It’s common practice nowadays for organisations to record telephone calls between staff and customers. This might be for quality control, for staff monitoring and training, or as part of customer service and complaints review. Indeed, in many industries (particularly financial services) the recording of calls is a regulatory requirement.
Call recording throws up a number of issues, many of which our Finance Director Jonathan Graham talked about in a previous blog post. However in this article I want to concentrate on the specific issue of taking card payments over the phone and the compliance challenges arising when you need to do this during a call that’s being recorded.
The problem arises with card MOTO payments (mail order / telephone order). If a customer reads out their card details to your agent and those details are then captured in the call recording then you may be in breach of PCI DSS regulations, particularly if you’re then storing the PAN and CV2 numbers as part of the voice recording. So what to do?
There are a number of ways around this problem, each with its own pros and cons.
- Don’t record calls at all – In many ways this is the simplest solution. If you’re not recording calls at all, and the agents who take payments are operating in a ‘clean room’ environment with no means to capture the sensitive card information themselves, then you may be OK from a PCI DSS compliance point of view. However if you go down this route then you lose all the other customer service and complaints-handling benefits associated with having calls recorded, and of course if you’re in an industry where call recording is a regulatory requirement then this option is not available to you in the first place, so you will need to look for another solution.
- Tagging calls and masking card details – Another option is to carry on recording all your calls and taking customer payments as before. You can tag any call in which a card payment is taken and then go back into each one of these calls afterwards and ‘mask’ the card details, for example by overlaying them with white noise so that they cannot then be retrieved from the recording. This obviously introduces a significant extra administrative burden and can also be subject to human error.
- Pause and resume – Using this approach, either the agent or an automated process pauses the call recording at the point at which the caller is giving their card details, and then resumes it once the payment is taken so the card details are not included in the recording. However if the agent controls the process, they may forget to activate the pause and resume system or may activate it incorrectly. And of course the agents themselves remain exposed to the card details so could still misuse them. Cutting out or masking a portion of the recording means you have no way of knowing what happened during that part of the call, and may also mean that you no longer comply with regulations such as those laid down by the FCA.
- De-scoping your call centre and call recordings – Fortunately there’s a new way to take card payments over the phone that enables you to record the whole of the call whilst remaining fully PCI DSS compliant. Using a system such as Syntec’s CardEasy solution, customers key their card numbers in directly using their telephone keypad (DTMF touchtones) rather than reading them out to the agent. As these tones are masked, the agent cannot hear or see the sensitive card information, nor can the card details be picked up in call recordings so there’s no way that the caller’s card details can be identified by anyone with access to the recording.
This means that the whole conversation between customer and agent can be recorded full length, with no need to ‘pause and resume’. As there’s no longer any need to break the recording off or mask it at any point, there’s no room for human error nor any gap in the recording during which a mistake could be made or fraud committed. Organisations subject to FCA call recording regulations also remain fully compliant as the whole call is now recorded.
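A check a compliance team could run over its own stored recordings to confirm that no keypad tone pairs survive in them, given here as an added example (it is not Syntec's code and not part of the original article). It reports only where tones occur, not which keys were pressed. The 8 kHz mono float samples, the 205-sample block, the 0.3 threshold and the constructed audio are all assumptions, including the flat 440 Hz tone standing in for a masked key press.

```python
import math

LOW = (697, 770, 852, 941)        # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)   # DTMF column frequencies (Hz)

def goertzel_power(chunk, freq, rate):
    """Signal power at one frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in chunk:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def group_share(chunk, freqs, rate, energy):
    """Strongest tone of a group as a share of chunk energy (~0.5 for a clean pair)."""
    return max(2.0 * goertzel_power(chunk, f, rate) / (len(chunk) * energy) for f in freqs)

def dtmf_spans(samples, rate=8000, block=205, threshold=0.3):
    """Return merged (start_s, end_s) spans where a row and a column tone sound together."""
    spans = []
    for start in range(0, len(samples) - block + 1, block):
        chunk = samples[start:start + block]
        energy = sum(x * x for x in chunk)
        if energy < 1e-6 * block:
            continue  # silence
        if (group_share(chunk, LOW, rate, energy) > threshold
                and group_share(chunk, HIGH, rate, energy) > threshold):
            t0, t1 = start / rate, (start + block) / rate
            if spans and spans[-1][1] == t0:
                spans[-1] = (spans[-1][0], t1)   # extend the previous span
            else:
                spans.append((t0, t1))
    return spans

def tone(freqs, seconds, rate=8000, amp=0.4):
    """Constructed test signal: sum of sine waves at the given frequencies."""
    n = int(seconds * rate)
    return [amp * sum(math.sin(2 * math.pi * f * i / rate) for f in freqs) for i in range(n)]

def constructed_call(masked):
    """Constructed audio: voice stand-in, one key press (or a flat masking tone), voice."""
    voice = tone((220, 450), 0.5)
    key = tone((440,), 0.1) if masked else tone((770, 1336), 0.1)
    return voice + key + voice

if __name__ == "__main__":
    print("unmasked:", dtmf_spans(constructed_call(masked=False)))
    print("masked:  ", dtmf_spans(constructed_call(masked=True)))
```

Any span returned for a stored recording marks audio that needs review, because a tone pair is still audible there.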
And perhaps most importantly, customer service and trust levels are maintained or even improved. Research by Davies Hickman for Avaya in 2013 found that only 5% of consumers felt that sharing their card details with a human agent (usually a stranger) was inherently secure, whereas in the same survey over 80% said they would feel more comfortable and secure entering a password on a keypad to confirm their identity when calling a contact centre.
The experience of our CardEasy users such as Miele confirms this. Customers prefer keypad entry to reading their card numbers out, as it feels much more secure. It also speeds up the transaction, as card payment can be taken seamlessly during the call, and there are far fewer mis-keying errors because customers are entering their own card details rather than the agent doing it on their behalf. Using keypad payment by phone also means that the reputation of the company is protected and the whole call centre environment is ‘de-scoped’ from costly and time-consuming PCI DSS audit requirements.
De-scoping payments in this way tackles this broader consumer trust issue as well as resolving PCI compliance for your call recordings (see also the Syntec white paper about consumer concerns regarding fraud in call centres).
About the Author – Danny Cresswell