What Doesn’t Work
In the past, three methods have been used to ensure PCI compliance in contact centres where calls are recorded:
Automated IVR payment solutions: Using voice recognition or keypad entry, these systems allow payments to be taken without the card details being recorded. However, customers are likely to drop out at the first sign of any difficulty, meaning they end up giving their payment details to an agent rather than a machine.
PCI-compliant call recording solutions: Pausing the call recording at the moment a payment is being taken is often suggested as a way for call centres to comply with PCI DSS. But with this method, both the agent and the desktop they are using are still within scope for PCI DSS, as the sensitive data passes through them.
Encryption of call recordings: Many organisations believe that encrypting their call recordings will manage the risks of storing sensitive card data. However, the CVC2/CVV2 security code should not be stored under any circumstances, even if it is encrypted.
Semafone believes that these solutions have failed to provide a comprehensive answer to the problem and that a far simpler remedy is to stop sensitive payment information from entering your systems in the first place. This takes your call centre out of scope for PCI DSS and has the added benefit of reducing fraud risk. Read more about the Semafone solution.