PCI Compliance Call Recording
PCI Compliance Call Recording refers to the requirements set forth in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of strict security requirements created to protect cardholder data and prevent credit card fraud.
Companies have good reasons to record calls: dispute resolution, compliance with regulations such as GDPR, PCI DSS, HIPAA, Dodd-Frank, MiFID II or SOX, agent and sales training, and business intelligence. However, as soon as credit card payments are accepted over the phone, the question arises of how to protect customers’ card details in those recordings.
Problems with PCI DSS compliance
It should be kept in mind that none of the approaches is 100% foolproof, and with manual techniques there is a risk that human error will expose the company to a compliance breach. Even some of the automated systems can pose problems. With pause and resume, for example, you lose track of what is happening on the call while the recording is paused. This not only creates gaps if you are recording calls to monitor performance or service levels, it also creates a specific conflict with regulations for the financial services industry, such as MiFID II, which require certain categories of calls to be recorded in full for transparency purposes.
Even having the customer enter the number on the phone keypad is not completely safe. Because each key produces a distinct dial tone, a dialed number can still be recovered from the sound of the keys in the recording. Therefore, software that uses speech analytics or artificial intelligence is needed to mask or erase credit card numbers from the recording, thus complying with PCI DSS.
How to comply with PCI DSS
Here are some security features that can be used to achieve PCI DSS compliance:
- Access to recordings must be secure, that is, call recordings can only be accessed after logging in with a username and password.
- Encryption of recordings: Recordia encrypts files using military-grade 256-bit AES encryption. Therefore, the files can only be played through the Recordia web platform.
- Secure access to the web platform over HTTPS, using an SSL/TLS certificate.
- The download and export privilege can be revoked for users, so the call recording can only be played back through the web portal.
- Authentication rules for user login, such as locking the account after a specified number of failed login attempts, and password rules to ensure a minimum level of password strength.
Credit card CVV data cannot be stored
There is a misconception that it is acceptable to record credit card transactions as long as the recording is encrypted. This is incorrect. You cannot store the CVV of a credit card even if it is encrypted.
There are several methods you can use to ensure that the CVV is not stored:
- Do not record any calls that involve credit card payments. This is problematic as it loses the ability to resolve disputes and raises issues with compliance with regulations such as MiFID II.
- Have the agent stop the recording while the payment is being made. This is prone to error (the agent has to remember to stop the recording every time a payment is made) and is open to abuse by the agent: it is easy for an agent to “accidentally” fail to record a contentious call.
- Use speech analytics to identify when a payment is made. Voice recognition can never be guaranteed to be 100% accurate, and this approach depends on agents remembering to say specific phrases while taking a payment.
- Have an automated system take payment instead of an agent. It is a secure way to remain PCI DSS compliant, but requires the integration of an IVR or similar solution to capture credit card information in compliance with regulations.
PCI DSS compliance is a large and complex area and involves many factors outside of call recording. Moreover, there is no one-size-fits-all approach to following best practices when receiving payments over the phone. There are many technical solutions out there, and it really comes down to which one works best for your organization.
One of the most recommended options today is to use artificial intelligence to detect credit card information with high precision, identifying the digits from the context in which they are spoken. As artificial intelligence evolves, this approach to capturing card data is becoming the most effective and efficient.
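As an added illustration of the context-based masking described above (this is example code, not Recordia's software and not part of the original article), the script below redacts a call transcript: it finds digit runs that look like card numbers, confirms them with the Luhn check so that ordinary order or reference numbers are left untouched, masks all but the last four digits, and removes outright any digits that follow a CVV cue word, since the CVV may never be stored in any form. The cue words, the sample transcript and the keep-last-four policy are assumptions.

```python
import re

# Constructed sample transcript: a card is read out, an expiry date is given,
# the CVV is spoken, and an unrelated 14-digit order reference appears.
# The order reference must survive redaction.
SAMPLE_TRANSCRIPT = (
    "Agent: Go ahead with the card number. "
    "Customer: It's 4111 1111 1111 1111, expiry 09/27, and the security code is 737. "
    "Agent: Thanks, order reference 12345678901234 is in the confirmation email."
)

# 13 to 19 digits, optionally separated by spaces or dashes, the way
# transcribed card numbers usually appear ("4111 1111 1111 1111").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3 or 4 digit group shortly after a CVV cue word (assumed cue list).
# The trailing lookahead stops the first group of a PAN being taken for a CVV.
CVV_RE = re.compile(
    r"\b(cvv|cvc|security code)\b(\D{0,40}?)(\d{3,4})(?![ -]?\d)",
    re.IGNORECASE,
)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(match: re.Match) -> str:
    """Keep only the last four digits (assumed policy); leave non-card runs alone."""
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_valid(digits):
        return match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_transcript(text: str) -> str:
    """Remove CVVs entirely, then mask PANs. CVV goes first so that a CVV spoken
    right after a card number is never merged with it into one long digit run."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[CVV REMOVED]", text)
    return PAN_RE.sub(mask_pan, text)

if __name__ == "__main__":
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```

Real deployments work on speech-to-text output, where digits may be spelled out or mis-recognised, so a production redactor needs a normalisation step and a confidence model in front of logic like this.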
Learn more about our PCI DSS compliant call recording solution.