Achieving PCI Compliance with Call Recording
Engage Record software, together with Engage Desktop Analytics and Engage Encryption, can be used to automate PCI compliance for organizations with regulatory compliance requirements.
Phil is the Compliance Officer for a collections agency whose representatives collect payments on outstanding debts. To remain a competitive choice for his clients, Phil knows his team must be held to a very high standard for customer care. Providing convenient and prompt payment options is key, so Phil’s team accepts payments using debit or credit cards. Drawing on past experience, Phil knows that he can use call recording to achieve and maintain the quality of his team’s interactions. However, he also knows that when processing payment card transactions over the phone, he must take special measures to protect the cardholder information required to conduct these transactions.
The Payment Card Industry Data Security Standard (PCI DSS) does allow some payment card details to be recorded if the recording is encrypted; however, it prohibits the recording of the 3- or 4-digit Security Code printed on a credit card or the PIN from a debit card.
These details combine to create a conundrum for Phil. If he can’t record the calls, he will sacrifice the important benefit that call recording can provide. Yet he also knows that his organization could face stiff penalties if it fails to provide adequate protections for this data. Looking for a solution to this dilemma, Phil contacted his communications provider to examine his options. Phil’s provider suggested a conversation with the experts at TelStrat.
The TelStrat team explained the multiple options available in Engage WFO™ to prevent the recording of sensitive data, including the pros and cons of each. These include:
Manual Pause/Resume Recording
Engage Record offers on-demand recording, including the ability to pause and resume recording manually when needed during the call. While this option makes it possible to keep the specific information out of the recording, it places the burden of remembering to pause and resume on the person taking the credit card data. This approach is exposed to human error, especially in larger environments where oversight could be a burden. Phil decided against this option for his team to avoid exposing his compliance to the risk of human error. He also preferred to avoid giving this control to agents who might be tempted to abuse it.
Web Services API
Engage Record also provides a powerful Web Services API toolkit. For PCI compliance, this tool is often used to automate pause and resume functions on the recorder, but because Phil’s team uses a bank-hosted website to process these payments, this option was not practical.
Engage Desktop Analytics
Phil decided the best method available to avoid recording specific data was Engage Desktop Analytics (DA). DA is a custom application written by TelStrat to automate the pause and resume functionality for the recorder based on activities observed on the agent’s desktop. Using this option, the DA software can be set to pause the recording when the agent opens the bank’s website. When the agent finishes the transaction and navigates away from the processing web page, the recording resumes. This option allows Phil all the benefits of call recording while effectively managing PCI compliance.
Phil saw this as the option that provided the surest method to meet the PCI standard because the process is automatic and requires no programming by his firm. He simply had to determine the activity that would trigger the recording to be paused and resumed.