Compliance cannot be cheated
Many businesses are under pressure to achieve PCI DSS compliance and lock down risky procedures. There are many methods on the market, but fast does not always mean reliable or secure. In fact, there are several methods that contact centres have historically used to remove or secure parts of a conversation. The methods listed below are not PCI DSS compliant for call recording and are ultimately unreliable, leaving you exposed to the same amount of risk as before:
1. Manual Pause and Resume
Pause and resume is one of the most commonly known processes: agents manually pause the recording while taking card data and then re-activate it afterwards. Manual pause and resume is not compliant with PCI DSS guidelines. The PCI SSC’s March 2011 publication “Protecting Telephone-based Payment Card Data” states that card data should be removed from recordings “automatically (with no manual intervention by your staff).”
In addition to the PCI DSS stance, call centre management often does not favour this approach because:
Agents can forget to restart recording, meaning that the remainder of that call or several more calls are simply not recorded.
Agents have the opportunity to pause recordings during a part of the conversation where they do not want to be recorded.
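As an added illustration, not part of the original article: a small audit over constructed recorder event logs that flags exactly the two failure modes above, a pause never followed by a resume (the rest of the call is unrecorded) and a pause that stays open far longer than a card capture should take. The log format and the 60-second threshold are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample log, one event per line: "seconds,call_id,agent,event".
# This format is assumed for the example; real recorders differ.
SAMPLE_LOG = """\
0,call-1,agent-a,start
30,call-1,agent-a,pause
45,call-1,agent-a,resume
120,call-1,agent-a,end
0,call-2,agent-b,start
20,call-2,agent-b,pause
300,call-2,agent-b,end
0,call-3,agent-b,start
5,call-3,agent-b,pause
290,call-3,agent-b,resume
310,call-3,agent-b,end
"""

MAX_PAUSE_SECONDS = 60  # assumed: longer than reading out a card should take


def parse_events(log: str) -> List[Tuple[int, str, str, str]]:
    """Turn the constructed log text into (seconds, call_id, agent, event) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, call_id, agent, event = line.split(",")
        events.append((int(ts), call_id, agent, event))
    return events


def audit_pause_resume(log: str, max_pause: int = MAX_PAUSE_SECONDS) -> Dict[str, List[str]]:
    """Return findings per call id; calls with no findings are absent from the result."""
    findings: Dict[str, List[str]] = {}
    open_pause: Dict[str, int] = {}  # call_id -> time of a pause not yet resumed

    def flag(call_id: str, message: str) -> None:
        findings.setdefault(call_id, []).append(message)

    for ts, call_id, _agent, event in parse_events(log):
        if event == "pause":
            if call_id in open_pause:
                flag(call_id, f"duplicate pause at {ts}s")
            else:
                open_pause[call_id] = ts
        elif event == "resume":
            start = open_pause.pop(call_id, None)
            if start is None:
                flag(call_id, f"resume without pause at {ts}s")
            elif ts - start > max_pause:
                flag(call_id, f"pause of {ts - start}s exceeds {max_pause}s")
        elif event == "end":
            start = open_pause.pop(call_id, None)
            if start is not None:  # the agent forgot to resume: remainder unrecorded
                flag(call_id, f"never resumed: {ts - start}s of call unrecorded")
    return findings
```

Run against real recorder exports, the findings give supervisors a daily list of calls where the pause window hid more than the card capture or swallowed the rest of the call.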
2. Encryption Only
The Payment Card Industry Security Standards Council (PCI SSC) does not approve of encryption by itself being used as a means of securing sensitive cardholder data in call recordings. The reason for this is simple: in a call centre, team leaders and supervisors, for example, are required to listen to calls as part of their job. Any call recording system which encrypts calls therefore has to have the ability to decrypt calls for playback in the call centre environment, which exposes recorded sensitive cardholder data.
While some forms of encryption offer a way of securing calls against external theft, encryption does not secure card data internally. The PCI SSC’s stance on this is clear:
“It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.” (Protecting Telephone-based Payment Card Data, March 2011)