Confusion about the Payment Card Industry Data Security Standard (PCI DSS) persists in UK organisations, despite compliance having been on our collective agenda since 2006. In our work in the sector, the areas where we encounter most confusion can be brought into focus with three key questions:
What payment card information are we talking about?
We’re talking about sensitive authentication data (SAD): the full contents of the magnetic stripe (or the equivalent data on the chip), the card validation code (the three- or four-digit code printed on the card) and the PIN or PIN block. Once a transaction has been authorised, organisations may not retain this data in any form, even if it is encrypted. This is stricter than the rules for the card number itself, which may be stored only if it is protected as PCI DSS requires.
What organisations does it apply to?
Any organisation or merchant, regardless of size or number of transactions. If any of your customers ever pay you directly using a credit or debit card, then the PCI DSS requirements apply to you.
Any implications for Call Recording?
Yes. The rules apply to the capture and retention of information by any type of application, including call and screen recording solutions.
For organisations like yours that are using or evaluating call recording, it’s important to have a clear understanding of PCI.
In a nutshell, no organisation, regardless of size or volume of transactions, is permitted to record and retain sensitive authentication data associated with card payments, whether in the business applications you use or in the technology you use to record calls.
So what can you do?
You can transfer calls to an IVR for automated payment, or transfer them to agents whose calls are not recorded, but both options have a negative impact on customer experience. Alternatively you can switch off call recording, but then you lose all the benefits you were seeking when recording was first deployed. Worse still, for organisations in Financial Services that record for regulatory reasons, switching recording off may put you in breach of industry regulations.
So if recording is important to your business and you need to take card payments over the phone, you need to change how your recording solution is deployed so that it neither captures nor retains any sensitive authentication data.
Done correctly, you can record calls and be PCI compliant with no impact to the agent or the customer. You can read more about PCI and how call recording should be deployed to comply in the latest guide in our Business Systems Best Practice series: “How to Ensure PCI DSS Compliance”.
Contact us now or call 0800 458 2988 for more details on how to ensure your organisation is PCI compliant.