Call Recording, PCI DSS and the Pitfalls

Many organisations that use voice recordings within the Contact Centre do so because it is required for business reasons, such as agent coaching or confirmation of verbal contractual agreements that may be made over the telephone channel when selling services.

Depending upon the transaction type, regulatory requirements to retain any recordings (for various periods of time) for playback apply. For businesses, particularly in the financial services and retail sectors, additional requirements apply because when purchase transactions are completed over the phone using payment cards, certain information must be protected.

For organisations that are required to record phone conversations and also take payment card details over the telephone, the recording and storage of this data can become a PCI compliance issue.

Typically the call recording will capture the entire conversation, including the Primary Account Number (PAN) and the three or four digit security code (CAV2, CVC2, CVV2 or CID). In addition to the considerations required around the call recordings themselves, enhanced processes and procedures are required for all of the other stages involved in and around the initial call.

There are many things to be considered when recording a call containing cardholder data: it is critical to determine quickly what data needs to be protected, for what length of time, and which analytical tooling is in place within your business; the appropriate management and security of this data is paramount. It is worth noting that some of the largest fraudulent activities that occur often originate from within the organisation, so it is imperative to ensure that voice recording is looked at from both a technology and a user process perspective, as they go hand in hand.

Some things to think about

- Is a formal Security Awareness Training programme in place and being maintained?

- Have you developed and implemented a set of PCI DSS compliant policies?

- Are the call recordings stored securely?

- Is your network securely maintained and protected against attack?

- Do you maintain and secure a detailed set of auditable logs?

Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been carried out. This includes the physical and logical protections defined in PCI DSS, which must still be applied to these call recording formats.
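The "can these recordings be data mined" question is easiest to answer by trying it. The following is an added example, not code from the original article or from Host Merchant Service: a small discovery check that scans a speech-to-text transcript of a call for a PAN (Luhn-validated, tolerant of the spaces and dashes transcription engines insert between spoken digit groups) and for a security code spoken shortly after a cue word, then masks the PAN to its last four digits and removes the security code entirely. The transcript, the cue words and the 40-character cue window are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample transcript (not from the original page): the kind of
# speech-to-text output a call-recording platform might produce. The card
# number is the well-known test PAN 4111 1111 1111 1111; the "reference
# number" is 16 digits but fails the Luhn check and must not be flagged.
SAMPLE_TRANSCRIPT = (
    "Agent: can I take the long number on the front of the card please. "
    "Caller: yes it's 4111 1111 1111 1111. "
    "Agent: and the three digit security code on the back. "
    "Caller: 123. "
    "Agent: thanks, your reference number is 1234 5678 9012 3456 "
    "and the order total is 4999."
)

# A run of 13-19 digits, allowing single spaces or dashes between digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit group within 40 non-digit characters after a security-code cue
# (cue list and window size are assumptions chosen for this example).
CVV_CUE = re.compile(
    r"\b(security code|cvv2?|cvc2?|cid|cav2)\b[^\d]{0,40}(\d{3,4})(?!\d)",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "PAN" or "CVV"
    start: int     # offset into the transcript
    end: int
    masked: str    # replacement text


def find_cardholder_data(text: str) -> List[Finding]:
    """Locate Luhn-valid PANs and cue-adjacent security codes in a transcript."""
    findings: List[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            # PCI DSS masking: keep at most the last four digits on display.
            findings.append(Finding("PAN", m.start(), m.end(),
                                    "*" * (len(digits) - 4) + digits[-4:]))
    pan_spans = [(f.start, f.end) for f in findings]
    for m in CVV_CUE.finditer(text):
        s, e = m.start(2), m.end(2)
        # A digit group that is part of an already-found PAN is not a CVV.
        if any(ps <= s < pe for ps, pe in pan_spans):
            continue
        findings.append(Finding("CVV", s, e, "[CVV REDACTED]"))
    return sorted(findings, key=lambda f: f.start)


def redact_transcript(text: str) -> Tuple[str, List[Finding]]:
    """Return the transcript with cardholder data masked, plus what was found."""
    findings = find_cardholder_data(text)
    out = text
    # Apply replacements from the end so earlier offsets stay valid.
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f.masked + out[f.end:]
    return out, findings


if __name__ == "__main__":
    redacted, found = redact_transcript(SAMPLE_TRANSCRIPT)
    for f in found:
        print(f"{f.kind} at {f.start}-{f.end}")
    print(redacted)
```

A transcript is itself cardholder data, so a check like this belongs in a retention or purge workflow that decides which recordings must be deleted or re-processed, not in a long-lived search index; preventing capture in the first place (pausing the recorder or masking DTMF tones while the card details are taken) is the control the article recommends, and this kind of scan is the validation that confirms it is working.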

What this means:

Essentially, the Card Verification Value (CVV) should not be retained post authorisation. In any event, and only as a last resort, where a CVV is retained it must be held subject to additional security controls to meet the intent of the Standard, and always through a compensating control.

Before any such compensating control can be implemented it must be verified by a Qualified Security Assessor (QSA); in turn, approval for the compensating control must be obtained from the acquiring bank.

How can Host Merchant Service help you?

Host Merchant Service is a QSA offering a range of services and solutions that allow organisations to become and remain compliant with the Standard. We have developed tailored packages to address the specific requirements of organisations who must comply with the requirements discussed in this document.
Created 8 Feb 2021
Founder bharata

©2021 University of Washington

Generated 17 May 2021, 2:35:10 UTC