PCI DSS, call recording and your business

If your business or organisation takes card payments over the phone and records its calls, under PCI DSS regulations, you cannot store any sensitive authentication data in any format. Sensitive authentication data refers to the magnetic stripe data and the printed security code (commonly known as the CVC, CVV or CV2 number).

By making your call records PCI DSS compliant, you protect both your contact centre and your customers against fraud - the core objective of the PCI programme. It is important to note that if PCI DSS requirements are ignored, your business or organisation could be fined and ultimately lose the ability to take card payments, resulting in a significant loss of income.

The implications of non-compliance are far reaching. UK contact centres which breach the guidelines are contributing to a huge reservoir of sensitive card data. A well-documented rise in high-profile hacking incidents is creating unnecessary risk. Consumers have every right to be concerned and are increasingly demanding the reassurance of knowing that their cards details are safe when making purchases over the telephone.

To prove that your call recording infrastructure is PCI DSS compliant, you can either:

• self-certify using the ‘SAQ’ self-assessment questionnaire, or
• pay a QSA (Qualified Security Assessor) to audit you

If you are a Level 1 merchant, you have to no choice - your organisation has to be audited by a QSA. Only Levels 2,3 and 4 can self-assess. Engaging a QSA is very expensive and time-consuming.

If you are a Level 2, 3 and 4 merchant and use CallGuard, you can take your call recordings completely out of scope, significantly reducing audit time and costs.

If your call recording system is currently not PCI DSS compliant, click here to find out how you can make it tick the PCI DSS compliance box.