PCI DSS and Your Business

What does PCI DSS mean for your business?

Does your business take card payments over the phone and record calls?

If so, you will most likely already be aware that PCI DSS prohibits storing sensitive authentication data after authorisation, in any format, and that includes your call recordings. Sensitive authentication data means the full track data from the magnetic stripe or chip, the printed card security code (commonly known as the CVC, CVV or CV2 number) and any PIN or PIN block. PCI DSS is a standard enforced contractually by the card brands and your acquiring bank rather than a law, but the consequences of breaching it are no less real.

By making your call recordings PCI DSS compliant, you protect both your contact centre and your customers against fraud - the core objective of the PCI programme.


It is important to note that if PCI DSS requirements are ignored, your acquiring bank can fine your business or organisation and ultimately withdraw its ability to take card payments, resulting in a significant loss of income.

The implications of non-compliance are far reaching. UK contact centres which breach the standard are contributing to a huge reservoir of sensitive card data. A well-documented rise in high-profile hacking incidents is creating unnecessary risk. Consumers have every right to be concerned and are increasingly demanding the reassurance of knowing that their card details are safe when making purchases over the telephone.

To prove that your call recording infrastructure is PCI DSS compliant, you can either:

Self-certify using the appropriate Self-Assessment Questionnaire (SAQ), or

Pay a QSA (Qualified Security Assessor) to audit you and produce a Report on Compliance (ROC).

If you are a Level 1 merchant, you have no choice: your organisation must undergo an annual on-site assessment, carried out by a QSA (or by a trained Internal Security Assessor where your acquirer accepts one) and documented in a Report on Compliance. Requirements for Level 2 merchants vary by card brand and acquirer, and some brands also require a QSA or ISA to be involved. Self-assessment with an SAQ is generally open only to Level 3 and 4 merchants. Your merchant level is set by your acquirer based on your annual card transaction volume. Engaging a QSA is very expensive and time-consuming.

If you are a Level 3 or 4 merchant and use CallGuard, you can take your call recordings completely out of scope, significantly reducing assessment time and cost. Any scope reduction should be confirmed with your acquirer or QSA so that it is reflected in the SAQ you complete.

If your call recording system is currently not PCI DSS compliant, find out how you can make it tick the PCI DSS compliance box.