How to choose the right PCI compliant call recording system for your business
Your business may record customer phone calls for quality purposes; in fact, most businesses do.
If your business does record calls and accepts payments over the phone, it’s a requirement to have a PCI (“Payment Card Industry”) compliant call recording system or solution in place.
You may or may not be aware of the risks involved with taking card payments over the phone, but in 2015 Financial Fraud Action UK reported that Card Not Present ("CNP") fraud losses were at a 10-year peak, at £331.5m in 2014.
What happens if I don't secure my telephone payments?
If, for example, a business accepts telephone payments, simply ignores the stringent PCI guidelines, and then experiences a data breach or theft of cardholder data, it could incur multiple fines and may be liable for the fraud losses incurred against those cards.
Of course, the effect of non-compliance on businesses does not stop at monetary fines. Reputational damage, reduced partner and consumer confidence, and lost business are just some of the negative impacts that could follow.
Compliance with PCI DSS ("Payment Card Industry Data Security Standard") can help build user and consumer trust by demonstrating your commitment to best practice and protecting your clients' data.
So what are the options to secure your call recordings?
There are a few different PCI DSS compliant call recording systems available. Implementing the right solution is crucial for keeping your business compliant and ensuring customer data protection, as well as making sure your contact centre continues to run smoothly. When choosing, you should consider that not all are as customer friendly as others, and some are not recommended by the PCI Security Standards Council ("PCI SSC").
These are three popular solutions:
Automated 'pause and resume' technology. This solution automatically stops the call recording while sensitive data is being entered by the caller, and resumes call recording once the agent has moved on from the payment screen on their system. This solution still leaves you vulnerable to contact centre fraud: even though the data isn't captured by the call recorder, it is still exposed to the agent handling the call.
Automated 'mute and unmute' technology. In principle this is similar to the 'pause and resume' solution. With this method, the technology mutes both the agent and the caller audio within the recording while the agent is at the payment details screen during the call. The recording isn't stopped at any point but anyone listening back to the recording will not be able to hear any audio during the payment procedure. As with the 'pause and resume' technology the card data is not entirely safe as the agent still has exposure to the card data.
Telephone keypad payment or 'DTMF masking'. This is considered by far the best solution available on the market for bringing call recording into line with PCI compliance standards. With this approach the agent asks the customer to submit their sensitive card details (PAN & CV2) using their telephone keypad rather than saying them out loud to the agent. This solution uses DTMF masking or tokenisation technology so that the sensitive data is neither seen nor heard by the agent and cannot be recovered from the call recording. Keypad payment technology takes agents and call recordings out of the PCI audit scope entirely.
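As an added example (not from the original article or any vendor's product), the following Python model shows what reaches the recording and the agent under 'pause and resume' versus DTMF masking with tokenisation. The call events, the Luhn check and the HMAC-based token are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed call events: (source, kind, payload). "screen" events come from
# the agent desktop when the agent enters or leaves the payment page.
SPOKEN_CALL = [
    ("agent", "speech", "Can I take your card number please?"),
    ("agent", "screen", "enter"),
    ("caller", "speech", "4111 1111 1111 1111"),   # PAN read out loud
    ("agent", "screen", "exit"),
    ("agent", "speech", "Thank you, the payment has gone through."),
]
KEYPAD_CALL = (
    [("agent", "speech", "Please key your card number on your phone keypad.")]
    + [("caller", "dtmf", d) for d in "4111111111111111"]  # PAN keyed as DTMF
    + [("agent", "speech", "Thank you, the payment has gone through.")]
)

def luhn_ok(pan: str) -> bool:
    # Luhn check: lets the masking service know a complete, well-formed PAN was keyed
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def pause_and_resume(events):
    # Recording stops on the payment screen, but the agent still hears the PAN.
    recording, agent_hears, paused = [], [], False
    for _src, kind, payload in events:
        if kind == "screen":
            paused = payload == "enter"
        elif kind == "speech":
            agent_hears.append(payload)
            if not paused:
                recording.append(payload)
    return recording, agent_hears

def dtmf_masking(events, token_key: bytes):
    # Keypad digits become a flat tone before reaching agent or recorder; only a
    # token (an HMAC here, by assumption) and the last four digits reach the centre.
    recording, agent_hears, digits = [], [], ""
    for _src, kind, payload in events:
        if kind == "dtmf":
            digits += payload
            recording.append("<flat tone>")
            agent_hears.append("<flat tone>")
        elif kind == "speech":
            recording.append(payload)
            agent_hears.append(payload)
    token = hmac.new(token_key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    agent_screen = "*" * (len(digits) - 4) + digits[-4:]
    return recording, agent_hears, agent_screen, token, luhn_ok(digits)
```

Running both functions over the two constructed calls shows the difference in audit scope: with pause and resume the PAN is absent from the recording but present in what the agent hears, while with DTMF masking it appears in neither.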
As data protection regulations are becoming stricter on an international scale, it's really worth considering whether you should adopt a quick shortcut, with the likes of pause and resume, or entirely remove your risk with methods such as DTMF masking or audio tokenisation.
In the long run it is your business, customers, and reputation at risk, so make sure you consult all options as recommended by the PCI SSC and your own QSA.