PCI compliant call recording in light of the upcoming GDPR

With the GDPR quickly approaching, it is important that all businesses assess whether they are compliant with the new regulations.

From 25th May 2018 all businesses must change the way that they store customers’ personal data and the way in which it is processed. Companies that work with customer data regularly must ensure they are meeting the new requirements in all aspects of their business activities, particularly call recording.

Call recording and PCI compliance

For businesses that record their calls, data protection will always be at the core of the legislation they must adhere to. Specifically, where businesses take card payments over the phone they must ensure that they are meeting the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.

PCI DSS was created in 2004 to prevent credit card fraud, with the most recent update in 2016. The standard puts the responsibility for avoiding fraud onto the merchant, so it is essential that businesses keep to its requirements.

To carry out a fraudulent transaction the perpetrator must have both the card number and the CV2 number, along with key information such as the cardholder’s name and full address. Because of this, the standard advises that CV2 numbers are never stored in call recordings.

For businesses that take payments over the phone this has proved a difficult task, especially as call recording often helps companies to improve efficiency and time management. Some of the most common solutions we have enabled our clients to implement include:

  1. Pause and resume the recording

To prevent the CV2 number from being stored in the call recording, the agent can simply pause the recording while the customer reads out their card details. Once the details have been supplied the recording is resumed.

  2. Muting or masking the CV2 number

The CV2 number is removed from the recording either by muting that part of the audio or by masking it with a filter. This was previously a difficult task, but software now exists that applies the filter automatically at the correct point in the data collection.

  3. Keypad payments

Instead of giving the card details verbally, the customer enters them on the telephone keypad, so there is no need to pause the recording at any point. Because the agent never hears the card details, this adds a further layer of compliance.

Potential issues with PCI DSS compliance

Even though businesses are taking the right steps towards PCI DSS compliance in their call recording, none of the above solutions is 100% foolproof. As with any manual activity there is always the risk of human error which, should it occur, could result in a breach of PCI DSS requirements.

In particular, where the call is still being recorded there is the risk that the agent fails to pause and resume the recording at the right moments, so card details end up stored. There may also be issues with FDA compliance, as they require call recordings to be provided for transparency.

Ensure your call recordings are PCI compliant

Our team are helping businesses to ensure that their processes, specifically call recording and data collection, meet the new requirements laid out by the GDPR.

If you feel your business needs assistance or guidance on the new regulations, reach out to us and one of our experts will be on hand to help.