Non-compliant methods

There are several methods that call centres have historically used as a means of removing or securing parts of a conversation. The following are not PCI DSS compliant for call recording.

Manual pause and resume

This is a process where agents can manually pause recordings when taking card data, and then re-activate it afterwards. Manual pause and resume is not compliant with PCI DSS guidelines. The PCI SSC’s March 2011 publication “Protecting Telephone-based Payment Card Data” states that card data should be removed from recordings “automatically (with no manual intervention by your staff).“

In addition to the PCI DSS stance, call centre management often does not favour this approach because:

• Agents can forget to restart recording, meaning that the remainder of that call or several more calls are simply not recorded, and
• Agents have the opportunity to pause recordings during a part of the conversation where they do not want to be recorded (which can lead to a reduction in customer service).

Encryption only

The PCI SSC does not approve of encryption by itself being used as a means of securing sensitive cardholder data in call recordings. The reason for this is simple: in a call centre, team leaders and supervisors, for example, are required to listen to calls as part of their job. Any call recording system which encrypts calls therefore has to have the ability to decrypt calls for playback in the call centre environment which exposes recorded sensitive cardholder data.

While some forms of encryption offer a way of securing calls against external theft, encryption does not secure card data internally. The PCI SSC’s stance on this is clear: “It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.” (Protecting Telephone-based Payment Card Data, March 2011)

Use speech recognition for removal after the recording has been made

The theory behind this method is that speech recognition techniques can detect card information by picking up numbers, words or common phrases used in a payment context. Then an application would remove this, along with some surrounding information, from recordings. In a general call centre context, speech recognition has certainly advanced a lot in the past few years, and it has genuinely useful applications.

The theory however falls down wehre payments are concerned. It is very difficult to detect and remove payment information, which are essentially numbers, without compromising other parts of the recording and a speech recognition method which leaves the 3- or 4-digit security number in place in the recording is not PCI DSS compliant.

PCI DSS compliant methods

To balance the picture and for comparison, those methods which are compliant with the PCI DSS requirements are listed here.