Call Recording and PCI DSS Compliance

Initiatives like chip and PIN and 3D Secure have greatly reduced face to face and e-commerce credit card fraud so there is a shift to fraud involving telephone based payments. However there is still a lot of confusion around call recording and PCI DSS compliance.

It's very important for a contact centre to record calls for purposes such as dispute resolution, FSA compliance and agent training. However if you take credit card payments over the phone then how do you protect your customer's credit card data? As soon as you capture credit card data in a format that is easy to copy and easy to search then you have problems.

Thankfully Visa have published some good guidelines for handling call recordings and payments over the telephone.

There is a common misconception that it is okay to record credit card transactions if the recording is encrypted. This is wrong. You cannot store the CVV data for a card even if it is encrypted.

There are several methods you can use to make sure that the CVV is not stored:

1. Don't record any calls that involve credit card payments. This is problematic as you lose the ability to have dispute resolution and raise issues with FSA compliance.
2. Have the agent stop the recording while a payment is being made. This is error prone (does the agent remember to stop the call recording every time a payment is taken) and is open to abuse by agent. It's easy for the agent to "accidentally" not record a challenging call.
3. Use speech recognition to identify when a payment is being made. Speech recognition can never be guaranteed to be 100% accurate and relying on agents remembering to say specific phrases while a payment is being taken.
4. Have an automated system take the payment instead of an agent. The only safe way to remain compliant is to have the payment taken by an automated system. This has the huge added benefits of greatly reducing the opportunity for fraud and if the solution also supports tokenisation then it has the great advantage of reducing the PCI DSS scope.

Credit card fraud in the contact centre can be a very serious problem, with potentially huge damage done to the reputation of a brand. A good example of this is the famous case of call centre worker at Tesco Direct.

Contact centres can no longer afford to be complacent about the potential for fraud committed both by outsiders and by their employees and need to be investigating solutions that allow them to be secure without being prohibitively expensive.

Find out more about NewVoiceMedia's PCI solution.