The Tricky Business of Meeting PCI DSS Requirements While Recording Calls
Security and privacy compliance mandates and regulatory requirements can pose a challenge for any market sector. The call center industry is especially exposed, however, and needs to tread carefully in every aspect of its operations. Call recording is of course a major part of call center operations and an important tool for monitoring service levels, supervision and training. But call recording layers additional factors onto an already complicated compliance challenge, making it critical that call centers stay on top of compliance requirements.
Payment Card Industry (PCI) standards are perhaps some of the trickiest to navigate when it comes to call recording and call centers. Most payment card companies follow the PCI Data Security Standard (DSS), established in 2006 to provide rules and guidance for merchants and service providers that accept credit and debit card payments. PCI DSS is meant to protect consumers from malicious behavior and misuse of their personal and credit card information, but when call recording is factored in, things get murky.
According to PCI DSS best practices, no cardholder data, including name, expiration date, etc., may be stored in any form unless it is required for a business transaction. Since that data may sit in digital, audio and video formats, sometimes encrypted and sometimes not, masking or removing it isn’t so simple. Yet call recording systems are expected to mask and encrypt all such information appropriately, regardless of format, which can be a tall order.
Additionally, call centers are required to enforce authentication codes for employees and agents who have access to this data and ensure processes are being routinely followed. Call centers also need to ensure employees aren’t writing down sensitive data in unauthorized places like a notepad or a random desktop app, to be transferred to the appropriate application at a later time.
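The two points above, masking card data wherever it lands and catching agents who park it in a notepad or scratch file, both come down to finding card numbers in free text. The following Python is an added example, not code from the article or from any call recording vendor: it scans text (a constructed speech-to-text transcript and a constructed agent note, neither a real recording) for candidate card numbers, keeps only those that pass the Luhn checksum so that order and ticket numbers are left alone, masks matches down to the last four digits (within the PCI DSS display limit), drops card verification values entirely, and blanks expiration dates. The regular expressions, sample lines and function names are all assumptions made for the example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification values next to a label. These are sensitive authentication
# data and must never be retained after authorization, so they are removed entirely.
CVV_RE = re.compile(r"(?i)\b(cvv2|cvv|cvc|security code)\b[:\s]*\d{3,4}\b")
# Expiration dates as MM/YY or MM/YYYY. Any such date is blanked, which also hits
# ordinary calendar dates in that form; that false positive is accepted here.
EXP_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) present in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def _mask_pan(m) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # leave order and ticket numbers untouched
    # Keep only the last four digits, stricter than the PCI DSS display limit.
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask PANs, strip CVVs and blank expiration dates in one line of text."""
    text = PAN_RE.sub(_mask_pan, text)
    text = CVV_RE.sub(lambda m: f"{m.group(1)} [REDACTED]", text)
    text = EXP_RE.sub("[EXP REDACTED]", text)
    return text


def redact_transcript(lines) -> list:
    """Apply redact() to every line of a transcript and return the cleaned copy."""
    return [redact(line) for line in lines]


# Constructed sample input (not real call data): a speech-to-text transcript
# and an agent's scratch note of the kind the article says must not hold card data.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number; the order reference
# below is 16 digits but fails Luhn, so it must survive redaction unchanged.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I have the card number please?",
    "Caller: Sure, it's 4111 1111 1111 1111, expires 12/26, CVV 123.",
    "Agent: Thanks, your order reference 1234 5678 9012 3456 is confirmed.",
]
AGENT_NOTE = "cust paid w/ 4111-1111-1111-1111, call back tomorrow"


if __name__ == "__main__":
    for line in redact_transcript(SAMPLE_TRANSCRIPT):
        print(line)
    # find_pans() is the check for the "notepad" problem: a non-empty result
    # from an agent's notes or desktop scratch files is a finding to act on.
    print("PANs in agent note:", find_pans(AGENT_NOTE))
```

The same two functions serve both uses the article raises: `redact()` runs over transcripts, metadata fields or screen-capture OCR before anything is written to the recording store, and `find_pans()` runs as a periodic sweep over agent notes and desktop files to flag card data that landed outside the approved application. The Luhn filter is what keeps the sweep useful; without it every long reference number becomes a false alarm.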
There are a number of additional steps call centers can take to ensure they are meeting PCI DSS requirements when it comes to their call recording. While the methods are not foolproof, they will go a long way toward preventing an unwanted audit and the financial and reputation damage that come along with it.
In addition to implementing the aforementioned authentication controls for employees who will access call recordings, call centers need to make sure all system configurations are secure and standards-compliant. Configurations should be routinely tested for vulnerabilities.
One of the easiest ways to create a vulnerability or breach is to maintain a direct network connection to the Internet for the systems that record and store call data. By keeping those systems off any direct Internet path, call centers can avoid major security risks and lessen their chances of a breach or other malicious activity. As mentioned previously, all sensitive data should be masked and encrypted appropriately. And all agents, whether local or remote, should have firewalls in place at their locations and the latest virus protection and security patches installed on their systems.
By following these standard best practices, as well as always informing callers that calls are being recorded at the beginning of the call, call centers can avoid expensive, tedious and damaging audits and fines. Meeting PCI DSS requirements while recording calls is tricky, but not impossible, and having the correct processes and checks and balances in place is key to maintaining compliance.
Edited by Alicia Young