Skip to main content
The Insiders' Guide to Contact Centre PCI Compliance

The Insiders' Guide to Contact Centre PCI Compliance


The Insiders' Guide to Contact Centre PCI Compliance 

With PCI guidelines and explanations being in a constant state of flux, we wanted to put together a short guide to explain everything you may need to know about what being PCI DSS Compliant really means. 

PCI Compliance Explained 

The Payment Card Industry Data Security Standard (PCI DSS) is in its simplest form a set of requirements designed to ensure all companies that process, store or transmit payment card information, whether they are credit, debit or prepaid cards, do so in a secure environment. The PCI DSS was set up by some of the major payment card brands and currently covers all payment cards from American Express, Discover, JCB, MasterCard, and Visa International. It’s important to mention that PCI DSS does not apply only to the physical processing of a card. Acquiring the card and cardholders details over the phone, website or mobile app, falls under the same regime. 
Some PCI requirements which hold the greatest relevance include: 

1. Protecting stored cardholder data
2. Encrypting transmission of cardholder data across open, public networks
3. Maintaining a policy that addresses information security

There are two main drivers for being PCI DSS compliant. The first is that if a non-PCI DSS compliant business suffers a data breach and loses card/cardholder data, it may be liable for Card Scheme fines, covering the fraud losses incurred against these cards, and it may even be barred from the card acceptance programme and get placed in the Terminated Merchant File (TMF) – in essence a blacklist where it is very nearly impossible to be removed from.  The second driver is reputation and the associated costs that will incur if a business fails to a) provide its customers with a secure environment for their transactions and b) protect their details for the designated period of time against any fraudulent attack.

Which sectors are affected by PCI Compliance?

PCI DSS essentially applies to all businesses that process, store or transmit payment card information – regardless of the volume or the amount of transactions and regardless of the medium via which the transaction takes place (pos terminal, online form, telephone etc). Taking this into consideration, almost all sectors need to worry about PCI Compliance - from the Travel & Transport industry which takes payments over the phone for last minute holidays and package deals, to the Leisure industry where bookmakers are handling bets and taking payments for popular sporting events. In short, any business regardless of industry or size that handles in any way payment card details, need to implement all of the relevant controls in PCI DSS. 

Solutions for Contact Centre PCI Compliance

It’s worth re-capping the different solutions available that can be used in conjunction with call recording to help you meet your PCI Compliance needs:  

1. Automate Payment

A common option for PCI compliance is to pass the call to a self-service (IVR) solution at the point that the payment is taking place. The advantage automated payment offers is that by eliminating the agent from the loop there is no danger of sensitive information being recorded. The potential disadvantage here is that for organisations selling products, or even for those processing charitable donations for example the handover to the IVR system can have an impact on the sale. Handing the caller over to an automated system takes the agent out of the loop, reducing the amount of completed transactions.

2. DTMF Suppression

DTMF suppression works its wonders by capturing the DTMF tones and altering them so that the cardholder details (such as cardholder name, expiration date and service code) are not identifiable by the agent, the recording environment as well as any unauthorised person who may be listening in. The customer is able to input their card information using their own telephone keypad, with the generated DTMF tones then being altered or removed. 

3. Automated Pause & Resume

With this approach, PCI compliance is achieved by ensuring the recording system stops during the payment process when sensitive customer information is being given. This can be achieved by integrating the call recorder with the agent desktop or other transactional systems being used. Automated pause & resume ensures that when the agent enters the payment details screen, a trigger is generated to the recorder in order to stop recording. Once payment has been passed beyond the payment screen, a second trigger is generated to restart recording. Although rarer in nature, another similar option is to mute / unmute the call recordings rather than pause and resume, however this solution is dependent on the recording system that is currently in place.

What to take into consideration when becoming PCI Compliant

There is usually a common misconception that in order to become PCI Compliant you are able to buy an off-the shelf-solution that will meet all your requirements. This is not the case. Firstly, it is not the recorder that is PCI DSS compliant but rather the way you deploy it. Secondly, the combination of your business nature, your processes, the transactional systems you currently use and your recorder makes every single case unique. 

Although the most effective way to ensure you are PCI Compliant involves making changes to the way you record calls, there still may be some confusion as to how compliance is achieved. Many promoted approaches sometimes do not result in PCI Compliant recording. Here are a few to watch out for:

Password protecting your recorder
Although limiting access to your recording platform and providing each user with a personal login and password is good systems management practice, this still does not constitute PCI DSS Compliance. 

Encryption
Initially a common belief was that if you encrypted the recordings this would comply with PCI DSS. Further clarification has proven that it is only the Primary Account Number (PAN) that can be retained in an encrypted format. Sensitive Authentication data such as the CVV / CV2 number cannot be stored, whether this be encrypted or not. 

Audio Masking
With this option, an audio tone is inserted over the section of the call when the payment is being processed, similar to that of a TV bleep machine. While this may seem compliant, sensitive data is still being retained and therefore does not adhere to regulations.

Page 2 >