PCI-DSS Call Recording Requirements
Often, organisations will also use these calls for additional reasons, such as staff training and monitoring or customer service and complaints reviews.
However, when taking card payments from a customer over the phone, there are several challenges the company must consider in handling the data appropriately whilst recording the call.
What are the PCI-DSS call recording requirements?
For merchants that take product or service orders over the phone, it’s important to comply with PCI-DSS call recording requirements.
When a customer reads out their card details to your customer service agent, sensitive cardholder information, including the PAN and CV2 numbers, is captured in the audio. Retaining this information in a call recording would put your company in breach of PCI-DSS requirements, so it’s important to dispose of it appropriately to remain compliant.
What are the best methods when call recording for PCI-DSS compliance?
If your business needs to employ call recording whilst remaining PCI-DSS compliant, there are a few methods you could use.
Tagging and masking
This method is fairly straightforward. Your customer service team will need to record all calls as usual, including when taking customer payments. However, immediately after taking payment on a call, you will need to ‘tag’ the call as such, so that you can go back into the recording afterward and conceal, or ‘mask’ the card information.
One of the most effective ways to mask the cardholder data in the recording is to overlay the audio with white noise so the information cannot be heard. Although proven to work, this is a somewhat time-consuming technique that needs to be done with care, as any human error or negligence could still leave you vulnerable to a breach.
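The masking step described above, as an added example that is not part of the original article: it overwrites a tagged time range of a recording with white noise instead of mixing noise on top, so the spoken digits no longer exist in the file. It assumes recordings are uncompressed 16-bit PCM WAV and that the tag is a start and end time in seconds; the function names and the tone used as sample input are constructed for illustration.

```python
import io
import math
import random
import struct
import wave

RATE = 8000  # telephony sample rate used for the constructed sample below


def read_pcm(wav_bytes):
    """Return (params, raw frame bytes) for an uncompressed 16-bit PCM WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as src:
        params = src.getparams()
        if params.sampwidth != 2 or params.comptype != "NONE":
            raise ValueError("expected uncompressed 16-bit PCM")
        return params, src.readframes(params.nframes)


def mask_segment(wav_bytes, start_s, end_s):
    """Replace the tagged range [start_s, end_s) with white noise."""
    if not 0 <= start_s < end_s:
        raise ValueError("invalid tag range")
    params, raw = read_pcm(wav_bytes)
    frames = bytearray(raw)
    frame_size = params.sampwidth * params.nchannels
    # Round outwards so a tag that falls mid-frame never leaves audio exposed.
    first = min(math.floor(start_s * params.framerate), params.nframes)
    last = min(math.ceil(end_s * params.framerate), params.nframes)
    count = (last - first) * params.nchannels
    noise = struct.pack("<%dh" % count,
                        *(random.randint(-8000, 8000) for _ in range(count)))
    # Overwrite rather than mix: the original samples no longer exist in the file.
    frames[first * frame_size:last * frame_size] = noise
    out = io.BytesIO()
    with wave.open(out, "wb") as dst:
        dst.setparams(params)
        dst.writeframes(bytes(frames))
    return out.getvalue()


def make_tone(seconds, freq=440.0):
    """Constructed sample input: a mono sine tone standing in for a recording."""
    n = int(seconds * RATE)
    samples = (int(12000 * math.sin(2 * math.pi * freq * i / RATE)) for i in range(n))
    out = io.BytesIO()
    with wave.open(out, "wb") as dst:
        dst.setnchannels(1)
        dst.setsampwidth(2)
        dst.setframerate(RATE)
        dst.writeframes(struct.pack("<%dh" % n, *samples))
    return out.getvalue()
```

The masked copy only helps if it replaces the original recording; any unmasked copy left in storage or backups still contains the card data.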
Pause and resume
By using the ‘pause and resume’ approach, your team can record the call without capturing any cardholder data in the audio whatsoever. When taking the call, the agent will pause the recording whilst the customer gives their card details. Once the payment has gone through, the recording can continue.
As this is a manual process, the risk of a breach through human error or negligence is still present. However, it is possible to automate the process, which may reduce this risk. Additionally, with the audio missing, it would be hard to pinpoint what happened if something did go wrong.
De-scoping your call center and call recordings
De-scoping may be one of the most effective ways of keeping card data out of the recording whilst still recording the call. This involves customers keying their card numbers directly using their telephone keypad, instead of reading them out. The sound of the keypad tones is often already masked, meaning that the agent will not hear or have direct access to the cardholder data, rendering it completely unidentifiable.
Avoid recording calls
If your business is able, the easiest option is to not record calls at all. This is particularly effective if your customer service team operates in a ‘clean room’ environment – this means somewhere where there’s no possible way for the agents to obtain the cardholder information themselves.
Although this method will help you avoid a breach, the downside is that you wouldn’t have the advantage of being able to review staff training and the complaints service. ‘Clean room’ environments are also less common with the advent of home working. Additionally, this option is only available if you’re in an industry where call recording isn’t a regulatory requirement.
Monitor your PCI-DSS call recording policies with Hicomply
Staying on top of your PCI-DSS call recording policies can seem overwhelming – especially if phone calls are used frequently for transactions. This is why Hicomply offers a full-service ISMS platform to help you keep track of all the information you need. Our easy-access dashboard reduces the need for mundane, time-consuming tasks – giving you compliance as you work. Contact us today for more information.