Following my previous blog on PCI DSS Compliance, I had some push-back on my claim that confusion persists in UK organisations regarding call recording for PCI compliance. So it’s only fair and reasonable that I should justify my observations and explain precisely why I believe that some organisations still aren’t getting it.
Business Systems specialises in call recording technology implementations and with 25 years’ experience as an independent provider we have pretty much designed, installed and provided on-going service delivery and support for most solutions. In our work in the industry, we have had a steady stream of engagements where clients have mistakenly believed that their call recording solutions met their PCI obligations.
The four most common mistakes we see are:

1. "Access to our recorder is password protected": while this may be good systems management practice, it is not PCI Data Security Standards compliant. It still does not satisfy Requirement 3.2, which stipulates that no personal identification information should be captured or retained.

2. "Our recordings are encrypted": while this was initially viewed as being OK, there has been further clarification on encryption which rules it out: "Sensitive Authentication Data cannot be stored whether encrypted or not".

3. "We use audio masking to obscure the sensitive data": while this approach (it's a bit like a TV bleep machine) may seem reasonable, it is not PCI DSS compliant because the sensitive authentication data is still being retained underneath the mask.

4. "At collection, our agents pause and resume the recording": again this fails to meet the requirements and has been the subject of an explicit clarification. Sensitive authentication data must be removed from recordings "with no manual intervention by your staff". Because the pause has to be initiated manually by the agent, it is liable to human error: the agent may simply forget to pause the recording, or pause it a few seconds too late.
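The fourth mistake is easiest to see as a timeline. The following is an added example written for this post, not Business Systems' code or any vendor's product: it simulates a single call and compares an agent-initiated pause with a pause driven by the payment system. The `card_entry_start` / `card_entry_end` events, the `agent_pause` / `agent_resume` events and the `Event` class are all assumptions made for the illustration (a real deployment would take the trigger from its own CRM or payment application). It goes slightly beyond the post's "forgets to pause" case by also showing that a pause started a second too late leaks data just the same.

```python
"""Simulate retained call audio under manual vs. system-triggered pause/resume.

Added example, not code from the original post. Assumed (hypothetical) event
sources: the payment application emits 'card_entry_start'/'card_entry_end'
when the agent opens and leaves the card-capture screen; agents may press a
'agent_pause'/'agent_resume' button on the recorder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float    # seconds into the call
    kind: str   # 'card_entry_start', 'card_entry_end', 'agent_pause', 'agent_resume'


def sad_windows(events):
    """Windows [start, end) in which sensitive authentication data is spoken.

    Derived from the payment system's own events, so this is the ground truth
    that the stored recording must not overlap with.
    """
    windows, start = [], None
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "card_entry_start":
            start = e.t
        elif e.kind == "card_entry_end" and start is not None:
            windows.append((start, e.t))
            start = None
    return windows


def recorded_windows(call_length, events, pause_kind, resume_kind):
    """Windows the recorder keeps when it pauses on pause_kind and resumes on resume_kind."""
    kept, rec_start = [], 0.0
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == pause_kind and rec_start is not None:
            kept.append((rec_start, e.t))
            rec_start = None
        elif e.kind == resume_kind and rec_start is None:
            rec_start = e.t
    if rec_start is not None:              # still recording at hang-up
        kept.append((rec_start, call_length))
    return kept


def overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]


def retained_sad(kept, sad):
    """SAD windows that overlap retained audio; a non-empty list is a Requirement 3.2 failure."""
    return [w for w in sad if any(overlaps(w, k) for k in kept)]


# Constructed 60-second call: the card-capture screen is open from 20 s to 35 s.
CALL_LENGTH = 60.0
SYSTEM_EVENTS = [Event(20.0, "card_entry_start"), Event(35.0, "card_entry_end")]


def manual_pause_run(agent_events):
    """Recorder reacts only to the agent's button presses (the non-compliant pattern)."""
    events = SYSTEM_EVENTS + list(agent_events)
    kept = recorded_windows(CALL_LENGTH, events, "agent_pause", "agent_resume")
    return retained_sad(kept, sad_windows(events))


def automated_pause_run():
    """Recorder pauses on the payment system's events, with no agent involvement."""
    kept = recorded_windows(CALL_LENGTH, SYSTEM_EVENTS, "card_entry_start", "card_entry_end")
    return retained_sad(kept, sad_windows(SYSTEM_EVENTS))


if __name__ == "__main__":
    diligent = [Event(19.0, "agent_pause"), Event(36.0, "agent_resume")]
    late = [Event(21.0, "agent_pause"), Event(36.0, "agent_resume")]
    print("manual, diligent agent :", manual_pause_run(diligent))   # []
    print("manual, one second late:", manual_pause_run(late))       # [(20.0, 35.0)]
    print("manual, agent forgot   :", manual_pause_run([]))         # [(20.0, 35.0)]
    print("system-triggered       :", automated_pause_run())        # []
```

The check in `retained_sad` is the one worth keeping in mind when evaluating any pause/resume design: it does not ask whether a pause happened, only whether any part of the stored audio coincides with the period in which card data was being read out. Only the system-triggered run passes on every path, because its pause is tied to the same event that defines the sensitive window.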
It is because so many organisations are still unclear in these areas that we produced "How to Ensure PCI DSS Compliance", the latest guide in our Business Systems Best Practice series. This paper provides a practical guide to the PCI Data Security Standards and to how call recording for PCI compliance should be deployed in order to comply. The full Best Practice Guide is available for download.
If you want to find out more on how Business Systems can help you ensure compliance, feel free to contact us: 0800 458 2988, firstname.lastname@example.org.