Call recording is an integral part of training, quality control and dispute management for organizations and their call centers.
For many industries this is a standard obligation, as outlined by the Financial Conduct Authority (FCA) to prevent, detect and deter market abuse.
A summary from the FCA says:
“The rules in COBS 11.8 oblige firms to retain records of specific telephone conversations and electronic communications of client order services that relate to the reception, transmission and execution of client orders and proprietary trading. It includes communications that are intended to result in a transaction, even if ultimately they do not.”
For organizations who recognize the security risk of recording calls during the payment process, complying with both regulation and best practice payment security can be a considerable challenge. The Payment Card Industry Data Security Standard (PCI-DSS) outlines that card details that are read out verbally over the phone should not be collected or stored within the corporate network.
The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of requirements, initially outlined by the major card providers, to ensure that companies use their clients’ credit or debit card information securely. It protects sensitive information from fraudulent activity, a risk that is growing every year following the rise of remote purchasing.
If not handled appropriately, cardholder data (CHD) is at risk of theft from hackers that are on the lookout for a way to exploit weaknesses in your organization. Whether you’re a large corporation or a small business, PCI DSS was introduced to protect you and your customers in the prevention of data theft.
Non Compliance can affect not only the people whose data has been stolen, but the organization itself is open to massive financial repercussions. Large data breaches can have huge reputational damage, large imposed fines and many other financial downfalls.
When customers are calling to discuss their account, place an order or to make a payment, they are entrusting you with Personally Identifiable Information (PII), such as full name, home address, email address, full payment card details and more. They expect their sensitive information to be handled with the upmost security and by recording the call, that stored file also has to be treated in the same way.
Call recording solutions that don’t exclude sensitive card details are posing a huge security risk, opening organizations to vulnerabilities, such as:
Did You Know?
British Airways faced a £183.4 ($230) million fine from the Information Commissioner’s Office (ICO) following their data breach in 2018. 380,000 customers had their personal and financial details stolen by malicious cyber attackers.
Ultimately, the best way to ensure your customer’s information is safe, is to remove card data from the call altogether. If the details are never stored in the first place, they cannot be stolen or used maliciously.
No customer wants to wake up to find that their financial information has been stolen and misused due to a lack of care, or system security, of a company they thought they could trust.
If you work within an industry where call recording is essential, here are 3 ways you can process card data securely and continue to record your calls:
Calls that involve processing a payment, and have card details being captured on the recording, can be tagged for masking by the agent. A provider or masking solution will process these tagged recordings, applying a filter to the portion of the call when card details were read out loud, muting or replacing it with white noise.
It is an effective method of removing sensitive data when appropriately done; however, it is prone to human error, and it can be a very lengthy process.
Pause and resume is a popular method of removing sensitive information from call recording. This is done by pausing the recording at the point the customer begins to read out their card details, then resume it once they have finished. The result is an audio file that maintains the conversation between agent and customer, but all payment details are redacted.
But, is this really secure?
There are two different methods of Pause and Resume; it can either be carried out manually by the agent, or through an automated process. Either way is open to error, as agents may forget or resume the recording at the wrong point, and automation is susceptible to technical faults. Also, by cutting the information entirely, this can conflict with FCA regulations.
Additionally, by only pausing the recording of the call, the agent can still hear the sensitive information, with the potential to write customer details down and use them maliciously.
DTMF (Dual-Tone-Multi-Frequency) are audio signals generated by pressing the numbers (as well as the “#” and “*”) on a telephone’s keypad. Rather than reading out the information to the agents, customers enter their card details into their telephone keypad. The masking software either replaces the tones or converts the two pitches into a single flat tone to ensure they cannot be decrypted.
DTMF suppression is the most effective way to secure call recording as it allows you to record the entire conversation, without needing to interrupt the call. This helps adhere to strict regulation such as the FCA and achieve best practice payment security.
This method of redacting card details is also the most reliable way for organizations to obtain PCI compliance while continuing to take payments over the phone.
Want to know more about DTMF Masking?
Key IVR’s Agent Assisted Payments service is a PCI-DSS compliant, DTMF suppressed card payments solution that keeps agents connected to their customers throughout the entire call. It serves to improve customer experience and increases payment conversion, whilst also removing the risk of human error.
“Customer engagement has drastically improved since introducing the service. The Agent Assisted solution means we don’t have to worry about pausing recordings mid-way through a call, or asking people to read their card details out loud, something they may feel uncomfortable doing.
The customer can have confidence we are a professional and trusted brand that takes handling our customer’s sensitive financial details seriously.”
– Simon Turner, Clothes2Order
The right question is, how much does it cost NOT to suppress?
In the realms of ICO and the PCI Council, the current legislated fine for each account data known, that is taken from the environment, and then used to transact is £200,000 per transaction. This is why losing entire databases of account data, that should never have been readily available or on your systems, can destroy a business. Millions of pounds worth of fines will be imposed quickly causing immense reputational and financial damage.
It is better to understand what the cost is to your business from not taking protective measures.
Talk to Key IVR and let us help you reduce serious security risks within your Call Center with our PCI-DSS compliant solutions. We work in partnership and integrate with a wide range of payment providers and suppliers with the aim to design a solution that meets your individual business requirements.
Call us on +1 (929) 207 0116 or email [email protected] and we’d be happy to discuss the options in more detail.
If you’re worried about how recording calls whilst taking payments over the phone is effecting the security of your organization, contact us today, and we’d be happy to discuss the best option for you.
