One of the current problems for call centers is balancing between providing excellent customer service and complying with tight security rules that maintain client trust. When customer service agents accept payments, your company must follow the Payment Card Industry Data Security Standard (PCI DSS).
Technologies such as chip, PIN, and 3D Secure have significantly reduced in-person and e-commerce credit card fraud, hence the shift to fraud involving phone-based payments. Call recording and PCI DSS compliance, on the other hand, remain a source of misunderstanding.
A call center needs to record calls for purposes such as dispute resolution or agent training. But if you’re taking credit card payments over the phone, how should you protect your customer’s credit card data?
There are a few things to keep in mind when it comes to storing credit card information with call recording. To perpetuate card fraud, criminals need both the card number and the CVV security number and identifying information like name and address. For this reason, PCI DSS has required businesses to take the necessary measures to ensure that three-digit CVV security numbers are not recorded or defined in the records.
How to Prevent CVV Security Numbers from being in Call Records?
Since the rules for CVV registration have been explained, call recording platforms have offered several different ways to exclude numbers from recordings.
Pause and resume method
Previously, the only way businesses could block the recording of CVV numbers was when call recorders had to manually pause the recording and then unpause when card details were given. However, many platforms now use various technologies to automatically pause recording by retrieving information from the agent or customer before CVV numbers are read.
Mute or mask method
The “mute or mask” method, which is also a manual solution used in the past, is a method that applies a filter that mutes or masks the sound when a CVV number is read. However, this manual method creates a huge administrative burden. This manual procedure, on the other hand, imposes a high administrative cost. Various software has been developed to tackle the problem that automatically applies the filter during recording utilizing the same coding technology as pause and resume.
Keypad payment method
Another solution that has emerged is not to read the card information on the phone but instead enter it from a phone keypad. A PCI-compliant keypad solution eliminates the problem of saving card details entirely and adds another layer of compatibility in principle, as the agent never hears the card details.
What Are the PCI Compliance Issues Related to Call Records?
None of the approaches outlined above is 100 percent foolproof and does not provide complete protection because manual techniques do not avoid the risk of human error that exposes you to a breach.
Non-PCI compliant keypad number entry is also not completely secure. Because of the dial tones generated by the phone keys, it is still possible to obtain a CVV number from the key input. This is why newer software uses DTMF suppression technology to mask these tones.
What is the Relationship Between Call Records and Cardholder Data?
Contact centers are often subject to many industry and government regulations regarding the way they manage call records. Many firms, for example, may keep complete call logs for regulatory or compliance considerations, depending on the industry.
If the organization also receives payments over the phone, it may pose issues for PCI DSS compliance, which requires it to exclude cardholder data (CHD) from call records.
PCI DSS specifies that organizations that need to log calls should implement appropriate processes and technologies to secure all account data received verbally by call agents and systems during the transaction and remove all sensitive authentication data upon completion of the transaction.
It should be examined how different technology deployments affect the data captured in call and screen recordings when capturing or storing sensitive authentication data records. Next, the controls needed to protect cardholder data and remove sensitive authentication data should be identified.
The following situations may be of interest to PCI DSS in call records:
- Records will capture cardholder data and sensitive authentication data if spoken by the cardholder or received via DTMF tones and in the clear text where the entire conversation is recorded.
- Records do not capture cardholder data and sensitive authentication data if DTMF masking or suppression is applied before data reaches the registry systems.
- Depending on the pause and resume correctness, the records may capture cardholder data and sensitive authentication data if pause and resume are used.
- Organizations using pause and resume call recording solutions can cause many unexpected headaches when scoping contact centers for PCI DSS compliance.
Is it enough to stop the storing of CVV numbers?
While CVV numbers inevitably get the most attention regarding call recording, PCI requirements go much further and cover how an organization generally handles sensitive card data.
Besides call recording, businesses must ensure that all personal financial details in the company system are adequately protected.
It’s a prevalent misperception that recording credit card transactions are OK, provided the data is encrypted. This is the wrong technique because even if CVV data is encrypted, it cannot be stored.
Here are a few ways to ensure that no CVV is recorded in your call logs:
- Do not record calls involving credit card payments.
- Have the agent stop recording while the payment is being made. This approach, however, is prone to delegate error and misuse.
- Use speech recognition to identify when a payment has been made.
- Have the payment made by an automated system instead of an agent. The only safe way to remain PCI compliant is for payment to be received by a computerized system. This has excellent additional benefits, such as significantly reducing the opportunity for fraud, and has the advantage of reducing PCI DSS scope if the solution also supports tokenization.
What are the Shortcomings of Pause and Resume Call Recording Methods?
PCI recognizes that the accuracy of the pause and resume methods may vary and may result in sensitive authentication data being passed into call logs. However, if you choose to use this approach, there are additional controls you must apply.
Manual Pause and Resume
Because the manual pause and resume method rely on call center agents manually stopping the recording at the action point and then restarting the recording after the action is complete, there is a risk that the agent forgets to pause the recording at the right time.
Manual processes are problematic because sensitive authentication data can be accidentally saved if the agent forgets to pause before the process starts. On the other hand, if the agent pauses the recording at the right time but forgets to restart it, the remainder of the call will not be recorded. It will potentially violate industry or regional regulations.
Manual pause and resume practices require continuous monitoring and verification that all agents follow manual processes for each transaction to mitigate these issues.
Suppose you use the manual pause and resume method, in addition to monitoring agent processes. In that situation, you’ll need to make sure the call recorder and call storage don’t contain any sensitive authentication data or cardholder data frequently.
Auto Pause and Resume
Automatic pause and resume systems typically integrate with the desktop application used in an agent’s transaction process. Pausing the call can be triggered when the agent initiates the payment process within the app, and the recording can be restarted after the process is complete.
While this method relieves the agent of remembering to start and stop the registration at the appropriate times, the solution’s efficacy is mainly dependent on the payment application’s integration and the agent’s ability to do the proper steps at the correct times. Furthermore, if the agent can find a means to bypass the integrated process, this approach may become ineffective.
Suppose technology solutions such as pause and resume or stop-start cannot prevent audio or video from being stored. In that case, sensitive authentication data (SAD) must be deleted from the recording as soon as action is taken. It may be unreasonable, if not impossible, for many firms to ensure that critical authentication data is quickly removed once the transaction is completed.
How to Reduce PCI Scope with Pause-Resume Method?
When looking at the call center as a whole, cardholder data might affect a lot more than call recording. For example, suppose the customer verbally provides card information. In that case, the agents themselves, the agent’s computer, the physical environment around the agent, and even CCTV systems that can unintentionally capture audio or video of sensitive authentication data will fall under PCI DSS.
Pause and resume solutions exclude call recording for PCI DSS compliance only but leave everything else in scope. Other solutions must be implemented to reduce the PCI scope further.
PCI recommends avoiding solutions that leave agent environments covered unless there is an unavoidable business need. Therefore, pause and resume solutions that protect most of the agent environment are not viable for large organizations. For enterprise-level organizations, the optimal strategy should be to use a DTMF masking solution for voice payments to exclude the agent and their environment.
DTMF masking reduces the need for extra and restrictive controls with pause and resume. PCI indicates that DTMF masking is one of the technologies that can reduce the risk to account data in the environment and can be used as a method to reduce the scope of PCI DSS.
Payment and PCI compliance is a large and complex field and includes many factors beyond the call log. However, when it comes to establishing best practices for receiving payments over the phone, there is no “one size fits all” solution.