As we move towards PCI credit card compliance, I have been asked by our call centre to look at installing a recording function on the phone system (as many do). The problem is that card transactions are taken over these phone lines, which means people's card details are recorded along with the conversation, and these include the security code.
PCI says you can't store this data, so how can certain providers sell their products to call centres and say these recordings can be stored for any length of time unencrypted?
Regarding credit card data protection, it is a requirement of the Payment Card Industry's Data Security Standard (PCI DSS) that all records that contain the primary account number (PAN) and the CVV number (the 3-digit security code), if they are stored together (which they shouldn't be), must be encrypted. If the vendor that you've chosen doesn't produce an adequate product for that purpose, I suggest that you look for alternatives elsewhere.
Expert Alan Calder explains the security and compliance challenges for call centres that record telephone conversations and credit card details.