Do you take credit card payments over the phone?
If your company takes credit card payments over the phone, you will have signed an agreement with your card provider. Under this agreement, you are required to comply with a set of security standards defined by the Payment Card Industry (PCI) Security Standards Council. This organisation was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
What does the PCI security policy say about storing credit card security numbers?
The PCI security requirements for processing credit cards state that the 3- or 4-digit credit-card verification number on the back of the card (often called CVC2/CVV2 or CID) is not allowed to be stored in any form. This is an excerpt from the PCI Data Security Standard:
Data Element                      Storage Permitted?
--------------------------------  ------------------
Cardholder Data
  Primary Account Number (PAN)    YES
  Cardholder Name                 YES
  Service Code                    YES
  Expiration Date                 YES
Sensitive Authentication Data**
  Full Magnetic Stripe            NO
  CVC2/CVV2/CID                   NO
  PIN / PIN Block                 NO
** Sensitive authentication data must not be stored subsequent
   to authorization (even if encrypted).
(Source: PCI Data Security Standard v1.1 Sep 2006, available online at https://www.pcisecuritystandards.org/)
In addition, the PCI Security Standards Council has stated that “the PCI Data Security Standard applies to all cardholder data that is stored, processed, or transmitted, regardless of the capture or storage mechanism” (Source: PCI SSC communication direct to Veritape, complete copy available on request.)
But what about storing the details in audio format?
The security codes can’t be stored in any format. So what happens if you’re recording your telephone calls? If those recordings capture the security code, you are breaking your agreement with your card provider and the PCI security requirements.
What can happen if we are not compliant with the PCI security requirements?
Your card provider can temporarily or permanently withdraw your ability to take credit card payments for your products and services.
So how do I configure my call recording system so that it doesn’t record the credit card security codes?
If you are not using a software-based call recording system, you are most likely unable to do this.
Why does my existing call recording system prevent me from disabling recording while the customer reads the credit card security code?
The short answer is that most call recording systems record ‘trunkside’. This means that all calls in and out of your building are recorded at the point they enter/leave your building. By default, your calls are recorded (which is good), but you have almost no control over which calls (or which part of your calls) are recorded (which is bad).
So what can I do?
You want to record your phone calls, but you don’t want to record the sensitive portions of your credit card transactions. You need to use a software recording system which gives you complete control over all aspects of your recording.
You need Veritape call recording, and in particular, the Veritape Call Tagging module.
Veritape Call Tagging is a simple, easy method for ensuring that the sensitive portions of conversations, including credit card security details, are simply not recorded. Many companies, such as those in telesales, wish to only record part of a conversation. This is particularly useful if:
- you only want to capture the financial details of a transaction (like credit card details, etc), and not the ‘sales pitch’ beforehand
- you want to NOT record sensitive details of a conversation, such as credit-card security details or medical information
- you only want to record the customer giving verbal authorisation for a transaction
- you only want to record details of an appointment arranged for a salesperson, to email to the salesperson
By using Veritape Call Tagging, you can easily link your existing scripting or CRM package with Veritape CallCentre to ensure that only the relevant portions of calls are recorded. This will then happen every time, automatically, and your Agents will not be required to do anything.
Veritape Call Tagging will improve your compliance, allow you to more fully comply with credit card payment security standards, and improve your customers’ peace of mind.
