated financial sectors where recording is itself a requirement.
2. Transfer the customer elsewhere
You could transfer the customer to an automated payment card processing solution such as an IVR for the card details, so the agent (and the recorder) never handles them. This is not a customer-friendly solution, and it requires significant integration with back-end IT and telephony systems, which costs time and money.
3. 'Pause and Resume'
This commonly involves a call recording system that records the entire call apart from the part where the customer reads out the sensitive authentication data. Manual pause and resume depends on the agent pressing the right button at the right moment every time; a single missed pause means card security codes end up stored in the recording archive. Automated pause and resume is technically very difficult to set up robustly and difficult to maintain through future changes to your desktop applications and telephony, and even automatic pause and resume is not recommended by the PCI SSC.
4. Filtering out the sensitive data
Put simply, if the sensitive card data is filtered out before it reaches your call recording system, so that it is never recorded in the first place, your existing call recording system can be kept PCI DSS compliant without changing how calls are recorded. Note that this addresses the recordings themselves; any other system that handles the card data during the call remains in PCI DSS scope. Find out more about how CallGuard works.