Manual pause-and-resume of call recordings is not PCI DSS compliant

Another day, another press release from a company claiming to have made its call recording system PCI DSS compliant.

This time, it's quite a large USA company. They announce a "first ever" pause/interrupt feature for hosted predictive diallers.

It may be true that this is a new feature for hosted predictive diallers, but let's be clear about one thing:

  • Manually pausing and resuming call recording is not an acceptable method of eliminating cardholder data

There are a few issues with manual pause and resume:

  • Agents can pause recording whenever they want. This means agents can mute/pause a recording, say whatever they like to a caller, and then start the recording again. It is precisely this lack of transparency (allowing agents to say whatever they want with no effective monitoring) that call centre operators don't like.
  • Agents can forget to start the pause, which leads to sensitive cardholder data being stored in the recordings (against PCI DSS guidelines)
  • Agents can forget to stop the pause, which leads to the continued masking/blanking of an ongoing conversation, at precisely the time when transactional details are being discussed with the customer.

The solution publicised today is described as giving the agent the ability to "skip recording for 3-10 second pre-set intervals while a customer provides his payment card’s CVV". Whilst well-intentioned, there is a big problem here:

  • The "CVV" is the 3- or 4-digit security check code on your card. Whilst is is forbidden under the PCI DSS to store this code post-authorisation, it is also a requirement that the long card number (PAN) is encrypted if it's stored. No mention of that here, or on the company's website. One therefore has to assume that encryption is not in place, and therefore the recordings at not compliant with the PCI DSS.
  • Pre-set timings like this inevitably mean that cardholder data is stored on a call. Just imagine what happens if a customer is unable to enter their 16-digit PAN in 10 seconds.

So what's a better approach? Here are two:

  • Integrate your desktop payment tools to automatically pause a call at the point payment information starts being taken, to automatically resume recording afterwards. For most systems, this is the "it-should-work-ok" approach. However, it tends to be very complicated, as the tie-up between a desktop application (where the payment information goes) and the back-end phone recorder is very challenging. There is no direct 'map' between a desktop and the telephone line being recorded, and so signalling to the recorder that it's time to pause/unpause is really very tricky to do properly. Typically, this results in the recordings for line A being paused when customer B is giving card data. So recording A loses salient information for no good reason, and customer B's card data is still stored. This is not useful in any sense. (If, however, you use our call recording which records on the desktop, there is no 'mapping' required..... problem solved!)
  • Use CallGuard, which automatically 'bleeps' the credit card information as the user provides it. Whether the user is fast or slow, you don't have to worry. CallGuard ensures that as the customer types credit card information into the telephone handset, the tones produced are automatically blanked from your call recordings. If they make a mistake, no problem - they just re-enter the digits. While a fixed "3-10 second pre-set interval" will fail to block card data from recordings, CallGuard blocks it every time - both the long card number and the short check digits. Simple. And, unlike with IVRs, with CallGuard the caller and the agent continue talking with each other during the transaction. No interruptions, no transfers to a robot, no problems.

One final thing: the PCI Security Council itself does not allow manual pause and resume as a way of blocking cardholder data from call recordings. Their publication "Protecting telephone-based payment card data" (PDF file) specifically says that if you take credit card details over the phone, you need to:

  • "remove sensitive authentication data from [your] recordings, automatically (with no manual intervention by your staff)".

And with CallGuard, that's simple.

Loading Conversation

Posted by admin at 12:11 PM on Jun 12, 2017


Recent Posts

If your business is under pressure to lock down data storage, especially…


Your business may record customer phone calls for quality purposes, in-fact most…


Tokenization is taking the ecommerce industry by storm- but what is it and why…