Keeping call recording PCI compliant
19 January 2021
Not all information is equal. Some can be stored and used. Other information can’t.
The question is how to separate what can and can’t be recorded and stored when your aim is to capture crucial conversations while also ensuring PCI DSS compliance.
Fortunately there are solutions, but not all are created equal.
The dangers of redaction
There is an old saying: prevention is better than cure. As far as PCI solutions for call recording go, there are preventative measures and there are cures. PCI redaction solutions are cures. Customers give all of their payment information to contact centre agents while the call is being recorded. Not only is the information taken by the agent, but it’s now been processed and recorded. Redaction solutions rely on AI to detect the correct information to delete and no solution is 100% effective.
PCI compliant call recording options
Now for the preventative measures: pause and resume and payment gateways. These solutions stop identifiable information from ever being recorded, so there’s no need for an AI bot to go through recordings and transcripts with a black pen.
PCI compliant payment gateways
Payment gateways are the ultimate gold standard in PCI compliance solutions. Not even the contact centre agent has any knowledge of the customer’s details as these are entered by the customer through their keypad. Any dual-tone multi-frequency (DTMF) tones are masked and the agent sees asterisks appear on their screen instead of characters.
Pause and resume for PCI compliance
Payment gateways aren’t for everybody. Depending on the PCI requirements of your business and your budget, a pause and resume solution may be more suitable. Choose from manual or automatic options, depending on your needs.
Manual solutions put the pause and resume of recording in the hands of contact centre agents – allowing them to stop recordings when sensitive information is about to be shared. Of course, this method opens up the potential for human error.
PCI DSS guidelines recommend that merchants using this method check their recordings weekly for identifiable information.
Automatic pause and resume is triggered by window or URL changes, or through custom triggers using an API. Desktop clients don’t require any custom developments and can be easily integrated, while API solutions are more robust, with a lower risk of end-user interference.
Chat to a Dubber compliance expert today to understand how to address PCI compliance when recording calls and storing conversational data.