Non-Compliant Methods

Believe it or not, there are non-compliant methods of securing cardholder data in recorded calls.

Compliance cannot be cheated

Many businesses are under pressure to achieve PCI DSS compliance and lock down risky procedures. There are many methods on the market, but fast does not always mean reliable or secure. Several methods that contact centres have historically used to remove or secure parts of a conversation are listed below. They are not PCI DSS compliant for call recording and are ultimately unreliable, leaving you exposed to the same amount of risk as before:


1. Manual Pause and Resume

Pause and resume is one of the most widely known processes: agents manually pause the recording while taking card data and re-activate it afterwards. Manual pause and resume is not compliant with PCI DSS guidelines. The PCI SSC’s March 2011 publication “Protecting Telephone-based Payment Card Data” states that card data should be removed from recordings “automatically (with no manual intervention by your staff).”

In addition to the PCI DSS stance, call centre management often does not favour this approach because:

Human error

Agents can forget to restart recording, meaning that the remainder of that call or several more calls are simply not recorded.

Intentional tampering

Agents have the opportunity to pause recordings during a part of the conversation where they do not want to be recorded.
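As an added example (not from the original page), a small audit over a constructed recorder event log, whose "time call_id event" format is assumed, that flags the two failure modes above: a pause that is never resumed, so the rest of the call goes unrecorded, and calls with more pauses or longer pauses than a single card-capture step should need. It can only surface these problems after the fact; it does not make manual pause and resume compliant.

```python
from collections import defaultdict

# Constructed sample recorder log (assumed format: "HH:MM:SS call_id EVENT").
SAMPLE_LOG = """\
10:00:00 C1 CALL_START
10:00:45 C1 PAUSE
10:01:10 C1 RESUME
10:03:00 C1 CALL_END
10:05:00 C2 CALL_START
10:05:30 C2 PAUSE
10:08:00 C2 CALL_END
10:09:00 C3 CALL_START
10:09:20 C3 PAUSE
10:09:25 C3 RESUME
10:09:30 C3 PAUSE
10:12:00 C3 RESUME
10:12:30 C3 CALL_END
"""

def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def parse_events(log):
    """Group (time_string, seconds, event) per call id, in log order."""
    calls = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            t, call_id, event = line.split()
            calls[call_id].append((t, _secs(t), event))
    return calls

def audit_pauses(log, max_pause_secs=60, max_pauses=1):
    """Return {call_id: [finding, ...]} for calls whose manual pauses look wrong."""
    findings = defaultdict(list)
    for call_id, events in parse_events(log).items():
        pause_count, paused = 0, None          # paused = (time_string, seconds) of open pause
        for t, secs, event in events:
            if event == "PAUSE":
                pause_count += 1
                paused = (t, secs)
            elif event == "RESUME" and paused is not None:
                if secs - paused[1] > max_pause_secs:
                    findings[call_id].append(f"pause at {paused[0]} lasted {secs - paused[1]}s, exceeds {max_pause_secs}s")
                paused = None
            elif event == "CALL_END" and paused is not None:   # human error: never resumed
                findings[call_id].append(f"pause at {paused[0]} never resumed; rest of call unrecorded")
        if pause_count > max_pauses:                           # possible tampering: extra pauses
            findings[call_id].append(f"{pause_count} pauses (limit {max_pauses})")
    return dict(findings)
```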

2. Encryption Only

The Payment Card Industry Security Standards Council (PCI SSC) does not approve of encryption on its own as a means of securing sensitive cardholder data in call recordings. The reason is simple: in a call centre, team leaders and supervisors, for example, are required to listen to calls as part of their job. Any call recording system which encrypts calls therefore has to be able to decrypt them for playback in the call centre environment, which exposes the recorded sensitive cardholder data.

While some forms of encryption offer a way of securing calls against external theft, encryption does not secure card data internally. The PCI SSC’s stance on this is clear:

“It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.” (Protecting Telephone-based Payment Card Data, March 2011)

3. Speech Recognition for Removal After the Recording has Been Made

The theory behind this method is that speech recognition techniques can detect card information by picking up numbers, words or common phrases used in a payment context. Then an application would remove this, along with some surrounding information, from recordings. In a general call centre context, speech recognition has certainly advanced a lot in the past few years, and it has genuinely useful applications.

The theory, however, falls down where payments are concerned. Payment information is essentially a string of spoken digits, and it is very difficult to detect and remove it without compromising other parts of the recording. A speech recognition method which leaves the 3- or 4-digit security code in place in the recording is not PCI DSS compliant.

PCI DSS Compliant Methods

To balance the picture and for comparison, the methods that are compliant with the PCI DSS requirements are listed here.