The law regarding call recording for telephone payments
Payment Card Industry Data Security Standard Specifications (PCI DSS)
PCI DSS affects any business that handles card payments. Its purpose is to minimise the risk of fraud by setting out best practice for handling card details. For instance, if your company uses call recording software, that software must also protect the recordings, and in particular the card validation codes and values, i.e. the actual payment details needed to transfer money. In other words, you cannot store this information on your system, or risk making it accessible in any way, following authorisation.
If you need advice regarding PCI Compliant Call Recording software for your business, contact us today.
There are many organisations which, for one reason or another, collect credit card numbers over the phone. These calls are often kept as protection against liability, or to train and evaluate call centre staff. To remain PCI compliant, the CV2 security number on the back of most credit cards must not be included in any audio recording or transcribed conversation.
Options to ensure non-recording of certain parts of a call
DTMF Detection – This basic method works on any system. It allows the agent to pause and resume the recording of a call by pressing a series of digits on the phone keypad. The CV2 number is therefore not recorded, yet the rest of the call remains available for playback. A built-in timeout ensures the system resumes recording if the agent forgets to do so manually.
PCI Click – Software installed on each client PC allows the user to log in and use ‘right click’ to stop and start recording of the call. This method requires a CTI connection.
PCI Web – The call recording system can be integrated with the business’s payment system at installation. This allows recording to be paused automatically, either by a change of URL (when the user moves to a different screen to input payment) or by clicking on specific fields in the payment system. A programmed trigger then resumes call recording when the user clicks on a certain field. A CTI connection is needed to ensure the correct call is paused.
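The following is an added worked model of the pause/resume logic behind the three options above; it is not code from this page or from any vendor's product. The DTMF sequences, the 30-second timeout, the payment URL prefix, the resume field name and the sample call transcript are all constructed assumptions. It shows how the DTMF and PCI Web style triggers cut the CV2 section out of what is retained, and what the timeout safety net costs when an agent forgets to resume.

```python
"""Pause/resume model for a PCI DSS call recorder (added example, assumptions throughout)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed configuration values (assumptions, not any product's settings)
PAUSE_SEQUENCE = "*1"            # DTMF digits the agent keys to pause recording
RESUME_SEQUENCE = "*2"           # DTMF digits the agent keys to resume recording
PAUSE_TIMEOUT_S = 30.0           # safety net: resume automatically after this long
PAYMENT_URL_PREFIX = "/payment"  # PCI Web style trigger: path of the payment screen
RESUME_FIELD = "card_submit"     # PCI Web style trigger: field click that resumes

Segment = Tuple[float, float]    # (start_s, end_s) of audio that is kept


@dataclass
class Recorder:
    timeout_s: float = PAUSE_TIMEOUT_S
    recording: bool = True
    seg_start: float = 0.0
    paused_at: Optional[float] = None
    dtmf_buffer: str = ""
    segments: List[Segment] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _pause(self, t: float, why: str) -> None:
        if self.recording:                       # ignore repeated pause requests
            self.segments.append((self.seg_start, t))
            self.recording, self.paused_at = False, t
            self.log.append(f"{t:6.1f}s pause ({why})")

    def _resume(self, t: float, why: str) -> None:
        if not self.recording:
            self.recording, self.seg_start, self.paused_at = True, t, None
            self.log.append(f"{t:6.1f}s resume ({why})")

    def tick(self, t: float) -> None:
        """Run on every audio frame: a forgotten resume cannot silence the rest of the call."""
        if self.paused_at is not None and t - self.paused_at >= self.timeout_s:
            self._resume(t, "timeout")

    def process(self, events: List[Tuple[float, str, Optional[str]]], frame_s: float = 1.0) -> List[Segment]:
        """Consume (time, kind, value) control events; kinds: dtmf, url, field, end."""
        clock = 0.0
        for t, kind, value in sorted(events, key=lambda e: e[0]):
            while clock < t:                     # emulate audio frames between control events
                self.tick(clock)
                clock += frame_s
            self.tick(t)
            if kind == "dtmf":
                self.dtmf_buffer = (self.dtmf_buffer + value)[-len(PAUSE_SEQUENCE):]
                if self.dtmf_buffer == PAUSE_SEQUENCE:
                    self._pause(t, "dtmf")
                    self.dtmf_buffer = ""
                elif self.dtmf_buffer == RESUME_SEQUENCE:
                    self._resume(t, "dtmf")
                    self.dtmf_buffer = ""
            elif kind == "url" and value.startswith(PAYMENT_URL_PREFIX):
                self._pause(t, f"url {value}")
            elif kind == "field" and value == RESUME_FIELD:
                self._resume(t, f"field {value}")
            elif kind == "end":
                if self.recording:
                    self.segments.append((self.seg_start, t))
                self.recording = False
                return self.segments
        raise ValueError("event stream has no 'end' event")


# Constructed sample transcript: (seconds, speaker, text)
CALL = [
    (0.0, "agent", "Thanks for calling, can I take the card number?"),
    (12.0, "caller", "(caller reads the card number)"),
    (20.0, "agent", "And the three digits on the back?"),
    (24.0, "caller", "123"),                      # the CV2: must never be retained
    (30.0, "agent", "Payment taken, your reference is XY-7."),
    (55.0, "agent", "Is there anything else I can help with?"),
]


def retained(transcript, segments: List[Segment]):
    """Keep only transcript rows whose timestamp falls inside a recorded segment."""
    return [row for row in transcript if any(a <= row[0] < b for a, b in segments)]


def run_dtmf_scenario():
    """Agent keys *1 before the CV2 and forgets *2; the timeout resumes at 51.5 + frame alignment."""
    rec = Recorder()
    segs = rec.process([(21.0, "dtmf", "*"), (21.5, "dtmf", "1"), (60.0, "end", None)])
    return segs, retained(CALL, segs)


def run_web_scenario():
    """Payment screen URL pauses; clicking the submit field resumes, so only the CV2 gap is lost."""
    rec = Recorder()
    segs = rec.process([(21.0, "url", "/payment/card"), (28.0, "field", "card_submit"), (60.0, "end", None)])
    return segs, retained(CALL, segs)


if __name__ == "__main__":
    for name, run in (("DTMF", run_dtmf_scenario), ("PCI Web", run_web_scenario)):
        segs, kept = run()
        print(name, "kept segments:", segs)
        for t, who, text in kept:
            print(f"  {t:5.1f}s {who}: {text}")
```

Running it shows the trade-off: in the DTMF scenario the timeout does guarantee the CV2 is dropped, but because the agent never resumed, the payment confirmation at 30 seconds is lost as well, whereas the PCI Web triggers lose only the seconds between the payment screen opening and the submit click. In a real deployment the frame ticks come from the audio path and the CTI link identifies which call to pause; both are simulated here.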
For further in-depth information regarding this, please read the various resources issued by the PCI Security Standards Council.
If your business needs PCI Compliant Call Recording contact us today!
The PCI DSS website states:
“It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted.
It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CVV2, CID codes if that data can be queried… Where technology exists to help prevent the recording of these data elements, such technology should be enabled.”
For any company required to record calls, as well as taking payments over the phone, this is a major compliance issue. Therefore, any call recording software must offer features that allow authorised users to hide or omit certain parts of the calls.
Want to take advantage of our free offer to review your IT security?
Click here to book your free cyber security health check.