Recorded Calls Must Be PCI Compliant
Compliance, by definition, is not optional. In some instances, compliance can feel like a nuisance, an unnecessary set of regulations that stand in between you and simple business with your customers. PCI compliance, however, is quite necessary because it protects data that should never be exposed.
The Payment Card Industry Data Security Standard (PCI DSS) sets the standard for how businesses handle credit card numbers, especially when it comes to how they are stored. For the same reason that we keep our credit card numbers concealed in our pockets and purses, PCI compliance mandates that companies must hide these numbers from the prying eyes of would-be cyber thieves.
Let’s look at PCI compliance in call recording and talk about how to efficiently build the process of “masking” into our business practices.
Call Recordings Are Vulnerable to PCI Theft
If we think about how credit card numbers are used, we get an accurate view of when and why they are vulnerable. There’s a good reason that when you speak your credit card number over the phone, a well-trained call agent on the other side will not repeat all of the digits back to you: others could be listening.
If you’ve ever watched somebody have to input a credit card number manually, there’s a good reason they didn’t write it down on a nearby piece of paper: others could be watching.
And so, there’s an excellent reason that companies should remove credit card numbers from call recordings. Even when your calls are locked up with 256-bit military-grade encryption, there’s another entry point for cybercriminals: from within the company that took your credit card information.
Your call was recorded for (say it with me) “quality and training purposes,” which means that one of your supervisors will potentially have to listen to that call to grade it. That supervisor, or anyone nearby listening, will hear the credit card number being spoken during the call.
And if your supervisor skips the call audio and simply reads the transcript, an unprotected number may be printed on screen or paper. That’s why numbers need to be “masked” before anyone accesses the call recording.
PCI Masking, aka Redaction
Masking, also known as redaction, removes data segments from media to protect them from view. Your customer recordings should all have credit card numbers removed from them before anyone can review or transmit them. Encrypted recordings are safe from external thievery, but we are talking about what happens inside a company, not in the data center where the recording is stored.
Once a credit card number has been used for a transaction, there’s no reason for it to exist on that recording anymore. Even in a dispute, recordings typically contain ample information for identifying the customer and company.
The most effective form of redaction is to silence the portion of the call audio in which the number is spoken; this is what “masking” means. In many instances, the recording itself is not altered; instead, the credit card segment is locked so that nobody, even within the company, can access it.
Businesses Are Vulnerable to PCI Lawsuits
Your customers trust you, and the way the law sees it, that trust is your responsibility. As a regulation, PCI DSS was instituted by the major credit card companies working with The Payment Card Industry Security Standards Council.
This was their way of holding businesses accountable for lax business practices regarding credit cards. Translation: credit card companies will sue your business for PCI violations that result in customer data exposure, but the buck doesn’t stop there.
PCI violations can be astoundingly expensive because three different parties can pursue legal action against you when they occur. The credit card company and the exposed customers can sue you. After that, the government can fine you.
Fines run from $5K to $100K and continue every month until your business is compliant, and that doesn’t include legal fees and lawsuits. There’s no greater financial gift to your legal representation than shrugging off your PCI compliance requirements.
Solve The Problem: PCI Compliance for Call Recordings
Credit card numbers exist in multiple media formats across most companies, and cyber thieves love an easy target. Call recordings and their text transcriptions are a gold mine to these criminals when a company leaves them unredacted.
But your company fields hundreds if not thousands of customer calls with credit cards every single day. Do you have to hire a team of people to scratch the credit card numbers out of every single recording and transcript?
Use AI for PCI Compliance on Your Call Recordings
It’s time to put modern speech recognition to work for you. The system you use to record calls is the best solution for managing your PCI compliance because it can eliminate credit card numbers from the recording before anyone reviews the file. That is, of course, if your call recording platform can successfully auto-mask PCI information in your calls.
In some instances, a call platform requires manual input from a user to mask PCI data. However, the upside of both scenarios is that your call records are no longer hunting grounds for data criminals, which protects your customers and protects your company.
While we’re at it, if your call recording platform can detect credit card information, it should be able to recognize any string of numbers, including National Insurance IDs, Social Security numbers, account numbers, addresses, phone numbers, and so on.
There’s little reason to keep these numbers in your recordings and transcripts as they are typically stored securely in the master account file for each customer. It makes good sense to eliminate these numbers from recordings and transcripts as they can also be exploited by a clever thief.
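As an added illustration of the masking step described under “PCI Masking” and the automatic detection described in this section (example code, not the article’s or any call-recording vendor’s), the following Python takes word-level speech-to-text output, joins runs of spoken or numeric digit tokens, keeps only runs of 13 to 19 digits that pass the Luhn check so order numbers are not over-redacted, replaces them in the transcript, and returns the audio interval to silence. The `(word, start, end)` tuple format and the sample transcript are assumptions constructed for the example.

```python
import re

# Spoken digit words as a word-level speech-to-text engine emits them (constructed mapping).
DIGIT_WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: a real PAN passes, most order or ticket numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def token_digits(tok):
    """Digits carried by one transcript token, or None if the token is not numeric."""
    t = tok.lower().strip(".,")
    if t in DIGIT_WORDS:
        return DIGIT_WORDS[t]
    return t if re.fullmatch(r"\d+", t) else None

def redact_transcript(words):
    """words: (text, start_sec, end_sec) tuples (assumed STT output format).
    Returns the redacted word list and the audio intervals that must be silenced."""
    out, intervals, i = [], [], 0
    while i < len(words):
        j, digits = i, ""
        while j < len(words) and token_digits(words[j][0]) is not None:
            digits += token_digits(words[j][0])   # accumulate the whole numeric run
            j += 1
        if j == i:                                 # ordinary word: keep it
            out.append(words[i]); i += 1; continue
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            span = (words[i][1], words[j - 1][2])  # first digit start .. last digit end
            out.append(("[PAN REDACTED]", *span))
            intervals.append(span)
        else:                                      # numeric run that is not a card number
            out.extend(words[i:j])                 # (runs over 19 digits need sub-window scanning)
        i = j
    return out, intervals

# Constructed word-level transcript of an agent call; times are seconds into the recording.
SAMPLE = [("order", 0.0, 0.3), ("1234567890123", 0.4, 1.5), ("card", 1.6, 1.9), ("is", 1.9, 2.0),
          ("four", 2.2, 2.4), ("one", 2.4, 2.6), ("one", 2.6, 2.8), ("one", 2.8, 3.0),
          ("1111", 3.1, 3.8), ("1111", 3.9, 4.6), ("1111", 4.7, 5.4),
          ("expires", 5.6, 6.0), ("twelve", 6.0, 6.3), ("twenty", 6.3, 6.6), ("five", 6.6, 6.8)]
```

The returned intervals are what the recording platform would hand to its audio pipeline to overwrite with silence, while the redacted word list is what a supervisor reading the transcript sees.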
Become PCI Compliant Now
PCI compliance is one of the most widespread regulations companies face, and yet so many businesses don’t have a plan or practices in place to be PCI compliant. The costs and risks associated with PCI data exposure are far too significant for any company to ignore. The good news is that modern call recording platforms provide cost-effective, time-saving applications that bring companies into PCI compliance with relative ease.