PCI Compliance & Call Recording - What Are My Options?

By Laura Waterton

PCI DSS compliance impacts any organization that handles card payments, including over the phone.

Instigated by leading credit card companies, the regulatory standard requires businesses to put measures in place to prevent the exposure and storage of sensitive card details.

PCI DSS is there to protect both customers and businesses from fraud and malpractice. It gives customers the confidence to buy from you, and it helps avoid the significant harm to reputation and income that a data breach can incur.

PCI compliance also has a specific bearing on businesses that record their calls - which is something that many organizations do, either because they want to or because other compliance standards require it.

If you also take card payments over the phone, then PCI guidelines stipulate that sensitive card data is neither captured nor stored by recording systems.

"In all cases where calls may be intentionally recorded, entities should ensure that sensitive authentication data is not stored after authorization."* 

So how can you record what you need to without compromising security?

Broadly speaking, there are a couple of options available to you. It’s worth considering each one before you invest in a call recording system:

1. Pause and resume recording

2. IVR payment solutions

Pause and resume

Pause and resume recording simply means the recording is stopped before the card details are read out and only resumes afterwards. This can be done manually by staff dialing a code into their keypad or clicking a button onscreen, but is actively discouraged under PCI compliance because it leaves a business wide open to human error and malpractice.  

A better option is automated pause and resume recording, where the system recognizes that a payment gateway has been opened and pauses the recording until the agent has navigated away from the payment screen. Automated pause and resume can be either app-based or browser-based.

Pros: Simple and cost-effective, especially when included with the recording solution. Allows the agent to stay on the phone with the customer. Automated pause and resume is recommended over manual methods.

Cons: Since the agent still hears the card details, a business must take additional steps to ensure full PCI compliance, such as ‘clean rooms’ (where agents can’t access pen, paper, phones, etc.).
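As an added illustration, not code from Oak or the Clarify product, here is a small Python simulation of browser-based automated pause and resume: the recorder pauses as soon as the agent's browser navigates to a URL matching the payment gateway and resumes only once the agent navigates away, so the card details spoken during that window never reach the recording. The gateway URL patterns and the call timeline are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed URL patterns standing in for a real payment gateway's pages.
PAYMENT_GATEWAY_PATTERNS = [
    re.compile(r"^https://pay\.example\.com/"),
    re.compile(r"^https://crm\.example\.com/.*/take-payment"),
]

def is_payment_page(url: str) -> bool:  # is the agent on a page where card data is taken?
    return any(p.match(url) for p in PAYMENT_GATEWAY_PATTERNS)

@dataclass
class CallRecorder:
    paused: bool = False
    segments: list = field(default_factory=list)  # speech that was actually recorded
    audit: list = field(default_factory=list)     # (time, action, url) trail for auditors

    def on_navigation(self, t: float, url: str) -> str:
        # Hook fired by the browser extension on every navigation event.
        on_gateway = is_payment_page(url)
        if on_gateway and not self.paused:    # gateway opened: stop capturing
            self.paused = True
            self.audit.append((t, "pause", url))
            return "pause"
        if not on_gateway and self.paused:    # agent left the gateway: resume
            self.paused = False
            self.audit.append((t, "resume", url))
            return "resume"
        return "none"

    def on_speech(self, t: float, text: str) -> None:
        if not self.paused:                   # audio is stored only while not paused
            self.segments.append((t, text))

def run_call(events) -> CallRecorder:  # replay ('nav', url) / ('speech', text) events
    rec = CallRecorder()
    for t, kind, payload in events:
        (rec.on_navigation if kind == "nav" else rec.on_speech)(t, payload)
    return rec

def recorded_text(rec: CallRecorder) -> str:
    return " ".join(text for _, text in rec.segments)

# Constructed call: the agent opens the gateway and the customer reads out a test card.
SAMPLE_CALL = [
    (0.0, "speech", "Hi, I'd like to renew my subscription."),
    (5.0, "nav", "https://crm.example.com/customer/42"),
    (9.0, "nav", "https://pay.example.com/checkout?ref=42"),
    (12.0, "speech", "Card number 4111 1111 1111 1111, expiry 12/29, CV2 123"),
    (20.0, "nav", "https://crm.example.com/customer/42?paid=1"),
    (22.0, "speech", "Great, that's gone through, thanks."),
]
```

The audit trail of pause/resume events is what an assessor would ask to see alongside the recordings themselves.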

IVR payment solutions

Providing the highest level of security, an IVR payment solution descopes the payment from the contact center entirely. Instead of reading their PAN or CV2 number out to an agent, the customer keys it into their phone pad. The agent’s payment screen is populated with the masked digits. The agent can stay on the phone to help the customer if needed, or the call can be redirected to an automated self-service provider.

Pros: PCI Level 1 security, the highest standard, without the need for a ‘clean room’ or additional PCI audits. The agent can stay on the phone to support the customer or, alternatively, redirect them to a self-service option to reduce the load on busy call centers. Ideal if you handle lots of payments, recurring revenue and/or large sums.

Cons: Buying an IVR payment solution is an added expense and may not be worth it if you only handle payments occasionally.

How can Oak help?

Helping our customers stay compliant is hugely important to us.  

All Clarify recording solutions, including Clarify for Microsoft Teams, offer automated pause and resume recording as an option, whether you use a payment app or URL payment gateway.

We also work with 8x8 to bring automated pause and resume to 8x8 CCaaS recording customers.  

If you don’t want to risk anything less than the highest level of security, or are keen to reduce pressure on your call center by introducing a self-service payment option, then our long-standing partners at Key IVR provide top-of-the-range IVR payment solutions. More details: keyivr@oakinnovate.com

Find out more:

https://www.oakinnovate.com/pci-compliance

sales@oakinnovate.com

* https://listings.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf pg.19