PCI Compliance Best Practices for Call Recording and Transcription

A woman is looking at her credit card while on her phone, sat at a desk next to a computer
Filed under - Industry Insights,

CallMiner share their top tips for PCI compliance in regard to call recordings and transcriptions.

PCI compliance call recording and transcription refers to the requirements set in the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of strict regulations created to protect private financial information and prevent credit card fraud. To thwart would-be fraudulent activity, both the card number itself and the CV2 security number must be hidden and protected by any entity which receives and stores the numbers in any way.

There are many organisations which, for one or more reasons, collect credit card numbers over the phone. These phone calls are often kept for many reasons, including:

  • Protection against liability
  • To ensure the quality of customer service
  • To train and evaluate call centre staff

The strongest reason companies record and/or transcribe calls is that it’s often required by government entities. However, in order to be compliant with the PCI DSS, the CV2 security number on the back of most credit cards must not be included in audio or transcribed conversations. The primary reason this number should not be included is that both the account number and the CV2 are required for criminal use of a stolen card.

Methods for Ensuring PCI Call Recording & Transcription Compliance

There are two primary categories that offer solutions to the issue of PCI compliance in the call centre — manual and software solutions.

Manual Filtration

Manually filtering recordings and transcripts is a process that takes place after the call has happened. A representative of the company changes or covers the audio when a CV2 number has been mentioned. This method is obviously burdensome, but it is also unreliable in many cases.

Pause Recordings

A more effective strategy for PCI DSS compliance is to keep credit card information from ever being recorded in the first place. Before the conversation comes to a point where these details are said, the representative pauses the recording and resumes it once details have been entered. A potential drawback of manually pausing is that part of a conversation could be missed if the representative fails to resume recording.

With the advancements of computer technology, software solutions are available to automatically pause recordings when private information is shared during calls. Predictive algorithms listen for certain words and phrases in order to know exactly when to pause the call.


One of the most streamlined and sophisticated methods for maintaining PCI compliance is to use a redact solution. The redact is triggered when the system identifies sensitive data (such as credit card numbers) and it then replaces that data with the word “redacted” in text transcripts and a silence block in audio calls.

By removing all sensitive data without sacrificing the context of conversations, companies can get the full benefits of customer engagement and speech analytics solutions to boost customer service and agent performance while simultaneously maintaining compliance.

Caller Entry

Some organisations opt to remove the need for screening, pausing or augmentation of recordings by allowing cardholders to input their own private information. The caller dials the card numbers using the keypad on the phone, eliminating the potential for breach. There are still potential issues, including the different tones certain telephones produce for each number.

The Broader PCI DSS Focus

Call recordings and transcriptions are only a part of the requirements listed on the PCI DSS. Holistic policies and full compliance should be the aim of every organisation under the authority of these guidelines. There are 12 individual requirements listed in the PCI DSS.

Some more notable of the 12 include:

  • Create and maintain a secure network
  • Restrict access to cardholder information only to those who “need to know”
  • Encrypt data when it is digitally transferred on public networks

Penalties for Non-Compliance

Transgressing the PCI DSS will likely mean fines, but how these fines are handled gets a bit tricky. Typically, it’s banks that are fined for non-compliance, and fines range from $5,000 to $100,000 per month.

However, according to PCIComplianceGuide.org: “The banks will most likely pass this fine along until it eventually hits the merchant.”

After fines have found their way to merchants, the banks often change their relationship with said merchant. Depending on the severity of the problem, the bank could terminate any relationship or raise fees. Any of these actions can be detrimental to businesses with non-compliance issues.

The Need to Implement or Improve PCI Call Recording & Transcription Compliance

According to one Verizon study from 2017, 4 out of 5 businesses are not payment compliant. Lack of compliance puts businesses at an incredible risk. The average cost of a data breach is $3.62 million dollars, but with proper measures these costs have been shown to reduce dramatically.

For example, one of the PCI DSS requirements is to encrypt payment details. While breaches and data loss could occur regardless of preparations, proper encryption could remove nearly $400,000 from the average cost of a breach, according to IBM Security.

Compliance is as sensible as it is necessary. It’s vital to carefully review the standards required by all security regulations. And when choosing solutions for your call recording and transcription, ensure security is a priority. These steps will save potential fines, better protect customers and reduce the damage in the event of data loss.

Expert PCI Compliance Tips & Best Practices

Looking for expert advice and strategies for maintaining PCI compliance? Below, we’ve rounded up 17 tips and best practices for PCI compliance from industry and regulatory experts.

1. Look at the bigger PCI compliance picture

“The activities you’ll incorporate can vary depending on your PCI DSS scope, but some examples include scope validation, segmentation checks, bi-annual firewall reviews, active logging and monitoring, vulnerability scans, security awareness training, and policy and procedure updates.”

– Brand Barney, The Secret to Smooth PCI Compliance, PCIComplianceGuide.org

2. Double-check that your entire network’s security system is adhering to the regulations

“It’s also critical to ensure an entire network system is compliant with PCI guidelines. This begins with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from unsafe networks and hosts should be restricted, and there should never be any direct access between any network component containing cardholder data and the internet.”

