July 19, 2013 - According to a recent best practice guide on 'How to Ensure PCI DSS Compliance' released by call recording specialists Business Systems, there is still a lot of confusion in the market about the implications for PCI compliance when recording calls.
Any organisation taking sensitive data from a customer, in particular credit or debit card details has a duty to ensure they are taking every step possible to protect customers and their data from fraudulent use and identity theft and this obviously extends into data captured in recorded calls.
In 2012, according to the Financial Fraud Action (FFA UK) website, credit card fraud rose in the UK to £388m up 14% on 2011. Within this figure £32.1m was associated with Card ID theft, a staggering 42% increase on the previous year. As a result, organisations are increasingly being put under the spotlight and fines being issued where breaches in compliance are uncovered.
The Payment Card Industry Data Security Standard (PCI DSS) applies to anyone taking credit/debit card payments in-person, over the internet or by telephone. Yet in the UK, some organisations have still not yet put in place the necessary technology, processes and procedures to ensure full compliance. The main reasons cited for this failure to comply are: (i) they do not fully understand their obligations under PCI DSS or (ii) they wrongly assume the steps required for compliance to be too complex and costly.
The Business Systems best practice guide aims to provide an easy to follow, digestible and practical guide to what PCI Compliance means, the different options for compliant call recording, the pros and cons of these options and a proven approach to help protect organisations and their customers. It goes on to identify some of the common mistakes organisations make when attempting to implement a PCI compliant call recording solution but also highlights the importance of building a solution which does not detract from the overall customer experience.
Atiq Rehman, Consultancy and Training Manager at Business Systems concludes "Performing the development required to make your recording platform PCI compliant can be a daunting and lengthy process. It's important to work with suppliers who can provide comprehensive end-to-end testing to validate that you are no longer capturing or storing payment details and that there are no exceptions. The more experienced providers should be able to achieve this whilst minimising disruption to your current payment process handling infrastructure."