If you're a call center and you sell anything, or even simply facilitate sales, you're probably storing personal financial data in the form of payment cards in your call center. Even if you're not storing the information, chances are you're inputting it somewhere. Chances are also good that if you record calls for quality, performance management and training purposes, the data is getting stored somewhere, even if only indirectly and even if you never intend to actually use the card data again. If you do this, then out of necessity, you must comply with the Payment Card Industry Data Security Standard (PCI DSS).
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that companies handling cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards must comply with. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls and security around cardholder data in order to reduce credit card fraud resulting from data loss or theft. Validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
To assure compliance, call centers that record telephone calls must adopt best practices that ensure that the company's call recording system eliminates capture of customer cardholder data from processing and storage. It's easier said than done, however. Contact centers are stumbling in finding ways to handle customer payment card transactions and in understanding how technical and architectural compliance assessments can determine how the call recording system may be removed from Payment Application Data Security Standards validation.
CallCopy will sponsor a Web event tomorrow titled, “Does Your Call Recording Comply with PCI Data Security Standards? Learn Best Practices for Secure Handling of Customer Payment Card Data.” The event will detail how a company's call recording system can be implemented not to be “payment aware” at any time and not qualify as a “payment application” according to the PCI Security Standards Council’s definition. When implemented as specified, a contact center's call recording will not negatively impact PCI DSS compliance and will ensure that customers’ payment card data are being handled securely.
Edited by Stefania Viscusi