PCI Compliance in the Age of the Recorded Call

One of the challenges of a call center today is balancing excellence in customer service experience while adhering to strict security standards that maintain customer confidence. When customer service representatives collect any kind of payment, your organization is required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Keeping customer financial information secure has been thrust to the forefront of the news in recent years. With companies as large as Target suffering credit card security breaches, it has become increasingly important for businesses of all sizes to protect their customers' personal information. PCI DSS security requirements are critical to help protect against fraud and instill customer confidence in your business. This can be especially tricky when it comes to call recording procedures.


A Standard Set of Transaction Security Procedures

The Payment Card Industry Data Security Standard (PCI DSS) is a standard set of security procedures meant to ensure that all companies safely accept, process, store, or transmit credit cardholder data. Founded in 2006, the PCI Security Standards Council's mission is to improve the security of the transaction process and the payment technology life cycle as a whole. The council is made up of executives from Visa, MasterCard, American Express, Discover, and JCB, as well as some of the largest retailers and e-tailers worldwide.

Balancing Agent KPIs and Customer Financial Security in the Call Center

Call centers have become the hub of service. Maintaining customer satisfaction is job one, yet customer satisfaction is not something easily measured. Most call centers create agent call center KPIs to assure that standards of behavior are met. Indicators are measured numerically and objectively – number of calls answered, minutes of customer hold time, one-time resolution ratio, etc. These metrics can be measured by the phone systems or call center solutions – with or without recording the actual customer interaction.

As service has become more complicated, so have the ways in which we measure service. An often-used subjective measure of ‘quality of service’ is call scoring. Call scoring for quality assurance can work one of two ways:

  • Random Audit Live Call Scoring: A supervisor or service coach randomly audits live calls and scores them in real time, providing immediate feedback to the agent.
  • Call Recording & Scoring: The service agent’s call is recorded, then listened to and scored by the supervisor at a more convenient time. With call recording, there is the added benefit of having the customer interaction available for recall should a customer concern arise at a later date. This is becoming a more common business practice today. We’ve all heard the phrase “This call is being recorded for quality assurance”…

Call Recording to Manage Customer Interactions

As the definition of “excellent customer service” has shifted, and as social media has made it easy to voice complaints publicly, it has become almost necessary for companies to record their calls.

When a call is recorded, sensitive customer information such as the credit card number and the card security code (CSC) is also recorded. Recording that financial information violates the PCI Security Standards Council's recommendations for call centers. Implementing a PCI DSS compliant call recording system can help lighten this burden.


PCI Compliance with Call Recording

Within the area of call recording, there are two basic aspects related to PCI compliance:

  • Information that CAN be recorded:
    • Without encryption, only the customer’s name, the card’s service code and the credit card expiration date may be recorded.
    • With encryption, the credit card number itself may be recorded.
  • Information that CANNOT be recorded under any circumstances: the magnetic stripe data, the card security code (also known as the card verification code) and the card PIN (which should never even be requested).

Examples of PCI Compliance Practices for Customer Service

Imagine a real-life scenario. It’s a heavy volume call day. Maybe your CRM is down, yet calls continue to be taken. Orders still need to be taken and good customer service still needs to be provided. During the transaction, how should an agent record the credit card number for use later? The agent cannot write it down with pen on paper: it is neither encrypted nor secure. The agent cannot record the credit card information in a Word document either, for the same reason. What policies and procedures do you already have in place for handling sensitive customer financial information? Are they comprehensive enough?

There are a few simple yet effective ways to comply with the PCI Security Standards Council recommendations. Here are some examples of compliance policies you may want to add to your call center:

  • Adopt a whiteboard policy. Rather than using something permanent to record customer information (like a pen or a Word doc), consider adopting a whiteboard policy. All sensitive customer information is recorded on a whiteboard during the call, the transaction is conducted, and then the sensitive financial information is simply erased at the end of every shift.
  • Ban cell phones on the call center floor. Even the most encrypted system can fail if the CSR is able to record a customer’s information on their personal device or take a photo of the information for later use.

A few examples of standard methods of assuring PCI compliance with call recording:

  • Role-based security. Differentiate “roles” within your CRM with different levels of security based on a CSR’s or manager’s skill set. Being able to play back a call, for example, would only be something a supervisor or manager would be able to do.
  • Call recording redaction. There are two ways to handle call redaction: either at the time of the call at the CSR’s discretion, or after the call (although it will still require the CSR to flag when sensitive information is being relayed). Modern contact center solutions have call recording features that automatically mute when account numbers, security codes, and other sensitive information are gathered.
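As an added illustration (not code from this article or from any vendor it refers to), the Python sketch below applies the rule set from the two lists above to a flagged post-call transcript: a Luhn-checked card number is kept only in masked form (an assumption standing in for the encryption the article mentions), while a turn containing a security code or a PIN is muted in full and never stored. The transcript, keyword patterns and function names are all constructed for the example.

```python
import re

# Constructed sample transcript (not a real call). Turn 1 carries a PAN, which may be
# kept only in protected form; turns 5 and 6 carry a CSC and a PIN, never to be stored.
TRANSCRIPT = [
    ("agent", "Can I get the card number please?"),
    ("customer", "Sure, it is 4111 1111 1111 1111."),
    ("agent", "And the expiry date?"),
    ("customer", "It expires 09/27."),
    ("agent", "And the three digit security code on the back?"),
    ("customer", "The security code is 123."),
    ("customer", "Do you also need my PIN? It is 4321."),
]
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaced or dashed
CSC_RE = re.compile(r"\b(?:security code|cvv2?|cvc|cid)\b[^0-9]{0,20}\d{3,4}\b", re.I)
PIN_RE = re.compile(r"\bpin\b[^0-9]{0,20}\d{4,6}\b", re.I)

def luhn_ok(digits):
    # Luhn checksum weeds out phone or order numbers that happen to match PAN_RE
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_turn(text):
    events = []
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave as is
        events.append("PAN masked")
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]  # first 6 / last 4
    text = PAN_RE.sub(mask_pan, text)
    for name, rx in (("CSC", CSC_RE), ("PIN", PIN_RE)):
        if rx.search(text):  # mute the whole turn: this data is never stored
            events.append(name + " muted")
            return "[MUTED: %s never stored]" % name, events
    return text, events

def redact_transcript(turns):
    # Returns the storable transcript plus an audit log of what was redacted
    out, log = [], []
    for speaker, text in turns:
        red, ev = redact_turn(text)
        out.append((speaker, red))
        log.extend(speaker + ": " + e for e in ev)
    return out, log
```

The audit log records that a redaction happened without reproducing the redacted value, which is what a supervisor reviewing the recording later needs to see.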

What Does PCI Compliance Look Like For Your Call Center?

A plan to protect your customers’ sensitive financial information must be part of the overall operations of every call center. The right telecommunications partner can recommend a PCI compliant recording solution that best fits your business needs, as well as suggest how to develop and implement policies that promote customer security. Ultimately, it all contributes to the end goal of improving the customers’ journey.