Veritape Blog

Five ways to make call recordings PCI DSS compliant

PCI DSS is becoming an accepted regulatory necessity. Differing interpretations of the guidelines can cause confusion for businesses seeking to become PCI DSS compliant.

There is no single approved method for making call recordings compliant. In fact, there are several PCI DSS compliant methods and, if you are looking for such a solution, you need to choose the option which best suits your business.

Here is an overview of the methods that, when properly implemented, will make call recordings PCI DSS compliant:

These methods can work

1. Pause and resume

The “pause and resume” method records the entire call apart from the sensitive authentication data. It is technically difficult to set up and tricky to maintain during future changes within your organisation.

2. Turn off your call recording

Literally, switch off your call recorder. You will lose all the benefits associated with call recording such as training, customer service and compliance. This method cannot be used by businesses operating in some regulated financial sectors.

3. Transfer to an IVR

Transfer calls to an automated payment card processing solution, such as an IVR. IVRs are not particular favourites with customers, and they require significant integration with back-end IT and telephony.

4. CallGuard

CallGuard, by Veritape, automatically detects and blocks DTMF tones, and therefore the payment card data they carry, so that they never reach the call recording. Call recording continues as usual and no sensitive data is captured or stored in any format. It works with any call recording system.

5. Semafone

Semafone centrally masks the DTMF digits entered by a caller, so they are not recorded on the call recording system. Call recording continues as usual.
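Methods 4 and 5 both rest on the same idea: recognise the DTMF key tones in the audio and blank them before the audio is written to the recorder, so the sensitive authentication data is never stored. The following is an added illustration of that technique and is not code from Veritape, CallGuard or Semafone. It assumes 8 kHz telephony audio as floating-point samples, uses the Goertzel filter (the standard way to detect DTMF pairs), and builds a constructed stand-in for a recorded call in which the caller keys "1" and "5" over low-level tones that stand in for speech; the power threshold, dominance ratio and guard-frame width are assumed values chosen for the constructed signal, not product settings.

```python
import math

SAMPLE_RATE = 8000          # telephony audio is 8 kHz; samples here are floats in -1..1
FRAME = 205                 # Goertzel block (~25.6 ms), the classic block size for DTMF at 8 kHz
POWER_THRESHOLD = 400.0     # assumed absolute power floor (~amplitude 0.2 on this scale)
DOMINANCE = 4.0             # assumed: strongest row/column tone must beat the runner-up by this factor
GUARD_FRAMES = 1            # assumed: also blank neighbouring frames to cover tone onsets/offsets
LOW_FREQS = (697.0, 770.0, 852.0, 941.0)        # DTMF row frequencies
HIGH_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)   # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(frame, freq):
    """Signal power at `freq` in one frame, computed with the second-order Goertzel filter."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs):
    """Index of the one frequency in `freqs` that clearly dominates the frame, or None."""
    ranked = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(freqs)), reverse=True)
    (best, idx), (second, _) = ranked[0], ranked[1]
    if best < POWER_THRESHOLD or best < DOMINANCE * second:
        return None
    return idx


def detect_dtmf(frame):
    """Return the keypad character if the frame carries a valid row+column pair, else None."""
    row = _dominant(frame, LOW_FREQS)
    col = _dominant(frame, HIGH_FREQS)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def mask_dtmf(samples):
    """Blank every frame that carries a DTMF tone (plus guard frames) before the audio is stored.
    Returns (masked_samples, digits) where digits is the key sequence that was suppressed;
    a trailing partial frame is left untouched. In a real deployment the digit string would
    go to the payment processor only, never to the recorder."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    hits = [detect_dtmf(f) for f in frames]
    digits, last = [], None
    for d in hits:                                   # collapse runs of the same key into one digit
        if d is not None and d != last:
            digits.append(d)
        last = d
    blank = set()
    for i, d in enumerate(hits):
        if d is not None:
            blank.update(range(max(0, i - GUARD_FRAMES), min(len(frames), i + GUARD_FRAMES + 1)))
    out = list(samples)
    for i in blank:
        out[i * FRAME:(i + 1) * FRAME] = [0.0] * FRAME
    return out, "".join(digits)


def tone(freqs, n_frames, amp):
    """Constructed audio: a sum of sinusoids, `n_frames` frames long."""
    return [sum(amp * math.sin(2.0 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n_frames * FRAME)]


def dtmf(digit, n_frames):
    """Constructed DTMF tone for one keypad character."""
    for r, row in enumerate(KEYPAD):
        if digit in row:
            return tone((LOW_FREQS[r], HIGH_FREQS[row.index(digit)]), n_frames, 0.5)
    raise ValueError(digit)


def build_sample_call():
    """Constructed stand-in for a recorded call: 'speech' (two low-level tones) while the
    caller keys '1' and then '5'. Segment lengths are whole frames so each frame is one kind."""
    def speech(n_frames):
        return tone((300.0, 2000.0), n_frames, 0.3)
    return speech(20) + dtmf("1", 4) + speech(10) + dtmf("5", 4) + speech(10)


if __name__ == "__main__":
    audio = build_sample_call()
    masked, digits = mask_dtmf(audio)
    print("keys suppressed:", digits)                 # "15"
    print("keys left in masked audio:", repr(mask_dtmf(masked)[1]))   # ""
```

The point to take from it is where the masking sits: the tone frames are blanked in the stream that feeds the recorder, so the recorded file never contains the digits, which is what makes this different from the non-compliant approaches of encrypting the recording or trying to scrub numbers out of it afterwards.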



And, for completeness, these methods are not PCI DSS compliant

1. Manual pause and resume. The PCI DSS guidelines state that card data should be removed from calls automatically, not manually.

2. Encryption only. The PCI DSS guidelines bar the storage of sensitive authentication data in any format, even if it has been encrypted.

3. Speech recognition to remove card data after the recording has been made. It is tricky to detect and remove payment information (essentially spoken numbers) without compromising other parts of the recording, and if any payment information is missed, the recording is not PCI DSS compliant.


CallGuard, by Veritape, will make any call recording system PCI DSS compliant, meaning that you can retain your existing call recording infrastructure. Veritape is the only call recording company credited as a PCI DSS Participating Organisation and we give regular direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council. We understand how PCI DSS impacts on your business.