Call Recording, PCI DSS and the risks

Many organisations that use voice recordings within the contact centre do so because it is needed for business reasons, such as agent training or as evidence of verbal contractual agreements made over the telephone channel when selling services.

Depending upon the type of sale, regulatory requirements to keep any recordings (for varying lengths of time) for playback apply. For businesses, particularly in the financial services and retail sectors, further requirements apply because when purchases are completed over the telephone using payment cards, certain data needs to be protected.

For organisations that are required to record telephone conversations and also take payment card details over the phone, the recording and storage of this data can become a PCI compliance issue.

Typically the call recording will capture the whole conversation, including the Primary Account Number (PAN) and the three- or four-digit security code (CAV2, CVC2, CVV2 or CID). In addition to the considerations needed around the call recordings themselves, enhanced processes and procedures are needed for all of the other stages involved in and around the original call.

There are many things to consider when recording a call containing cardholder data. It is vital to determine quickly what data needs to be protected, for how long, and what analytical tooling is in place within your business; the appropriate management and protection of this information is paramount. It is worth noting that some of the largest fraudulent activities that occur are often from within the organisation, so it is imperative to ensure that voice recording is looked at from both a technology and a user-process perspective, as they go hand in hand.

Some things to consider

1. Is a formal security awareness training programme in place and being maintained?
2. Have you developed and implemented a set of PCI DSS compliant policies?
3. Are the call recordings stored securely?
4. Is your network securely maintained and protected against attack?
5. Do you maintain and secure a detailed set of auditable logs?

Where technology exists to prevent recording of these data elements, such technology should be enabled. However, if these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

What this means

Basically, the Card Verification Value (CVV) must not be retained post-authorisation. In any event, and only as a last resort, where a CVV is retained it must be held subject to additional security controls to meet the intent of the Standard, and always via a compensating control.
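As an added example (not from the original post or from Sysnet), a small Python scanner for the cardholder data this section says a recording captures: it finds Luhn-valid PANs in transcript text, masks them to the first six and last four digits, and flags a bare security code spoken shortly after one. The sample transcript, the two-line CVV window and the speaker-label pattern are constructed assumptions for illustration.

```python
import re

# Constructed sample call transcript for the scanner below; the card number is the
# well-known 4111... test PAN and the "security code" is made up, not real data.
SAMPLE_TRANSCRIPT = [
    "Agent: Can you read me the long number on the front of the card?",
    "Caller: Sure, it's 4111 1111 1111 1111.",
    "Agent: Thank you. And the three digits on the back?",
    "Caller: 123.",
    "Agent: Your order reference is 1234 5678 9012 3456.",
]

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A line that is only a speaker label plus a bare 3- or 4-digit number.
CODE_ONLY = re.compile(r"^\s*(?:\w+:\s*)?(\d{3,4})\.?\s*$")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_transcript(lines: list, cvv_window: int = 2) -> list:
    """Report Luhn-valid PANs, then any bare 3-4 digit code spoken within cvv_window lines."""
    findings = []
    last_pan_line = None
    for idx, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):  # reference numbers that fail Luhn are not reported
                findings.append({"line": idx, "kind": "PAN", "value": mask_pan(digits)})
                last_pan_line = idx
        if CODE_ONLY.match(line) and last_pan_line is not None \
                and 0 < idx - last_pan_line <= cvv_window:
            # The security code must never be stored post-authorisation, so it is never echoed.
            findings.append({"line": idx, "kind": "CVV", "value": "***"})
    return findings
```

If a search like this finds hits in stored transcripts or speech-to-text output, the recordings are data-mineable and the post-authorisation exemption for security codes does not apply.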

Before any such compensating control can be implemented it must be validated by a Qualified Security Assessor (QSA); in turn, approval for the compensating control must be obtained from the acquiring bank.

How can Sysnet help you?

Sysnet Global Solutions is a QSA providing a range of services and solutions that enable organisations to become and remain compliant with the standard. We have developed tailored packages to address the specific requirements of organisations who must comply with the requirements discussed in this document.
