Call Recording, PCI DSS & the Pitfalls

Many organisations that use voice recordings within their contact centre do so because it is required for business reasons, such as agent training or confirmation of verbal contractual agreements that are carried out over the telephone channel when selling services.

Depending upon the transaction type, regulatory requirements to keep any recordings (for varying periods of time) for playback apply. For businesses, particularly in the financial services and retail sectors, further requirements apply due to the fact that when purchase transactions are completed over the telephone using payment cards, certain data needs to be protected.

For organisations that are required to record telephone conversations and also take payment card details over the phone the recording and storage of this data can become a PCI compliance issue.

Typically the call recording captures the whole conversation, including the Primary Account Number (PAN) and the three or four digit security code (CAV2, CVC2, CVV2 or CID). In addition to the considerations around the call recordings themselves, enhanced processes and procedures are required for all of the other stages involved in and around the initial call.

There are many things to consider when recording a call containing cardholder data. It is vital to determine quickly what data needs to be protected, for how long, and what analytical tooling is in place within your business; the appropriate management and protection of this information is paramount. It is worth noting that some of the largest fraudulent activities originate from within the organisation, so it is imperative to look at voice recording from both a technology and a user process perspective, as the two go hand in hand.

Some things to consider

  1. Is a formal Security Awareness Training programme in place and being maintained?
  2. Have you developed and implemented a set of PCI DSS compliant Policies?
  3. Are the call recordings stored securely?
  4. Is your network securely maintained and protected against attack?
  5. Do you maintain and secure a detailed set of auditable logs?

Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

What this means:

Essentially, the Card Verification Value (CVV) must not be retained post authorisation. Where, as a last resort, a CVV is retained, it must be held subject to additional security controls that meet the intent of the Standard, and always via a compensating control.

Before any such compensating control can be implemented it must be verified by a Qualified Security Assessor (QSA); approval for the compensating control must then be obtained from the acquiring bank.
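As an added illustration (not part of the original article, and not Sysnet's tooling), the following Python script shows the kind of discovery check an assessor or the call-recording team might run over text transcripts of stored recordings. It finds Luhn-valid PANs, masks them to the first six and last four digits (the most PCI DSS permits to be displayed), and flags any 3 or 4 digit group spoken shortly after a CVV-style prompt, since that is exactly the data that must not survive authorisation. The sample transcript, the keyword list and the masking format are assumptions made for this example; the card number used is a widely published test number, not real cardholder data.

```python
import re

# Constructed sample transcript (not real card data). 4111 1111 1111 1111 is a
# widely published Visa test number that passes the Luhn check; the order
# reference at the end is also 16 digits but fails Luhn, so it must not be flagged.
SAMPLE_TRANSCRIPT = "\n".join([
    "Agent: can I take the long number on the front of the card please?",
    "Caller: yes, it's 4111 1111 1111 1111",
    "Agent: and the three digit security code on the back?",
    "Caller: 123",
    "Agent: thank you, your order reference is 2023 0917 0042 1188",
])

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3 or 4 digit group within 40 non-digit characters after a CVV-style keyword
# (keyword list is an assumption; extend it to match your scripts and prompts).
CVV_RE = re.compile(
    r"(?i)\b(?:cvv2?|cvc2?|cav2|cid|security code)\b\D{0,40}?\b(\d{3,4})\b"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in text, with separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_cvv_candidates(text: str) -> list:
    """Return 3 or 4 digit groups spoken shortly after a security-code prompt."""
    return [m.group(1) for m in CVV_RE.finditer(text)]


def redact_transcript(text: str) -> str:
    """Replace Luhn-valid PANs with their masked form and CVV candidates with a marker."""
    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    def _cvv(m):
        # keep the prompt text, drop only the digits
        return m.group(0)[: m.start(1) - m.start(0)] + "[CVV REMOVED]"

    # PANs first, so the CVV pass never sees raw card digits
    return CVV_RE.sub(_cvv, PAN_RE.sub(_pan, text))


def scan_transcript(text: str) -> dict:
    """Summarise what a stored transcript would expose if retained as-is."""
    pans = find_pans(text)
    cvvs = find_cvv_candidates(text)
    return {
        "pans_found": [mask_pan(p) for p in pans],
        "cvv_candidates": len(cvvs),
        "in_scope": bool(pans),        # recording holds PAN: PCI DSS storage rules apply
        "cvv_retained": bool(cvvs),    # must be prevented or removed post-authorisation
        "redacted": redact_transcript(text),
    }


if __name__ == "__main__":
    result = scan_transcript(SAMPLE_TRANSCRIPT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The Luhn filter discards roughly nine in ten random 16-digit sequences (the order reference above is one), so a hit still warrants a human look rather than automatic deletion. Transcript scanning only helps where speech-to-text output or call metadata exists; for audio-only archives the recording-suppression technology mentioned above (pausing the recorder or masking DTMF tones while the card details are given) is the control, and a check like this one, run over whatever text is available, is a way of confirming that the suppression is actually working rather than assuming it is.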

How can Sysnet help you?

Sysnet Global Solutions is a QSA providing a range of services and solutions that enable organisations to become and remain compliant with the Standard. We have developed tailored packages to address the specific needs of organisations that must comply with the requirements discussed in this document.

For further information on our PCI DSS compliance services for Call Recording, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

Alternatively, a full list of contact details for our worldwide offices and Business Development Managers is available on our website.
