PCI DSS Call Recording Compliance When Taking Card Payments
The PCI Security Standards Council (SSC) is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The SSC issues guidance to companies that take bank or credit card payments and record calls.
PCI DSS Guidance
Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?
This response is intended to provide clarification for call centres that record cardholder data in audio recordings and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).
It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorisation, even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorisation if that data can be queried; recognising that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled.
If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.
This requirement does not supersede local or regional laws that may govern the retention of audio recordings.
Achieving Compliance with iCall Suite from Tollring
The call recording module in iCall Suite provides compliance with PCI DSS regulations through ‘Pause and Resume’ functionality which ensures sensitive data is not recorded.
Pause and Resume of Call Recordings
The ability to pause call recording is critical to ensure that card data is not recorded. As soon as an agent expects to receive card information, call recording can be temporarily paused in several ways:
- Enter a number or sequence of numbers on the keyboard dialling pad to pause the recording.
- Use the soft-key feature of the telephony platform to pause and resume the recording (if supported by the telephony platform).
- Use Tollring API automation to automatically pause the recording (triggered by an event such as when an agent opens the payment gateway).
API automation removes the ‘human element’ from the process of stopping and starting recordings.
API commands are typically triggered when an agent opens a payment gateway or simply clicks to move to the next screen. This removes agent input from scope and decreases the likelihood of accidental capture of bank or credit card details.
The second important consideration in achieving PCI DSS compliance is security. Tollring considers security a priority and adheres to a number of security protocols to ensure that iCall Suite can be deployed in environments where data security mission-critical:
- Multi-level security products from leading vendors alongside proven security practices safeguard network security:
- To prevent malicious attacks through unmonitored ports, external firewalls allow only http and https traffic on ports 80 and 443, along with ICMP traffic.
- Security protocols such as SSL & SFTP (for data transmission over public networks):
- Tollring uses a 256bit encryption on the platform and SSL for all client to iCS communications.
- Password security:
- Passwords are automatically generated.
- Login details and passwords are distributed via separate emails.
- Passwords must be changed and can be set to renew on a frequent basis if desired.
- Passwords must contain a minimum combination of upper and lowercase characters including a number and special character.
- Passwords are encrypted using SHA 256 non-reversible encryption using Random Salt.
- Call recording playback permissions:
- The search and playback of recordings and associated metadata is permissions-based. As such we ensure that only personnel with the associated permissions can access the required data. Alongside this, an audit trail displays the history of who accessed which recordings.
- Emailing call recordings for review:
- When call recordings are shared via email, the actual call recording file is not shared. The email notification contains a link to the recording, which is authenticated to the user and expires after 24 hours.