Is Your Call Recorder PCI Compliant?

In last week’s post, we discussed how software-defined wide-area networks (SD-WANs) can boost compliance with the Payment Card Industry Data Security Standard (PCI DSS). However, it is important to note that these regulations aren’t limited to data network security. Any organization that takes card payments over the phone must also comply with PCI DSS.

This often creates a difficult paradox. Many industries require recording of all customer phone contacts to meet legal, regulatory and operational requirements. For example, financial services organizations are required to record all phone-based customer transactions to manage risk and liability. Call centers across all market segments require call recording for quality control, dispute management and agent training.

But without proper precautions, such recordings can be in direct violation of PCI DSS requirements.

Due to the risk of theft by hackers or unscrupulous contact center agents, a 2010 PCI DSS update placed strict stipulations on how card information must be handled after a transaction has been authorized. A cardholder’s full primary account number cannot be stored without encryption, and the three-digit or four-digit card verification (CV) code printed on the card cannot be recorded at all.

When these regulations were announced in March 2011, it was a fairly straightforward process to begin encrypting stored recordings to ensure that primary account numbers could not be compromised. Blocking the recording of CV codes was a much trickier problem.

In the immediate aftermath of the new regulation, most organizations implemented manual processes to block CV code recording. This typically involved having agents physically pause and unpause recorders when card details were being given. There were obvious drawbacks. When agents forgot to hit the pause button, codes were recorded anyway. Even when recordings were paused, codes were exposed to the agents.

Another early manual solution was to go back through recordings and apply a filter that muted or masked the audio when a CV code was read. This obviously created a huge administrative burden, and still left codes exposed to agents.

Now that we are a few years down the road with these regulations, the market has addressed the shortcomings of manual processes with a variety of automated solutions that can help bring call recorders into compliance.

Automated “pause and resume” software automatically stops and starts the recording based on what screen is being used by the agent. Automated “mute and unmute” technology mutes both the agent and the caller audio within the recorder while the agent is in the payment details screen. The recording isn’t stopped but, importantly, nothing is recorded, so on subsequent playback, only silence or an audible tone is heard.

Another approach is the use of application programming interfaces (APIs) to create “pause and resume” capabilities from a third-party application. In some cases, the API is configured to stop recording when a cursor is placed over the CV code entry field. Recording begins again when the agent hits the “enter” button or mouses away from the field.
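To make the two automated approaches above concrete, here is a small simulation of a recorder session that is driven by screen and field events, added here as an illustration and not code from any recording vendor or from the original post. It models "mute and unmute": the recording never stops, but while the agent is on the payment screen (or has the cursor in a card field) both the agent and caller legs are replaced with silence before anything is persisted, and every mute transition is written to an audit trail. The screen and field names (`payment_details`, `cv_code`, `card_number`) and the call and audio samples are constructed for the example; the `on_screen_change`, `on_field_focus` and `on_field_blur` hooks stand in for whatever trigger a real desktop integration would expose.

```python
"""Simulated call recorder with screen- and field-driven mute/unmute.

Added example, not the post's or any vendor's code. Recording continues
throughout the call; while a protected screen or field is active the
stored audio for both legs is silence, so playback yields nothing usable.
"""
from dataclasses import dataclass, field

SILENCE = b"\x00"  # placeholder for one silent audio sample (constructed)

# Hypothetical identifiers for the agent desktop; a real integration maps
# its own screen/field names here.
PROTECTED_SCREENS = {"payment_details"}
PROTECTED_FIELDS = {"card_number", "cv_code"}


@dataclass
class RecorderSession:
    call_id: str
    stored: list = field(default_factory=list)  # frames the recorder persists
    events: list = field(default_factory=list)  # audit log of mute transitions
    muted: bool = False
    _frame_no: int = 0

    def on_screen_change(self, screen: str) -> None:
        # Screen-based trigger: mute on entry to the payment screen, unmute on exit.
        self._set_muted(screen in PROTECTED_SCREENS, f"screen={screen}")

    def on_field_focus(self, field_name: str) -> None:
        # API-style trigger: cursor enters a card field.
        if field_name in PROTECTED_FIELDS:
            self._set_muted(True, f"focus={field_name}")

    def on_field_blur(self, field_name: str, current_screen: str) -> None:
        # Leaving a field resumes audio only if the screen itself is not
        # protected; a stray blur event must not expose the rest of the screen.
        if field_name in PROTECTED_FIELDS and current_screen not in PROTECTED_SCREENS:
            self._set_muted(False, f"blur={field_name}")

    def _set_muted(self, muted: bool, reason: str) -> None:
        if muted != self.muted:
            self.muted = muted
            self.events.append((self._frame_no, "mute" if muted else "unmute", reason))

    def ingest(self, agent_frame: bytes, caller_frame: bytes) -> None:
        # The recorder keeps running; while muted both legs are replaced
        # with silence of the same length before storage, so timing is kept
        # but no card data ever reaches disk.
        self._frame_no += 1
        if self.muted:
            self.stored.append((SILENCE * len(agent_frame), SILENCE * len(caller_frame)))
        else:
            self.stored.append((agent_frame, caller_frame))


def sensitive_bytes_leaked(session: RecorderSession, needles: list) -> list:
    """Post-call check: which of the given byte strings appear in stored audio."""
    blob = b"".join(a + c for a, c in session.stored)
    return [n for n in needles if n in blob]


def simulate_call() -> RecorderSession:
    """Constructed call: four audio frames, two of them during card entry."""
    s = RecorderSession("call-0001")
    s.on_screen_change("order_summary")
    s.ingest(b"agent: may I have your card", b"caller: sure")
    s.on_screen_change("payment_details")
    s.ingest(b"agent: card number please", b"caller: 4111 ...")  # constructed, must not be stored
    s.on_field_focus("cv_code")
    s.ingest(b"agent: and the code", b"caller: 123")  # constructed CV code
    s.on_field_blur("cv_code", "payment_details")  # still on the payment screen: stay muted
    s.on_screen_change("confirmation")
    s.ingest(b"agent: thank you", b"caller: bye")
    return s


if __name__ == "__main__":
    session = simulate_call()
    print("frames stored:", len(session.stored))
    print("mute events:", session.events)
    print("leaked:", sensitive_bytes_leaked(session, [b"4111", b"123"]))
```

The two design points worth noting are the blur handler, which refuses to resume while the payment screen is still active so that a lost or out-of-order event fails closed, and the `sensitive_bytes_leaked` check, which is the kind of post-call verification a compliance team can run against recordings to confirm the triggers actually fired.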

Keypad payment is emerging as perhaps the most effective method. With these solutions, the sensitive information is keyed in on a telephone keypad. Because there is no audible expression, there is nothing to record. Additionally, it ensures that no sensitive information is exposed to the agent.

None of these solutions is foolproof, but they help create layers of security. They should be used in conjunction with a variety of other measures for limiting access to sensitive data, including the use of role-based permissions to limit system access to authorized users and strong physical security measures to restrict access to key areas.