When PCI Compliance for call recording sends you running for cover - BSL Group

When PCI Compliance for call recording sends you running for cover

5 min read
Author Business Systems UK
Date August 18, 2015
Category Call Recording Compliance
Share

We’re all aware of the hot potato that is PCI DSS Compliance. PCI guidelines are in a constant state of flux, with Version 3.1 being the latest iteration of the PCI standard.
With the emphasis on PCI and data security becoming more of an organisational mind-set and with Version 3.1 attempting to make payment security part of the ‘business as usual’ process, now may be the perfect time to re-assess and de-risk your ‘PCI Compliant lifestyle’.

Recap – which PCI requirements are of the greatest relevance?

1. Protecting stored cardholder data
2. Encrypting transmission of cardholder data across open, public networks
3. Maintaining a policy that addresses information security

According to recent statistics in order to adhere to PCI requirements, in 2014 a staggering 59% of UK contact centre operations were using pause and resume technology (the recording stops when the card payment is taking place) thanks to it being a relatively inexpensive option*. With stricter regulations surrounding PCI Compliance and a growing focus upon wider data security, organisations are now looking for alternative ways to de-scope their contact centres even further. The actuality of being PCI compliant now means more than just simply keeping your call recording compliant.

So what are some of the available options?

DTMF Suppression

Simply put, DTMF suppression works its wonders by capturing the DTMF tones and altering them in a way that the cardholder details are not identifiable by the agent, the recording environment or any unauthorised person who may be listening in. The customer is able to input their card details using their telephone keypad, with DTMF tones being altered so they no longer represent the ‘long card number’.

Cloud/Hosted Provision

Another option which completely de-scopes the entire contact centre environment from PCI Compliance is using a hosted or cloud-based solution to capture card data at network level. This means cardholder data is not passed through the contact centre environment de-risking the entire process completely. Cloud-based solution providers often have a dedicated security team whose purpose is to run tests on a recurrent basis than is actually required by PCI DSS, making sure the responsibility to stay compliant on both sides is fully understood.

Being PCI Compliant does not mean things have to be complex, costly or negatively impactful for your organisation. On the contrary, organisations could be utilising their technology to improve security and personal customer data as an attractive selling point for customers providing them a much sought after competitive edge.

For a fuller understanding of each PCI approach and the options available to you – check out our Best Practice guide on ‘How to ensure PCI DSS Compliance’. For more information on how to stay compliant talk to our team – we’d be more than happy to help.

*‘The Inner Circle Guide to PCI DSS Compliance in the Contact Centre’ Contact Babel 2015.