Hey, I'm Sibun!
Many organisations record voice calls throughout the contact centre because it is required for business reasons, such as agent training or confirmation of verbal contractual agreements made over the phone channel when selling services.
Depending on the transaction type, regulatory requirements to retain any recordings (for varying periods of time) for playback apply. For businesses, particularly in the financial services and retail sectors, further requirements apply because, when purchase transactions are completed over the phone using payment cards, certain data must be protected.
For organisations that are required to record phone conversations and also take payment card details over the phone, the recording and storage of this information can become a PCI DSS compliance concern.
Typically the call recording will capture the entire conversation, including the Primary Account Number (PAN) and the three- or four-digit security code (CAV2, CVC2, CVV2 or CID). In addition to the controls required around the call recordings themselves, enhanced processes and procedures are required for all the other stages involved in and around the initial call.
There are many things to consider when recording a call containing cardholder data. It is critical to determine quickly what data must be protected, for how long, and what analytical tooling is in place within your business; the appropriate management and protection of this data is paramount. It is worth noting that some of the largest fraudulent activities originate from within the organisation, so it is crucial that voice recording is looked at from both a technology and a user-process perspective, as they go hand in hand.
Some things to consider
- Is a proper Security Awareness Training programme in place and being maintained?
- Have you developed and implemented a set of PCI DSS compliant policies?
- Are the call recordings stored securely?
- Is your network securely maintained and protected against attack?
- Do you keep and secure a detailed set of auditable logs?
Where technology exists to prevent recording of these data elements, it should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible provided appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS, which must still be applied to these call recording formats.
What this implies:
Essentially, the card verification value (CVV) must not be retained after authorisation. If, and only as a last resort, a CVV is retained, it must be held subject to additional security controls that meet the intent of the Standard, always through a compensating control.
Before any such compensating control can be applied it must be validated by a Qualified Security Assessor (QSA), and approval for the compensating control must then be obtained from the acquiring bank.
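The "technology to prevent recording of these data elements" is best applied at the telephony layer (pausing the recorder, or masking DTMF tones, during the payment step) so that the PAN and security code never reach storage. Where a recording or its transcript already exists, a redaction pass before archiving is the fallback. The following is an added example, not code from the original post or from Host Merchant Service: it finds Luhn-valid PANs in a speech-to-text transcript or a captured DTMF digit string, keeps only the last four digits of each, and fully masks a three- or four-digit security code given shortly after the PAN. The sample transcript and DTMF string are constructed, and the 80-character search window for the security code is an assumption.

```python
"""Redact cardholder data from a call transcript or captured DTMF digit
string before it is written to the recording archive.

Added example, not code from the original post or from Host Merchant
Service. It assumes the call platform can hand the payment step to us as
text (a speech-to-text transcript or the DTMF digits the caller keyed).
"""
from __future__ import annotations

import re

# A run of 13 or more digits, allowing a single space or hyphen between
# digits ("4111 1111 1111 1111", "4111-1111-1111-1111", "4111111111111111").
DIGIT_RUN = re.compile(r"\d(?:[ \-]?\d){12,}")
# A standalone 3- or 4-digit group: the CAV2/CVC2/CVV2/CID candidate.
SECURITY_CODE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid PAN of 13-19 digits.

    A digit run may be longer than the PAN (e.g. the caller read the
    security code straight after the card number), so the longest
    Luhn-valid prefix of each run is taken as the PAN.
    """
    pans = []
    for m in DIGIT_RUN.finditer(text):
        run = m.group()
        digit_offsets = [m.start() + i for i, ch in enumerate(run) if ch.isdigit()]
        digits = "".join(ch for ch in run if ch.isdigit())
        for length in range(min(19, len(digits)), 12, -1):
            if luhn_ok(digits[:length]):
                pans.append((m.start(), digit_offsets[length - 1] + 1, digits[:length]))
                break
    return pans


def redact(text: str, window: int = 80) -> tuple[str, int]:
    """Mask every PAN down to its last four digits and fully mask a 3/4-digit
    security code that follows within `window` characters of it (window size
    is an assumption for this example).

    Returns the redacted text and the number of PANs found, so the caller can
    log a count (never the values) for the audit trail.
    """
    pans = find_pans(text)
    edits: list[tuple[int, int, str]] = []
    for idx, (start, end, digits) in enumerate(pans):
        # PCI DSS permits at most the first six and last four to be shown;
        # keeping only the last four is enough for an agent to reference.
        edits.append((start, end, "*" * (len(digits) - 4) + digits[-4:]))
        # Look for the security code after the PAN, but not past the next PAN.
        limit = min(end + window, pans[idx + 1][0] if idx + 1 < len(pans) else len(text))
        code = SECURITY_CODE.search(text, end, limit)
        if code:
            edits.append((code.start(), code.end(), "*" * len(code.group())))
    # Apply from the back so earlier offsets stay valid.
    for start, end, replacement in reversed(edits):
        text = text[:start] + replacement + text[end:]
    return text, len(pans)


if __name__ == "__main__":
    # Constructed sample transcript and DTMF capture (not real calls).
    transcript = ("Agent: card number please. Caller: 4111 1111 1111 1111. "
                  "Agent: and the security code? Caller: 123. "
                  "Agent: thanks, order ref 98765432.")
    dtmf = "4111111111111111#123#"
    for sample in (transcript, dtmf):
        print(redact(sample))
```

This operates on text only, so it complements rather than replaces a pause-and-resume or DTMF-masking control on the audio path, and like any retention workaround it only counts as a compensating control once a QSA has reviewed it. Short digit groups that are not near a PAN (phone numbers, order references) are left alone, and the count of redactions, never the redacted values, is what belongs in the audit log.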
How can Host Merchant Service help you?
Host Merchant Service is a QSA offering a range of services and solutions that enable organisations to become and remain compliant with the Standard. We have developed tailored packages to address the specific requirements of organisations that must comply with the requirements discussed in this document.