Contact Us
General Enquiries Tel: 020 8326 8326
Need Support? Tel: 020 8326 8300
red box logo
NICE fully colourised logo
NICE in contact fully colourised logo
Verint fully colourised logo
Microsoft fully colourised logo
Call Quality Monitoring Systems

Four common mistakes in call recording for PCI Compliance

4 min read
Author Atiq Rehman
Date Jul 17, 2013
Category Compliance

Following my previous blog on PCI DSS Compliance, I had some push-back on my claim that confusion persists in UK organisations regarding call recording for PCI compliance. So it’s only fair and reasonable that I should justify my observations and explain precisely why I believe that some organisations still aren’t getting it.

Business Systems specialises in call recording technology implementations and with 25 years’ experience as an independent provider we have pretty much designed, installed and provided on-going service delivery and support for most solutions. In our work in the industry, we have had a steady stream of engagements where clients have mistakenly believed that their call recording solutions met their PCI obligations.

The four most common mistakes we see are:

Access to our recorder is password protected: while this may be good systems management practice, it is not PCI Data Security Standards compliant. It still does not satisfy Requirement 3.2 which stipulates that no personal identification information should be captured or retained.

Our recordings are encrypted: while this was initially viewed as being OK, there has been further clarification on encryption which rules it out: “Sensitive Authentication Data cannot be stored whether encrypted or not”.

We use audio masking to obscure the sensitive data: while this approach (it’s a bit like a TV Bleep machine) may seem reasonable, it is not PCI DSS compliant as the sensitive authentication data is still being retained.

At collection our agents pause & resume the recording: again this fails to meet requirements and has been the subject of an explicit clarification. Sensitive authentication data must be removed from recordings… “with no manual intervention by your staff”. The fact that the pause has to be initiated manually by the agent means that it is liable to human error as the agent may simply forget to pause the recording.

If you want to find out more on how Business Systems can help you ensure compliance, feel free to contact us: 0800 458 2988, [email protected].