Taking credit card details over the phone? If agents in your contact centre stop the recording to avoid storing sensitive data, you should note that this procedure is NOT PCI DSS compliant. The reason is simple: YOU ARE NEVER GUARANTEED that credit card details do not end up in the recording!
Many people have asked me how to record calls and be PCI compliant at the same time. One common misconception is that they are OK if they manually pause and resume the recording of a phone call, so that credit card data is not stored.
In short, the practice of PAUSE/RESUME for each phone call where a credit card payment is needed requires the call centre to put in place a process where agents stop and start the recording AT THE RIGHT TIME when the client gives them sensitive credit card data: in particular, when they hear the long number (i.e. the PAN code) and the short number at the back of the card (i.e. the CVV2 code).
Firstly, this process is open to human error, for example, forgetting to press the pause button in time. Secondly, the recording is never complete, and this is something to consider if you also need to comply with the guidelines of the Financial Conduct Authority (FCA) on call recording, which require tapes not to be manipulated or altered. Also, agents will hear the details too, so you need to make sure sensitive data are kept within the contact centre (more admin work required…) and any paper copies with card information are shredded immediately. Finally, even if there is an automated pause for the credit card CVV2 number, there has to be an additional long pause too for the PAN number on any stored recordings.
We offer instead a simple technology that makes life easier for agents looking to take card payments safely without the burden of a long and expensive process to comply with PCI DSS standards. Get in touch to receive guidance on how this can be done in a cost-effective way.