Any business, whether it operates a formal call centre or not, has to take great care when processing sales over the telephone. The handling of all credit and debit card payments is regulated by the Payment Card Industry Data Security Standard (PCI DSS), which sets out strict rules on protecting private financial details.
Here’s a quick guide to what you need to know if you process credit and debit card payments by phone.
The PCI DSS was first introduced in 2004 in a bid to curb credit card fraud, and was last updated in 2016. The PCI represents not only the major card brands, but the banks which issue cards too. The standard itself places the responsibility for avoiding fraud onto merchants.
As far as call recording is concerned, there are particular sensitivities around the storage of private card details. To carry out card fraud, criminals need both the card number and CV2 security number, plus identifying information such as name and address. Since 2010, the standard has required businesses to make “best endeavours” to ensure the three-digit CV2 security numbers are not recorded, or are not identifiable on recordings.
How to block CV2 details
Since the rules on CV2 recording were spelt out, call recording platforms have introduced a number of different ways of excluding numbers from recordings.
Pause and resume
In the immediate aftermath of the 2010 PCI DSS update, often the only way businesses could block the recording of CV2 numbers was by manually pausing and unpausing call recorders when card details were given. Now many platforms use coding technology to automatically pause before CV2 numbers are read out, picking up on cues from the agent or customer.
Mute or mask
Another early manual solution was to go back through recordings afterwards and apply a filter which muted or masked the audio wherever a CV2 number was read out. This created a huge administrative burden, so software has since been developed which applies the filter automatically while the call is being recorded, using the same cue-detection technology as pause and resume.
Another solution that has arisen is to not have card details read out over the phone at all, but instead to have them keyed in on a telephone keypad. This overcomes the problem of card details being recorded altogether, and also in principle adds another layer of compliance because the agent does not hear the card details at all.
Issues with compliance
None of these approaches is 100 percent foolproof, and with manual techniques in particular there is always the risk of human error leaving you exposed to a breach. But even some of the automated systems raise issues. With pause and resume, for example, you lose track of what takes place on the call while recording is paused. Not only does this create holes if you are recording calls to monitor performance or service levels, it also creates a specific conflict with FCA regulations for the financial services industry, which require certain categories of call to be recorded for transparency purposes.
Even keypad number entry is not completely secure. Each phone key generates its own distinct pair of tones (DTMF), so if those tones end up on the recording it is still possible to work out a CV2 number from the key presses. More recent software has therefore introduced DTMF suppression technology to mask these tones.
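As an added illustration of what DTMF suppression does (example code written for this article, not taken from any call-recording product), the block below scans 8 kHz telephony audio in 20 ms frames, flags any frame in which one DTMF row tone and one column tone both dominate the energy, and replaces that frame with silence. It never decodes which key was pressed, and it returns the masked intervals so the recording keeps its full timeline and an audit trail of what was masked. The sample rate, frame length, energy threshold and the constructed test audio are all assumptions made here.

```python
import math

SAMPLE_RATE = 8000          # 8 kHz telephony audio (assumption)
FRAME = 160                 # 20 ms analysis frames
LOW_GROUP = (697, 770, 852, 941)        # DTMF row tones (Hz)
HIGH_GROUP = (1209, 1336, 1477, 1633)   # DTMF column tones (Hz)

def goertzel_power(frame, freq):
    """Energy at one target frequency (Goertzel algorithm, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_has_dtmf(frame, threshold=0.05):
    """A keypress is present when one row tone and one column tone each carry
    a large share of the frame's energy. The digit itself is never decoded."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:           # silence: nothing to mask
        return False
    share = lambda f: goertzel_power(frame, f) / (len(frame) * energy)
    return (max(share(f) for f in LOW_GROUP) > threshold
            and max(share(f) for f in HIGH_GROUP) > threshold)

def suppress_dtmf(samples):
    """Replace every frame containing a keypress with silence; return the
    masked audio and the masked intervals (seconds) for the audit trail."""
    out = list(samples)
    intervals = []
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        if not frame_has_dtmf(frame):
            continue
        out[start:start + len(frame)] = [0.0] * len(frame)
        t0, t1 = start / SAMPLE_RATE, (start + len(frame)) / SAMPLE_RATE
        if intervals and intervals[-1][1] == t0:
            intervals[-1] = (intervals[-1][0], t1)   # extend the open interval
        else:
            intervals.append((t0, t1))
    return out, intervals

def tone(freqs, seconds, amp):
    """Constructed test signal: a sum of sinusoids at the given frequencies."""
    n = int(seconds * SAMPLE_RATE)
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

# Constructed call audio: speech-like tones, a keypress, silence, another keypress.
CALL_AUDIO = (tone((220, 330), 0.5, 0.3) + tone((852, 1209), 0.2, 0.5)
              + tone((), 0.1, 0.0) + tone((941, 1477), 0.2, 0.5))
```

Masking rather than pausing keeps the rest of the call intact, which is what matters for the FCA recording conflict described above; the interval list is what a compliance reviewer would check.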
Is stopping the recording of CV2 numbers enough?
In a word, no. Although CV2 inevitably draws the most attention when it comes to call recording, PCI regulations go much further, covering how sensitive card data is handled by an organisation overall. For example, in 2015 TalkTalk was fined £400,000 under the DSS when hackers broke into its databases and made off with customers’ personal details, including credit card numbers. TalkTalk admitted it had breached PCI rules on how it stored and secured the data.
Aside from call recording, businesses have to ensure any and all personal financial details which enter the company system are properly protected. Even outside of technology, you could be in breach if a colleague jotted down a name and card number and then left it lying around. In terms of digital security, key measures include:
- Proper firewall protection and encryption of all customer and accounts databases
- Limiting access to sensitive data, through systems such as role-based permissions
- Physical security protocols restricting access to company records and servers etc.
Certification of compliance
Although it is not compulsory, the PCI recommends that any business processing credit card payments goes through a certification procedure to confirm it is compliant with the DSS. There are three ways businesses can be certified as compliant with the standards:
- Self-certification: This is only available to businesses which have never been found in breach of the DSS and generally handle small volumes of card transactions. It takes the form of a self-assessment questionnaire which is submitted to the company’s bank.
- Level 1 certification: This is earned via a qualified third party or internal assessor completing a Report on Compliance.
- Service Provider certification: Individuals, either working for a merchant or for a third party, can be certified to carry out compliance assessments on behalf of the PCI.
All certifications must be renewed annually. Although it does provide a recognised quality mark in the industry, certification does not protect you from penalties if you are found to be in breach.