– Scott Kendrick, 10 Keys to PCI Compliance in the Contact Centre, Contact-Centres.com

3. Expand your call recording practices

“First, establish a plan and policy to record audio calls beyond simple client transactions. This should cover expanded regulatory expectations and, more importantly, best practices for audio recordings when business, products, and offers are discussed.”

“Recording enough calls and call types helps avoid providing a guided path to malfeasance and conduct risk. This sets the expectation within your organization that there is compliance monitoring and there isn’t a loophole to avoid recording.”

Theta Lake, Financial Services Compliance: Best Practices for Audio Recording Supervision, HubSpot

4. Ensure that your vendors are supportive and compliance-minded

“The best way to narrow down your search for PCI-compliant service providers is to check their PCI data security standards (PCI-DSS) compliance status. This method ensures that they have the internal security controls in place required by the PCI Data Security Standards Council (PCI-SSC).

“The PCI-DSS is a global standard that was adopted by all payment card brands to apply to service providers and is set by the PCI-SSC. To meet compliance, a service provider must have the following goals for their internal controls.

    • Create and maintain secure networks
    • Protect cardholder data when in storage, and during transmission through public networks by using encryption methods
    • Have a vulnerability management program to protect software programs, systems and applications
    • Apply strong access control measures to prevent unauthorised employee access
    • Monitor secure networks to track access to cardholder data and regularly test security systems
    • Develop and maintain an information security policy for all your employees

A reliable service provider who is dedicated to maintaining PCI compliance will have undergone a PCI assessment and security validation.”

– Joseph DeRose, Experts Tips on How to Select a PCI-Compliant Service Provider, I.S. Partners

5. Ensure that you are operating under the correct understanding of PCI compliance for your contact centre

“The impact of PCI DSS has been far-reaching, and its goal to minimise payment card data loss (malicious or otherwise) from merchant and service provider environments is becoming a reality. For all merchants and service providers, this requires appropriate measures to protect any systems that store, process and/or transmit cardholder data.”

“This impacts call recording management and storage, and control of the agent/caller interface within the physical call centre space. The PCI SSC produced this Information Supplement to clarify the PCI DSS requirements on voice recordings, to provide some best practices, and to promote consistency among merchants, service providers and the assessor community.”

– Information Supplement: Protecting Telephone-Based Payment Card Data, PCI Security Standards Council

6. Map data flow and practise transparency at every step of the payment process

“Requirement 3 of PCI DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organisations must therefore map their data flow and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.”

– Andrada Coos, 5 Best Practices for PCI DDS Compliance, Endpoint Protector Blog

7. Take the necessary steps to guarantee the security of all of your servers

“Even if credit card data passes through your self-hosted (i.e. non-SaaS) e-commerce platform, you are still on the hook for ensuring that any related servers you control (be it your database server, PoS system software, credit card processing terminal, utility server or internet application server) are sufficiently secure and compliant.”

– Jon C. Marsella, Everything You Need to Know About Achieving PCI Compliance, BigCommerce

8. Train agents thoroughly on everything compliance-related and integrate PCI best practices into their scripts

“Make sure that all call centre agents understand the rules and regulations specified in the PCI DSS policies for call centres. Provide remote agents with continuous training focused on PCI DSS compliance and measure their progress over time.”

– Implementing Complying PCI DDS to Offshore Call Centres, Global Outsourcing

9. Implement role-based security log-ins

“In any contact centre environment, agent and supervisor desktops should have role-based log-ins to limit the number of staff exposed to sensitive data and ensure individual staff members only have access to what they need to do their job.”

– Scott Kendrick, 5 Keys to PCI Compliance in the Call Center, CallMiner

10. Meet all PCI DSS employee background check requirements

“The PCI DSS requires (via Requirement 12.7) that a background check be performed on any prospective employee who will have access to cardholder data or the cardholder data environment. Background checks are also recommended (but not required) for employees who only have access to one card number at a time when facilitating a transaction, such as store cashiers.”

“Background checks can include verification of previous employment history, criminal record, credit history and reference checks. The PCI DSS does not specifically say you have to do all of these things, only that you ensure background checks are completed prior to hire and that you conduct the background checks ‘within the constraints of local laws.’”

– Dwain Wright, What Does the PCI DSS Say About Employee Background Checks?, PCIComplianceGuide.org

11. Document all updates and protocol changes

“Once you have the needed documentation, it is important to keep it updated. Companies should document all changes to the security environment throughout the year. It may be helpful to schedule monthly time on your calendar to create updates based on agent and management feedback. This information will be very helpful during your annual PCI compliance review.”

– Shelby Farris, PCI Compliance: What It Is and How Call Centers Achieve Compliance, Customer Think

12. Obtain a certificate of compliance

“If you are verified as having passed the requirements, then you can obtain a certificate of compliance from an approved acquirer. The annual self-assessment is just one part of the test for PCI DSS compliance. For most of us, that self-assessment questionnaire is enough, but if you are processing a high volume of transactions then you may need to conduct quarterly vulnerability scans.”

