The question we get asked daily: “How can I record my calls while taking payments?”
This is a minefield. Many of our clients are trying to be PCI DSS compliant while also meeting their FCA obligations.
Issues Involving The PCI Council and The FCA
Unfortunately for them, the two bodies did not coordinate. PCI DSS says you must not keep sensitive authentication data such as the CVC after authorisation, in any form, and a recording that captures the PAN pulls the recording platform into scope, so the conventional advice has been to stop recording during the payment or not record at all. The FCA rules, by contrast, require the whole call to be recorded, so that the firm can investigate and analyse what its staff said during the financial transaction.
New, Reinterpreted PCI Guidelines
Over the last few years, companies have dealt with this by pausing call recording, accepting that they could not fully comply with PCI DSS while complying with the FCA. Over the last 18 months, the PCI Council and the ICO have reissued interpretation notes. The PCI Council has not changed the standard itself; what has changed is its interpretation of what you need to do. The document issued in November makes clear that simply pausing the recording, although it satisfies the parts of PCI DSS concerned with not storing card data or the CVC in your telephony platform, does nothing about the audio itself: what the agent hears, or what the IVR you transferred the caller to hears, is still passing through your phone system and across the network inside your building.
What they have clearly highlighted is that every network point, every device, every bring-your-own device, anything connected to that network, is in scope and a potential path to compromise. Therefore, to be PCI DSS compliant, you must take the audio and DTMF out of the environment entirely and stop them from entering the building at all, so that the network and everything on it stays out of scope.
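To make the scoping point concrete: if the caller keys their card number on the keypad, the DTMF tones that reach your agent's phone are trivially decodable by anything that can see the audio stream, which is why pausing the recorder alone does not help. The example below is added here and is not our product's code or anything from the PCI Council's guidance. It uses the Goertzel algorithm, a standard way to detect DTMF, to do two things: recover the digits from a constructed 8 kHz stream (what an attacker on your network could do), and mask those frames with silence before the audio is passed on (what a DTMF-suppression proxy does at the edge). Frame length, thresholds and the guard frame are illustrative choices, not anyone's specification; a production masker also needs talk-off protection, timing and twist checks, and separate handling for a spoken PAN.

```python
"""Goertzel-based DTMF detection and masking on 8 kHz PCM (pure Python, no dependencies)."""
import math

SAMPLE_RATE = 8000                 # narrowband telephony audio
FRAME = 205                        # ~25.6 ms analysis frame (an illustrative choice)
LOW_FREQS = (697, 770, 852, 941)   # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)  # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")  # rows = low tones, columns = high tones


def synth_dtmf(digits, tone_ms=100, gap_ms=100, amplitude=0.5):
    """Constructed test input: two-tone DTMF bursts separated by silence."""
    out = []
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        lo, hi = LOW_FREQS[row], HIGH_FREQS[col]
        for n in range(tone_n):
            t = n / SAMPLE_RATE
            out.append(amplitude * (math.sin(2 * math.pi * lo * t) + math.sin(2 * math.pi * hi * t)))
        out.extend([0.0] * gap_n)
    return out


def goertzel_power(frame, freq):
    """Squared magnitude of the DFT of `frame` at `freq`, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def detect_digit(frame):
    """Return the DTMF digit present in `frame`, or None if no clean two-tone pair is found."""
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return None
    lows = [goertzel_power(frame, f) for f in LOW_FREQS]
    highs = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row, col = lows.index(max(lows)), highs.index(max(highs))
    floor = 0.1 * len(frame) * energy   # a pure two-tone frame scores ~0.25 * N * energy
    for powers, best in ((lows, row), (highs, col)):
        others = max(p for i, p in enumerate(powers) if i != best)
        # the winning tone must carry real energy and dominate its group (talk-off guard)
        if powers[best] < floor or powers[best] < 8.0 * others:
            return None
    return KEYPAD[row][col]


def frames(samples):
    for i in range(0, len(samples), FRAME):
        yield i, samples[i:i + FRAME]


def decode_dtmf(samples):
    """Digits keyed in `samples`: one digit per contiguous run of detecting frames."""
    digits, prev = [], None
    for _, frame in frames(samples):
        d = detect_digit(frame)
        if d is not None and d != prev:
            digits.append(d)
        prev = d
    return "".join(digits)


def mask_dtmf(samples, guard_frames=1):
    """Copy of `samples` with every DTMF-carrying frame, plus `guard_frames` neighbours on
    each side, replaced by silence. The guard covers partial frames at tone boundaries that
    are too short to detect on their own."""
    masked = list(samples)
    hits = [i for i, frame in frames(samples) if detect_digit(frame) is not None]
    for start in hits:
        lo = max(0, start - guard_frames * FRAME)
        hi = min(len(masked), start + (guard_frames + 1) * FRAME)
        for j in range(lo, hi):
            masked[j] = 0.0
    return masked


if __name__ == "__main__":
    pan_entry = synth_dtmf("4111")          # constructed: first four digits keyed by a caller
    print("agent-side stream decodes to:", decode_dtmf(pan_entry))
    print("masked stream decodes to:", repr(decode_dtmf(mask_dtmf(pan_entry))))
```

Run it and the unmasked stream gives back the digits that were keyed; the masked stream gives back nothing, because the frames carrying the tones never reach the far side. Pausing a recorder changes only what is written to disk, not what the first function can recover from the live stream.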
In the call recording world, and for pause-and-resume in particular, changes are coming.
Our PCI and FCA Compliant Solutions
Luckily for us, we have always taken the view that you should be able to record the call. Many of our clients are FCA regulated, so when we designed the solution we made sure that the full audio conversation is retained throughout the transaction, while the DTMF is collected inside our own data centre under our Level 1 PCI DSS service provider controls. For anything still left in scope, mitigating measures can be put in place that are accepted under PCI DSS as compensating controls and by the card service provider you are using.
Already, you can have contact centre payments fully call-recorded with none of the payment DTMF or card-data audio passing over your network, taking that environment out of scope and putting the onus on us.