The question we got asked most frequently in 2009 had to be: ‘is my call recorder PCI compliant?’
Unfortunately there is not a simple ‘yes’ or ‘no’ answer to this question because the question itself does not correctly address the issue. The correct question is: ‘what do I need to do with my call recordings, systems and processes to ensure that I meet PCI compliance?’ That is a very different and far more complex question, the answer to which will depend on your specific business processes.
The following will point you in the right direction if you are starting down the PCI route. Begin by visiting www.pcisecuritystandards.org/security_standards/pci_dss.shtml and downloading the official document. This explains the PCI DSS (Payment Card Industry Data Security Standard) and the security controls your company must have in place to protect cardholder data if it is to meet compliance. Because there are so many variables in the way data is captured and handled, the definition of processes is a matter of interpretation, assessment and audit.
Based on the work involved it is not surprising that some organisations have appointed QSAs (Qualified Security Advisors) to handle the task, but be warned: advice can be conflicting because this is still a nascent area for QSAs and many advisers are short on experience.
Some examples we have seen in the last year have stated that as long as you have physical safeguards and password protection in place then this should suffice. Others have recommended the use of media encryption, whereas some advocate switching off the recording process when credit card details are discussed. Not all suggestions are practical, and you may find that common sense leads you to better solutions; measures such as dividing data storage so that information cannot be correlated, or simply providing more security around the recordings, may be far more practical and cost effective.
Above all remember, your PCI processes should work in harmony with your call recording system which (depending upon age) may require some attention to meet operational compliance, in which case your supplier’s professional services team should be able to help.
For further information email firstname.lastname@example.org or call 0800 458 2988