
What is PCI Compliance Call Recording & Transcription: Definition, Expert Tips & Best Practices


The Team at CallMiner

April 23, 2019


PCI compliance call recording & transcription refers to the requirements set in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of strict regulations created to protect private financial information and prevent credit card fraud. To thwart would-be fraudulent activity, credit card numbers (both the card number itself and the CV2 security number) must be hidden and protected by any entity that takes and stores those numbers in any way.

Many organizations, for one or more reasons, collect credit card numbers over the phone. These phone calls are often retained for several reasons, including:

  • Protection against liability
  • To ensure the quality of customer service
  • To train and evaluate call center staff

Perhaps the strongest reason companies record and/or transcribe calls is that it’s often required by government entities. However, in order to be compliant with the PCI DSS, the CV2 security number on the back of most credit cards must not be included in audio or transcribed conversations. The primary reason this number may not be included is that both the account number and the CV2 are required for would-be criminals to use a stolen card.

Methods for Ensuring PCI Call Recording & Transcription Compliance

Solutions to the problem of PCI compliance in the call center fall into two primary categories: manual and software-based.

Manual Filtration: Manually filtering recordings and transcripts is a process that takes place after the call has ended. A representative of the company edits or masks the audio wherever a CV2 number has been spoken. This method is burdensome and, in many cases, unreliable.

Pause Recordings: A more effective strategy for PCI DSS compliance is to keep credit card information from ever being recorded in the first place. Before the conversation comes to a point where these details are said, the representative pauses the recording and resumes it once details have been entered. A potential drawback of manually pausing is that part of a conversation could be missed if the representative fails to resume recording.

Software solutions are also available that automatically pause recordings when private information is shared during a call. Predictive algorithms listen for certain words and phrases in order to determine exactly when to pause the recording.

Redact: One of the most streamlined and sophisticated methods for maintaining PCI compliance is to use a solution like CallMiner’s Eureka Redact. Eureka Redact is triggered when the system identifies sensitive data (such as credit card numbers), and then replaces that data with the word “redacted” in text transcripts and a silence block in audio calls. By removing all sensitive data without sacrificing the context of conversations, companies can get the full benefits of customer engagement and speech analytics solutions to boost customer service and agent performance while simultaneously maintaining compliance.
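As an added illustration of the transcript side of this kind of redaction (example code written for this post, not CallMiner’s Eureka Redact or any product code): it detects a PAN by length plus Luhn check, including digits that a speech-to-text engine emits as words, redacts a 3-4 digit group that follows a CV2 keyword, leaves short numeric runs such as expiry dates intact, and returns the token spans so the matching audio can be silenced. The sample transcript, per-word timestamps, spoken-digit vocabulary and keyword list are all constructed assumptions.

```python
# Digits as a speech-to-text engine may emit them when spoken (assumed vocabulary).
SPOKEN_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                 "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Words that typically precede a spoken CV2; a 3-4 digit run within 4 tokens after one is redacted.
CVV_KEYWORDS = {"cvv", "cvv2", "cv2", "cvc", "security"}
PUNCT = ".,;:!?"

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from other long digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)       # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _digits(token: str) -> str:
    """Digit string a transcript token contributes, or '' if it is not a digit token."""
    word = token.strip(PUNCT).lower()
    if word in SPOKEN_DIGITS:
        return SPOKEN_DIGITS[word]
    cleaned = word.replace("-", "")
    return cleaned if cleaned.isdigit() else ""

def redact_transcript(text: str) -> tuple[str, list[tuple[int, int]]]:
    """Replace Luhn-valid 13-19 digit runs (PANs) and CV2-like runs with 'redacted'.
    Also returns the [start, end) token spans removed, for silencing the matching audio."""
    tokens = text.split()
    spans: list[tuple[int, int]] = []
    i = 0
    while i < len(tokens):
        if not _digits(tokens[i]):
            i += 1
            continue
        j, run = i, ""
        while j < len(tokens) and _digits(tokens[j]):  # collect a maximal digit run
            run += _digits(tokens[j])
            j += 1
        is_pan = 13 <= len(run) <= 19 and luhn_ok(run)
        lookback = {t.strip(PUNCT).lower() for t in tokens[max(0, i - 4):i]}
        is_cvv = len(run) in (3, 4) and bool(lookback & CVV_KEYWORDS)
        if is_pan or is_cvv:
            spans.append((i, j))
        i = j                                           # short runs (dates, amounts) stay intact
    out, pos = [], 0
    for start, end in spans:
        out += tokens[pos:start] + ["redacted"]
        pos = end
    return " ".join(out + tokens[pos:]), spans

def silence_intervals(spans: list[tuple[int, int]],
                      word_times: list[tuple[float, float]]) -> list[tuple[float, float]]:
    """Map redacted token spans to (start, end) seconds to overwrite with silence in the audio."""
    return [(word_times[s][0], word_times[e - 1][1]) for s, e in spans]

# Constructed sample: one transcript line plus synthetic per-word timestamps (0.5 s per word).
SAMPLE = ("my card number is 4111 1111 1111 1111 and the security code is "
          "three four five, expiry oh nine twenty six")
SAMPLE_TIMES = [(0.5 * k, 0.5 * k + 0.4) for k in range(len(SAMPLE.split()))]
```

Real transcripts vary in how digits are spoken (“double one”, “eleven”), so the vocabulary and keyword list would need to be tuned to the engine and the scripts agents actually use.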

Caller Entry: Some organizations remove the need for screening, pausing or editing recordings altogether by letting cardholders enter their own private information. The caller keys the card numbers in on the telephone keypad, so the digits are never spoken to the agent, eliminating the potential for breach. There are still potential issues, including the fact that the keypad tones (DTMF) produced for each digit are themselves captured in the recording unless they are masked.

The Broader PCI DSS Focus

Call recordings and transcriptions are only a part of the requirements listed in the PCI DSS. Holistic policies and full compliance should be the aim of every organization under the authority of these guidelines. There are 12 individual requirements listed in the PCI DSS.

Some of the more notable of the 12 include:

  • Build and maintain a secure network
  • Restrict access to cardholder information to those who “need to know”
  • Encrypt cardholder data whenever it is transmitted over public networks

Penalties for Non-Compliance

Transgressing the PCI DSS will likely mean fines, but how these fines are handled gets a bit tricky. Typically, it is the banks that are fined for non-compliance, with fines ranging from $5,000 to $100,000 per month. However, according to PCIComplianceGuide.org, “The banks will most likely pass this fine along until it eventually hits the merchant.”

Once fines reach the merchant, the bank often changes its relationship with that merchant. Depending on the severity of the problem, the bank could terminate the relationship entirely or raise fees. Any of these actions can be detrimental to a business with non-compliance issues.

The Need to Implement or Improve PCI Call Recording & Transcription Compliance

According to one Verizon study from 2017, 4 out of 5 businesses are not payment compliant. Lack of compliance puts businesses at an incredible risk. The average cost of a data breach is $3.62 million, but with proper measures these costs have been shown to drop dramatically.

For example, one of the PCI DSS requirements is to encrypt payment details. While breaches and data loss can occur regardless of preparation, proper encryption could cut nearly $400,000 from the average cost of a breach.

Compliance is as sensible as it is necessary. It is vital to carefully review the standards required by all security regulations, and when choosing solutions for your call recording and transcription, to ensure security is a priority. These steps will help avoid fines, better protect customers and reduce the damage in the event of data loss.

Expert PCI Compliance Tips & Best Practices

Looking for expert advice and strategies for maintaining PCI compliance? Below, we’ve rounded up 17 tips and best practices for PCI compliance from industry and regulatory experts.

1. Look at the bigger PCI compliance picture. “The activities you’ll incorporate can vary depending on your PCI DSS scope, but some examples include scope validation, segmentation checks, bi-annual firewall reviews, active logging and monitoring, vulnerability scans, security awareness training, and policy and procedure updates.” – Brand Barney, The Secret to Smooth PCI Compliance, PCIComplianceGuide.org; Twitter: @ControlScan

2. Double-check that your entire network’s security system is adhering to the regulations. “It’s also critical to ensure an entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the Internet.” – Scott Kendrick, Vice President of Marketing at CallMiner, 10 Keys to PCI Compliance in the Contact Centre, Contact-Centres.com; Twitter: @contactcentres

3. Expand your call recording practices. “First, establish a plan and policy to record audio calls beyond simple client transactions. This should cover expanded regulatory expectations, and more importantly, best practices for audio recordings when business, products, and offers are discussed. Recording enough calls and call types helps avoid providing a guided path to malfeasance and conduct risk. This sets the expectation within your organization that there is compliance monitoring and there isn’t a loophole to avoid recording.” – Financial Services Compliance: Best Practices for Audio Recording Supervision, Theta Lake; Twitter: @thetalake

4. Ensure that your vendors are supportive and compliance-minded. “The best way to narrow down your search for PCI-compliant service providers is to check their PCI data security standards (PCI-DSS) compliance status. This method ensures that they have the internal security controls in place required by the PCI Data Security Standards Council (PCI-SSC). The PCI-DSS is a global standard that was adopted by all payment card brands to apply to service providers and is set by the PCI-SSC. To meet compliance, a service provider must have the following goals for their internal controls.

  • Creating and maintaining secure networks
  • Protect cardholder data when in storage, and during transmission through public networks by using encryption methods
  • Having a vulnerability management program to protect software programs, systems and applications
  • Applying strong access control measures to prevent unauthorized employee access
  • Monitor secure networks to track access to cardholder data and regularly test security systems
  • Develop and maintain an information security policy for all your employees

A reliable service provider who is dedicated to maintaining PCI compliance will have undergone a PCI assessment and security validation.” – Joseph DeRose, Experts Tips on How to Select a PCI-Compliant Service Provider, I.S. Partners; Twitter: @ISPartnersLLC

5. Ensure that you are operating under the correct understanding of PCI compliance for your contact center. “The impact of PCI DSS has been far-reaching, and its goal to minimize payment card data loss (malicious or otherwise) from merchant and service provider environments is becoming a reality. For all merchants and service providers, this requires appropriate measures to protect any systems that store, process and/or transmit cardholder data. This impacts call recording management and storage, and control of the agent/caller interface within the physical call-center space. The PCI SSC produced this Information Supplement to clarify the PCI DSS requirements on voice recordings, to provide some best practices, and to promote consistency among merchants, service providers and the assessor community.” – Information Supplement: Protecting Telephone-Based Payment Card Data, PCI Security Standards Council; Twitter: @PCISSC

6. Map data flow and practice transparency at every step of the payment process. “Requirement 3 of PCI-DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organizations must therefore map their data flow and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.” – Andrada Coos, 5 Best Practices for PCI DDS Compliance, Endpoint Protector Blog; Twitter: @cososys

7. Take the necessary steps to guarantee the security of all of your servers. “Even if credit card data passes through your self-hosted (i.e. non-SaaS) e-commerce platform, you are still on the hook for ensuring that any related servers you control (be it your database server, PoS system software, credit card processing terminal, utility server or internet application server) are sufficiently secure and compliant.” – Jon C. Marsella, Founder and CEO of Jasper, Everything You Need to Know About Achieving PCI Compliance, BigCommerce; Twitter: @Bigcommerce

8. Train agents thoroughly on everything compliance-related and integrate PCI best practices into their scripts. “Make sure that all call centre agents understand the rules and regulations specified in the PCI DSS policies for call centres. Provide remote agents with continuous training focused on PCI DSS compliance and measure their progress over time.” – Implementing Complying PCI DDS to Offshore Call Centres, Global Outsourcing; Twitter: @GlobalOutAu

9. Implement role-based security logins. “In any contact center environment, agent and supervisor desktops should have role-based log-ins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job. A Contact Center World white paper on security and PCI compliance in cloud-based contact centers offers an example of how this might work: ‘A sales representative might be able to view customer details, but they may not be able to update or delete them. A team supervisor may be able to view the performance of the team that they are assigned to, but they (supervisor) should not be able to view the performance of other teams within the same Contact Center or project.’” – Scott Kendrick, Vice President of Marketing at CallMiner, 5 Keys to PCI Compliance in the Call Center, CallMiner; Twitter: @CallMiner

10. Meet all PCI DSS employee background check requirements. “The PCI DSS requires (via Requirement 12.7) that a background check be performed on any prospective employee who will have access to cardholder data or the cardholder data environment. Background checks are also recommended (but not required) for employees who only have access to one card number at a time when facilitating a transaction, such as store cashiers. Background checks can include verification of previous employment history, criminal record, credit history and reference checks. The PCI DSS does not specifically say you have to do all of these things, only that you ensure background checks are completed prior to hire and that you conduct the background checks ‘within the constraints of local laws.’” – Dwain Wright, What Does the PCI DSS Say About Employee Background Checks?, PCIComplianceGuide.org; Twitter: @ControlScan

11. Document all updates and protocol changes. “Once you have the needed documentation, it is important to keep it updated. Companies should document all changes to the security environment throughout the year. It may be helpful to schedule monthly time on your calendar to create updates based on agent and management feedback. This information will be very helpful during your annual PCI compliance review.” – Shelby Farris, Marketing Manager at Bright Pattern, PCI Compliance: What it is and How Call Centers Achieve Compliance, Customer Think; Twitter: @customerthink

12. Obtain a certificate of compliance. “If you are verified as having passed the requirements, then you can obtain a certificate of compliance from an approved acquirer. The annual self-assessment is just one part of the test for PCI-DSS compliance. For most of us that self-assessment questionnaire is enough, but if you are processing a high volume of transactions then you may need to conduct quarterly vulnerability scans.” – Cari Strauss, What is PCI-DDS Compliance (Payment Card Industry Data Security Standard compliance) and What Do You Need to Know?, Fee Fighters; Twitter: @FeeFighters

13. Understand not only what data you must protect, but where it exists and through what channels it’s transmitted. “Most critically, you need to understand how your people and processes deal with credit card information. Not just at the 60,000 foot high level about what is supposed to happen, but what actually happens. You also need to understand what technologies are in play and what components see the data. A seemingly simple change such as from old fashioned analogue telephony to VoIP or from a fax to a fax server can have a huge impact on your compliance footprint. Lastly you need to understand the data itself. In a call center context, cardholder (and sensitive authorization) data include the primary account number (PAN), security validation codes, and PINs regardless of the form or media type. Digitized voice, voice recordings, recordings of IVR/DTMF tones, images, videos, text data, and hard copy all must be protected.” – Call Centers and PCI Compliance: Things You Need to Know, Control Gap; Twitter: @ControlGap

14. Narrow your PCI scope. “Looking at the matter internally, you will want to narrow that scope to the smallest footprint possible (realistically and in keeping with the PCI DSS guidance). The key to reducing scope is having fewer places that process the sensitive elements of the consumer’s information and fewer connections to external processes or technical environments. This simplifies your compliance efforts and lowers your “attack profile” from the perspective of your security teams. In many ways, this goes back to the basics of consumer privacy. Don’t collect the data if it isn’t necessary… and if you do, take care of it in the proper manner. This can be a bit of effort up front, both for the business and for the IT organization, but it will be worth it, not just for compliance and peace of mind, but because it also simplifies your operation in the process, producing fewer moving parts that could go awry throughout the course of daily business.” – Chris Conner, VP of US Customer Operations at Astute Solutions, Customer Data Security Part 2: What You Need to Know About PCI Compliance, Astute; Twitter: @astutesolutions

15. Give agents answers for real-life consequences for PCI non-compliance. “Since compliance is complex, invest in teaching your agents the rules (based on what your particular compliance issues may be). Your training program should include written standards for call agents, explaining handling ‘personal identifiable’ information (credit card numbers, social security numbers, birth dates, addresses, etc.). For example, if you take credit information on calls, it is against PCI-DSS standards to EVER store the CVV2 number. If you’re recording calls, you must programmatically or manually stop voice recording when the customer provides the CVV2.” – Best Practices for Call Recording in Call Centers, Ricochet360; Twitter: @speedtocontact

16. Give managers a system to police their agents. “Call centers have become the hub of service. Maintaining customer satisfaction is job one, yet customer satisfaction is not something easily measured. Most call centers create agent call center KPIs to assure that standards of behavior are met. Indicators are measured numerically and objectively – number of calls answered, minutes of customer hold time, one-time resolution ratio, etc. These metrics can be measured by the phone systems or call center solutions – with or without recording the actual customer interaction.

As service has become more complicated, so have the ways in which we measure service. An often-used subjective measure of ‘quality of service’ is call scoring. Call scoring for quality assurance can work one of two ways:

  • Random Audit Live Call Scoring: A supervisor or service coach randomly audits live calls and scores in real time, providing immediate feedback to the agent.
  • Call Recording & Scoring: The service agent’s call is recorded, then listened to and scored by the supervisor at a more convenient time. With call recording, there is the added benefit of having the customer interaction available for recall should a customer concern arise at a later date. This is becoming a more common business practice today. We’ve all heard the phrase ‘This call is being recorded for quality assurance’…” – Matt Pingatore, CEO at Packet Fusion, PCI Compliance in the Age of the Recorded Call, Packet Fusion; Twitter: @PacketFusion

17. Ensure that all phone systems are PCI-compliant. “Under the rules from the PCI Security Standards Council, recorded phone calls are subject to the same rules as all other types of records that store customer data. If your business records customer phone calls, make sure that there is a way to redact credit card information. In some cases, a customer service representative will need to manually pause recording so that credit card numbers are not recorded and stored. In others, your CRM system will automatically pause so that the credit card number is protected.” – Joseph DeRose, A Guide to Keeping Phone Orders PCI Compliant, I.S. Partners; Twitter: @ispartnersllc

What are your company’s biggest challenges when it comes to PCI compliance?
