Reader Comments

What is PCI Compliance Call Recording & Transcription

by mina nayak (2021-02-08)

In response to How To Get More Money For Your Junk Car

Many organisations that use voice recordings inside the Contact Centre achieve this because it is required for business causes, similar to agent coaching or affirmation of verbal contractual agreements which might be carried out over the phone channel when promoting services.

Depending upon the transaction type, regulatory necessities to maintain any recordings (for varying durations of time) for playback apply. For businesses, notably in the financial providers and retail sectors, further necessities apply due to the truth that when buy transactions are accomplished over the telephone using cost playing cards, certain data must be protected.

For organisations which might be required to record telephone conversations and likewise take cost card details over the phone the recording and storage of this data can turn into a PCI compliance issue.

Typically the call recording will report the whole conversation including the Primary Account Number (PAN) and the three or 4 digit safety code (CAV2, CVC2, CVV2 or CID). In addition to the considerations required around the call recordings, enhanced processes and procedures are required for all of the other levels concerned in and around the preliminary call.

There are many things to be considered when recording a call containing cardholder knowledge, it is vital to rapidly decide what knowledge must be protected, for what length of time and depending upon what analytical tooling is in place within your small business; the suitable administration and safety of this info is paramount. It is worth noting that a number of the largest fraudulent actions that occur are sometimes from within the organisation, so it is imperative to ensure that voice recording is looked at from both a know-how and a consumer process perspective, as they go hand in hand.

Some things to think about

- Is a formal Security Awareness Training programme in place and being maintained?

- Have you developed and implemented a set of PCI DSS compliant Policies?

- Are the decision recordings saved securely?

- Is your network securely maintained and protected against attack?

- Do you maintain and safe an in depth set of auditable logs?

Where know-how exists to forestall recording of these data parts, such expertise should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV type 2 or CID codes after authorisation may be permissible so long as acceptable validation has been performed. This includes the bodily and logical protections outlined in PCI DSS that should nonetheless be applied to those call recording codecs.

What this implies:

Essentially, the Card Verification Value (CVV) must not be retained submit authorisation. In any occasion, and solely as a last resort, where a CVV is retained it should be held subject to extra security controls to meet the intent of the Standard, however always by way of a compensating control.

Before any such compensation control may be applied it must be verified by a Qualified Security Assessor (QSA) in flip approval have to be obtained for the compensation control from the acquiring financial institution.

How can Host Merchant Service help you?

Host Merchant Service is a QSA providing a variety of providers and solutions that enable organizations to turn into and stay compliant with the standard. We have developed tailor-made packages to deal with the particular necessities of organizations who must comply with the requirements discussed on this document.





ISSN: 2174-2529