– Cari Strauss, What Is PCI DDS Compliance (Payment Card Industry Data Security Standard compliance) and What Do You Need to Know?, Fee Fighters

13. Understand not only what data you must protect but where it exists and through what channels it’s transmitted

“Most critically, you need to understand how your people and processes deal with credit card information. Not just at the 60,000 foot high level about what is supposed to happen, but what actually happens.”

“You also need to understand what technologies are in play and what components see the data. A seemingly simple change such as from old-fashioned analogue telephony to VoIP or from a fax to a fax server can have a huge impact on your compliance footprint.”

“Lastly, you need to understand the data itself. In a call centre context, cardholder (and sensitive authorisation) data include the primary account number (PAN), security validation codes, and PINs, regardless of the form or media type.”

“Digitised voice, voice recordings, recordings of IVR/DTMF tones, images, videos, text data, and hard copy all must be protected.”

– Call Centers and PCI Compliance: Things You Need to Know, Control Gap

14. Narrow your PCI scope

“Looking at the matter internally, you will want to narrow that scope to the smallest footprint possible (realistically and in keeping with the PCI DSS guidance). The key to reducing scope is having fewer places that process the sensitive elements of the consumer’s information and fewer connections to external processes or technical environments.”

“This simplifies your compliance efforts and lowers your ‘attack profile’ from the perspective of your security teams. In many ways, this goes back to the basics of consumer privacy. Don’t collect the data if it isn’t necessary… and if you do, take care of it in the proper manner.”

“This can be a bit of effort up front, both for the business and for the IT organisation, but it will be worth it, not just for compliance and peace of mind, but because it also simplifies your operation in the process, producing fewer moving parts that could go awry throughout the course of daily business.”

– Chris Conner, Customer Data Security Part 2: What You Need to Know About PCI Compliance, Astute

15. Give agents answers for real-life consequences for PCI non-compliance

“Since compliance is complex, invest in teaching your agents the rules (based on what your particular compliance issues may be). Your training programme should include written standards for call agents, explaining handling ‘personal identifiable’ information (credit card numbers, social security numbers, birth dates, addresses, etc.).”

“For example, if you take credit information on calls, it is against PCI DSS standards to EVER store the CVV2 number. If you’re recording calls, you must programmatically or manually stop voice recording when the customer provides the CVV2.”

– Best Practices for Call Recording in Call Centers, Ricochet360

16. Give managers a system to police their agents

“Call centres have become the hub of service. Maintaining customer satisfaction is job one, yet customer satisfaction is not something easily measured. Most call centres create agent call centre KPIs to assure that standards of behaviour are met.”

“Indicators are measured numerically and objectively – number of calls answered, minutes of customer hold time, one-time resolution ration, etc.  These metrics can be measured by the phone systems or call centre solutions – with or without recording the actual customer interaction.”

“As service has become more complicated, so have the ways in which we measure service. An often-used subjective measure of ‘quality of service’ is call scoring.  Call scoring for quality assurance can work one of two ways:

  • Random Audit Live Call Scoring: A supervisor or service coach randomly audits live calls and scores in real time, providing immediate feedback to the agent.
  • Call Recording & Scoring: The service agent’s call is recorded, then listened to and scored by the supervisor at a more convenient time.  With call recording, there is the added benefit of having the customer interaction available for recall should a customer concern arise at a later date.  This is becoming a more common business practice today. We’ve all heard the phrase ‘This call is being recorded for quality assurance’…”

– Matt Pingatore, PCI Compliance in the Age of the Recorded Call, Packet Fusion

17. Ensure that all phone systems are PCI-compliant

“Under the rules from the PCI Security Standards Council, recorded phone calls are subject to the same rules as all other types of records that store customer data. If your business records customer phone calls, make sure that there is a way to redact credit card information. In some cases, a customer service representative will need to manually pause recording so that credit card numbers are not recorded and stored. In others, your CRM system will automatically pause so that the credit card number is protected.”

– Joseph DeRose, A Guide to Keeping Phone Orders PCI Compliant, I.S. Partners

This blog post has been re-published by kind permission of CallMiner – View the Original Article

For more information about CallMiner - visit the CallMiner Website

About CallMiner

CallMiner CallMiner is the leading cloud-based customer interaction analytics solution for extracting business intelligence and improving agent performance across all contact channels.

Find out more about CallMiner

Call Centre Helper is not responsible for the content of these guest blog posts. The opinions expressed in this article are those of the author, and do not necessarily reflect those of Call Centre Helper.

Author: CallMiner

Published On: 24th Apr 2019 - Last modified: 30th Apr 2019
Read more about - Industry Insights,

Follow Us on LinkedIn

Recommended Articles

Close up of credit card and lock
An Introduction to… PCI Compliance
PCI - Payment Card Industry acronym in neon lights
The Ultimate Guide to PCI Compliance
Compliance. Chart with keywords and icons on yellow background
How to Ensure Call Centre PCI Compliance
PCI DSS and Call Recording