Many organisations that use voice recordings throughout the Contact Centre do so because it's required for business reasons, such as agent training or confirmation of verbal contractual agreements that are carried out over the telephone channel when selling services.
Depending upon the transaction type, regulatory requirements to keep any recordings (for various periods of time) for playback apply. For companies, particularly within the financial services and retail sectors, additional requirements apply because, when purchase transactions are completed over the telephone using payment cards, certain data must be protected.
For organisations that are required to record telephone conversations and also take payment card details over the phone, the recording and storage of this data can become a PCI compliance problem.
Typically the call recording will record the entire conversation, including the Primary Account Number (PAN) and the three or four digit security code (CAV2, CVC2, CVV2 or CID). In addition to the issues around the call recordings, enhanced processes and procedures are required for all of the other phases involved in and across the initial call.
There are many things to be considered when recording a call containing cardholder information. It is important to quickly determine what data must be protected and for what length of time; depending upon what analytical tooling is in place within your business, the appropriate management and protection of this data is paramount. It is worth noting that some of the largest fraudulent activities that occur are often from within the organisation, so it's crucial to make sure that voice recording is looked at from both a technology and a user process perspective, as they go hand in hand.
Some things to think about
- Is a proper Security Awareness Training programme in place and being maintained?
- Have you developed and applied a set of PCI DSS compliant Policies?
- Are the call recordings stored securely?
- Is your network securely maintained and protected against attack?
- Do you maintain and secure a detailed set of auditable logs?
Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible as long as appropriate validation has been carried out. This includes the physical and logical protections outlined in PCI DSS that must still be applied to these call recording formats.
What this means:
Essentially, the Card Verification Value (CVV) must not be retained post authorisation. In any event, and only as a last resort, where a CVV is retained it should be held subject to additional security controls to meet the intent of the Standard, but always via a compensating control.
Before any such compensating control can be implemented it should be verified by a Qualified Security Assessor (QSA); in turn, approval must be obtained for the compensating control from the acquiring bank.
How can Host Merchant Service help you?
Host Merchant Service is a QSA providing a range of services and solutions that enable organizations to become and remain compliant with the standard. We have developed tailored packages to address the specific requirements of organizations who must comply with the requirements discussed in this document.