By Aaron Lumnah, Digital Marketing Manager
Nearly every company that processes payments over the phone and must preserve records of those calls finds itself in the same predicament at one point or another: maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) while also upholding the integrity of its call recordings. PCI DSS dictates that businesses should not record customers’ Sensitive Authentication Data at any point, which may seem to contradict other state and national regulations that require entire calls to be recorded, but there are ways to comply with both at the same time.
The Payment Card Industry Security Standards Council (PCI SSC) has recognized this risk itself, and acknowledged in its informational supplement on protecting telephone-based payment card data that, “there is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.”
A popular solution to this issue has come about through stop/start or pause and resume call recording technology. In this method, call center agents manually pause the call recording while the customer reads their credit card number aloud, and then resume the recording once they are done reading it. There are also automatic methods which pause the recording once the technology detects an agent is beginning to take a payment, or from the sound of a dial tone being input, and then resume it once complete.
While these stop/start or pause and resume methods may remove call recordings from the scope of PCI DSS, they are prone to error. Agents may forget to pause the recording before the customer reads their credit card number, or may forget to resume it once the customer is done. Automatic methods are far from perfect and can frequently make mistakes. It takes just one accidental slip-up to break PCI compliance and, even worse, open one’s organization up to a data breach.
Taking the proper precautions after mistakenly recording customers’ sensitive card data can open up a lengthy process. PCI DSS requires, as Mike Chapple writes, “If merchants are unable to prevent recording and are also unable to delete existing call recordings, they must document the reasons for this gap, conduct a risk assessment and implement controls that ensure it is not possible to query sensitive authentication data.”
Perhaps more importantly, pause and resume or stop/start methods only take the call recording out of scope for PCI DSS compliance, but do nothing to take the agent, telephone, desktop computer, or any other part of the call center infrastructure out of scope. As such, these methods are an incomplete solution to the overall challenge of making the entire contact center PCI DSS compliant, and therefore must either be supplemented or replaced with a more holistic solution.
There are several alternatives to stop/start or pause and resume call recording on the market, with the first being automated IVR solutions. SearchCRM defines an IVR as “an automated telephony system that interacts with callers, gathers information and routes calls to the appropriate recipient. An IVR system (IVRS) accepts a combination of voice telephone input and touch-tone keypad selection and provides appropriate responses in the form of voice, fax, callback, e-mail and perhaps other media.” Additionally, many companies use IVRs to collect payment card information by having customers key in their payment card number using their telephone keypad.
While this method does effectively remove from the scope of PCI DSS much of the contact center infrastructure that pause and resume methods fail to account for, including the agent, other challenges concerning customer service may crop up. By transferring a customer from a live agent to an automated line, IVRs create a disjointed customer experience and can lead to dropped calls. At the same time, if a customer has trouble entering their information and has no one to turn to for help, they may give up at the first sign of trouble and the sale will be lost.
Encryption of Call Recordings
Another method that organizations employ as an alternative to pause and resume call recording is to encrypt their call recordings. While strong encryption of call recordings does increase their security and reduce the risk of a data breach, this method fails to comply with the PCI DSS requirement that sensitive authentication data must not be stored in any way.
As the PCI SSC explicitly notes in their aforementioned informational supplement on telephone payments, “In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. Sensitive data on the chip or magnetic stripe must never be stored after authorization. If an organization stores the primary account number (PAN), it is crucial to render it unreadable… Essentially, sensitive authentication data must not be retained after authorization and for telephone operations, ‘sensitive authentication data’ means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.”
This means that even if sensitive authentication data remains on the call recording in encrypted form, the recording is still in violation of PCI DSS, so encryption is an inadequate solution to this issue.
Redaction of Sensitive Data Post Call Recording
Another method that some organizations have turned to in order to patch the holes in some of the previously mentioned alternatives and maintain PCI DSS compliant call recordings is to remove sensitive authentication data after the call has already been recorded through a process called redaction. This solution presents a number of issues on several levels. Not only does it not account for any of the contact center infrastructure that all the payment data has had to pass through in order to process the payment, it also introduces an additional layer of personnel or software that would not have to be accounted for without this method, thus expanding the scope of applicable PCI DSS controls in the contact center.
Before the payment card information is actually deleted, it must be stored in a database, thus increasing the risk of data being exposed until the recording can be cleansed. Implementing this method adds more complexity and associated risk to a process that should only reduce the number of applicable controls, and coupled with the fact that it’s prone to errors, does nothing but jeopardize an organization’s PCI DSS compliance efforts, making it less secure.
DTMF Masking – The Most Complete Solution
This leads us to the final and most holistic alternative to pause and resume call recording: DTMF masking. DTMF stands for dual-tone multi-frequency signaling, the dial tones that sound when a user presses the keys on their telephone keypad. Instead of having a customer read their card numbers out loud over the line as other methods require, they input their card information using their phone keypad and the agent remains on the line with them instead of having to transfer the call to an IVR, allowing the agent to troubleshoot if the customer runs into any issues. The dial tones are masked so they are unrecognizable to the agent or anyone listening to a call recording, and the agent never sees them on their computer screen. The system transmits transaction details directly to the payment service provider and does not store any of the payment card details, thus keeping customer card information out of the contact center entirely and completely removing it from the scope of PCI DSS.
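One way to verify on the recording side that keypad tones really were masked, as an added example (not code from Semafone or the PCI SSC): it scans mono samples for frames dominated by one DTMF row tone plus one column tone and reports only the time spans, never the digits. The 8 kHz sample rate, 205-sample frame, 0.3 energy-share threshold and the flat 1000 Hz masking tone are assumptions made for the illustration.

```python
import math

LOW = (697, 770, 852, 941)       # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies (Hz)

def goertzel_power(frame, freq, rate):
    """Squared magnitude of the frame's spectrum at one frequency (Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_has_dtmf(frame, rate, share=0.3):
    """True when one row tone and one column tone each carry a large share
    of the frame's energy (a clean pair carries about half each)."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                      # silence
        return False
    scale = energy * len(frame) / 2.0      # a pure tone scores 1.0 against this
    low = max(goertzel_power(frame, f, rate) for f in LOW) / scale
    high = max(goertzel_power(frame, f, rate) for f in HIGH) / scale
    return low > share and high > share

def dtmf_spans(samples, rate=8000, frame_len=205):
    """Return [(start_s, end_s)] where keypad tones are audible; digits are not decoded."""
    spans = []
    for i in range(0, len(samples) - frame_len + 1, frame_len):
        if frame_has_dtmf(samples[i:i + frame_len], rate):
            start, end = i / rate, (i + frame_len) / rate
            if spans and spans[-1][1] == start:
                spans[-1] = (spans[-1][0], end)   # extend the running span
            else:
                spans.append((start, end))
    return spans

def tone(freqs, seconds, rate=8000):
    """Constructed test audio: equal-amplitude sum of sine waves."""
    n = int(seconds * rate)
    return [sum(math.sin(2 * math.pi * f * t / rate) for f in freqs) / len(freqs)
            for t in range(n)]

# Constructed recordings: 440 Hz stands in for speech. LEAKED holds an unmasked
# keypress (697 Hz + 1209 Hz); MASKED holds a flat 1000 Hz tone (assumed mask).
LEAKED = tone([440], 0.2) + tone([697, 1209], 0.1) + tone([440], 0.2)
MASKED = tone([440], 0.2) + tone([1000], 0.1) + tone([440], 0.2)

if __name__ == "__main__":
    print("leaked:", dtmf_spans(LEAKED))
    print("masked:", dtmf_spans(MASKED))
```

Any span returned for a stored recording marks audio that needs review, since it means keypad tones reached the recorder unmasked.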
DTMF masking technologies like Semafone’s represent the most complete solutions on the market to address the challenges of PCI DSS compliance for contact centers. Unlike stop/start or pause and resume call recording, call encryption, or call redaction, DTMF masking does not overlook entire aspects of PCI DSS and allows organizations to reduce their cost of compliance while protecting their brand reputations.