Call Recording: Don’t Leave the Job Half Done

The majority of call centres choose to record at least some of their customer calls, which poses a major obstacle on the path to PCI DSS compliance.

Any agent who can see or hear card numbers will immediately be subject to severe restrictions, and any sensitive card data captured on the recorder potentially brings the entire IT and telephony system into scope. Three fixes to this problem have become commonplace in call centres, yet none of them is fully effective:

1. Automated IVR payment solutions: using voice recognition or keypad entry to take payments without the card details being recorded.
Drawback: customers are likely to drop out at the first sign of any difficulty, so they end up giving their payment details to an agent or abandoning the purchase altogether.

2. Pausing the Call Recording: at the moment a payment is being taken.
Drawback: significant risk of error and accidental recording of card data, and both the agent and the desktop they are using are still within scope for PCI DSS.

3. Encryption of Call Recordings: using encryption as a way to manage the risks of storing sensitive card data.
Drawback: the CVC2/CVV2 security code should not be stored under any circumstances, even if it is encrypted.

A far simpler remedy is to stop sensitive payment information from entering the call centre systems in the first place. Semafone takes the call centre out of scope for PCI DSS and significantly reduces fraud risk.