Pause Recording for PCI Compliance


PCI DSS Compliance in Telephone Call Recording: What You Need to Know

Credit/Debit card payments taken over the phone are subject to PCI DSS.

Ensuring you comply with the latest PCI DSS requirements is essential when recording telephone conversations if you are taking credit and debit card payments over the telephone.

With the launch of PCI DSS 4.0 in March 2024, businesses must ensure their payment systems and processes comply with updated standards when recording telephone calls involving credit and debit card payments. These new requirements introduce enhanced security measures and make it essential for organisations to adapt to the latest best practices. 

Under PCI DSS 4.0, VoIP and SIP technologies in organisations are now in scope for compliance, including SIP trunks that control call redirection, as they pose interception risks. Even networks not directly involved in payment processes are included if they connect to environments handling cardholder data. Vidicode UK helps you with essential segmentation to maintain compliance. 

Critical Requirements for PCI DSS Compliance 

To comply with PCI DSS 4.0 when recording telephone conversations for payment processing, you must: 

  • Protect cardholder data through encryption and masking sensitive information during calls 
  • Limit access to sensitive data through Multi Factor Authentication (MFA), which is crucial because it ensures only authorised personnel handle cardholder information 
  • Implement robust security measures including firewalls, intrusion detection systems, and other controls to safeguard recording systems 
  • Establish clear policies and procedures for handling, storing, and managing sensitive information to mitigate the risk of data breaches. Although PCI DSS 4.0 allows organisations to adopt a more customised approach to security, they will need to provide more robust documentation and validation to prove their controls are effective. Doing so helps protect your customers' sensitive information and minimises the risk of fraud and data breaches 

Which industries fall under PCI Compliance? 

PCI DSS applies universally to businesses handling payment card information, regardless of transaction volume, method (e.g., POS terminals, online forms, phone), or sector.

“NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.” Everton Stuart, MD 

This includes businesses such as: 

  • Travel & Transport: Booking holidays over the phone 
  • Leisure & Entertainment: Processing bets in the gaming industry 
  • Retail & E-commerce: Handling transactions via websites and mobile apps  

This underscores the relevance of PCI compliance to businesses of all sizes and industries, whether acquiring data via phone, website, or mobile app. 

Why PCI Compliance Matters and How It Affects Your Business 

The consequences of non-compliance with PCI DSS can be severe: 

  • Fines and penalties: Businesses can face significant fines from card schemes for failing to comply, potentially ranging from £3,500 to £250,000 per month 
  • Loss of ability to process payments: Non-compliant companies can be excluded from card acceptance programs and placed on the Terminated Merchant File (TMF), which is effectively a blacklist 
  • Reputational damage: A data breach can erode customer trust and damage your brand’s reputation, leading to loss of business and long-term revenue impacts 

Ensuring compliance protects not only your business but also your customers, fostering trust and security. 

Dispelling Common PCI Misconceptions 

Achieving PCI compliance is more complex than purchasing an off-the-shelf solution. Compliance hinges not on the call recording solution but on its deployment and integration within existing processes and systems, making each case unique. 

Common approaches that fall short of PCI Compliance include: 

  • Password protecting call recorders 
  • Encryption (only PAN can be retained encrypted, not sensitive authentication data) 
  • Audio masking (retains sensitive data during processing) 

Some cloud-based telephone systems that include free call recording may not be able to pause recording during a call. If customers request their calls, the process of downloading from cloud storage may be non-compliant. Vidicode UK mitigates this problem with encrypted, secure storage in the cloud for as long as the customer requires. 

How Vidicode UK helps you achieve PCI Compliance  

Some voice recording solutions also require expensive add-ons such as CTI and TAPI licences to facilitate the PCI pause recording feature. That’s not the case at Vidicode UK, where our Apresa call recording system provides users with a choice of four FREE options to ensure PCI compliance.

  • Manual DTMF: Protects cardholder data by masking it during input 
  • PC Application: Automatically ensures sensitive information is excluded 
  • Payment Page App Detection: Recognises when payment information is entered and takes appropriate actions 
  • Payment Page App URL: Identifies secure URLs during transactions and masks sensitive data 
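To make the difference between pausing and masking concrete, the following is an added example (not Apresa's or Vidicode's code): a recorder that pauses on an agent DTMF key so that nothing keyed or spoken during card entry ever reaches storage, and on resume keeps only a truncated PAN while the expiry and CVV (sensitive authentication data) are discarded rather than encrypted. The DTMF key layout, the event format and the sample call are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Assumed DTMF layout (constructed, not Apresa's): "*" toggles the recording pause,
# "#" separates the PAN, expiry and CVV fields keyed in while paused.
PAUSE_TOGGLE, FIELD_SEP = "*", "#"

def luhn_ok(digits: str) -> bool:
    """Luhn check: is this DTMF digit string a plausible PAN?"""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def truncate_pan(pan: str) -> str:
    """PCI DSS permits keeping at most the first 6 and last 4 PAN digits in the clear."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        return "[invalid PAN discarded]"
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class PausingRecorder:
    stored: list = field(default_factory=list)          # what reaches disk
    paused: bool = False
    fields: list = field(default_factory=lambda: [""])  # PAN, expiry, CVV while paused

    def feed(self, kind: str, value: str) -> None:
        if kind == "dtmf" and value == PAUSE_TOGGLE:
            if not self.paused:
                self.stored.append("[recording paused for card entry]")
            else:
                # Resume: keep a truncated PAN only; expiry and CVV are sensitive
                # authentication data and are dropped, never stored even encrypted.
                self.stored.append("[pan " + truncate_pan(self.fields[0]) + "]")
            self.paused, self.fields = not self.paused, [""]
        elif self.paused:                 # while paused nothing is written to disk
            if kind == "dtmf" and value == FIELD_SEP:
                self.fields.append("")
            elif kind == "dtmf" and value.isdigit():
                self.fields[-1] += value
        else:
            self.stored.append(value if kind == "audio" else "[dtmf " + value + "]")

def record(events) -> list:               # what a whole call leaves on disk
    rec = PausingRecorder()
    for kind, value in events:
        rec.feed(kind, value)
    return rec.stored

# Constructed sample call; 4111111111111111 is a published test PAN, not a live card.
SAMPLE_CALL = ([("audio", "Agent: I will take your card details now"), ("dtmf", "*")]
    + [("dtmf", d) for d in "4111111111111111#1227#123"]
    + [("audio", "Caller: the code is 123"), ("dtmf", "*"), ("audio", "Agent: thank you")])
```

Note that the caller's spoken "the code is 123" is dropped along with the keyed digits: an approach that stored it and masked it afterwards would still have retained sensitive authentication data during processing.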

To ensure greater security and protection of any credit/debit card information stored, the Vidicode Apresa also includes:

  • Comprehensive audit trails: Easily search and track recordings to ensure compliance 
  • Fingerprinting & encryption: Ensures the integrity and confidentiality of recordings 
  • Authenticated, restrictive user access: Limits access to sensitive recordings to authorised personnel only 
  • Multi Factor Authentication (MFA): Often referred to as two-factor authentication (2FA), MFA is an added security measure that requires users to clear additional barriers before they are granted access to a given account or asset 

Additional improvements include Voice Crunch AI Speech Analytics, which monitors keywords and guarantees that no unauthorised information regarding the customer’s payment card is disclosed. 

To see more about Apresa,

What is PCI DSS? : Requirements when recording calls 

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that major credit card companies developed to help protect against fraud and data breaches.

One of the requirements of PCI DSS is handling and storing credit and debit card information securely. This is especially important when recording telephone calls if credit and debit card payments are taken over the telephone.

PCI DSS 4.0 introduces updated security standards aimed at providing even greater protection against data breaches. When recording calls where card payments are processed, it is critical to: 

  • Encrypt sensitive information: Mask or remove credit card data such as numbers, expiry dates, and CSC/CVV/CVC/CVN codes 
  • Restrict access to recordings: Implement strict access controls, ensuring only authorised personnel can review sensitive data 
  • Secure networks and systems: Utilise advanced security measures like firewalls and intrusion detection to protect your infrastructure 
  • Maintain clear policies and procedures: Establish detailed guidelines for handling sensitive information and responding to potential breaches 

Understanding Levels of Compliance 

PCI Compliance is categorised into four levels based on transaction volumes over 12 months: 

  • Level 1: Over 6 million Visa/Mastercard transactions 
  • Level 2: 1-6 million Visa/Mastercard transactions 
  • Level 3: 20,000-1 million Visa/Mastercard e-commerce transactions 
  • Level 4: Less than 20,000 Visa/Mastercard e-commerce transactions or up to 1 million Visa/Mastercard transactions 

PCI DSS Compliance Requirements 

Level 1 companies require yearly on-site reviews and network scans.  

Levels 2-4 complete annual self-assessment questionnaires and quarterly network scans. 

Implications of Non-Compliance 

  • Monthly fines ranging from £3,500 to £250,000 
  • Withdrawal of merchant services, impacting revenue streams 
  • Loss of customer trust and confidence in data security 

For more information on Apresa’s FREE PCI DSS feature call 0203 4881498 or email enquiries@vidicodeuk.com

See how we helped home shopping channel JML with their PCI compliance in this

Glossary: Acronyms Explained 

PCI DSS : Payment Card Industry Data Security Standard. The compliance standard for card payments 

PAN:   Primary Account Number. The 12-to-19-digit credit or debit card number 

CVV:   Card Verification Value. The 3-digit security code on the back of the credit or debit card 

CSC:   Card Security Code. The 3-digit security code on the back of the credit or debit card 

CVN:   Card Verification Number. The 3-digit security code on the back of the credit or debit card 

CVC:   Card Verification Code. The 3-digit security code on the back of the credit or debit card 

CNP:   Card Not Present. Where the physical credit or debit card is not present on a phone call 

DTMF:   Dual-Tone Multi-Frequency. Tones that are generated on a phone keypad to mask  

CTI:   Computer Telephony Integration. The linking of a phone system with a computer system 

TAPI:   Telephony Application Programming Interface. Communicates information from a phone system, for example, by viewing data on incoming calls or indicating the status of extensions 

Important Links

PCI 4.0 Resource Hub 

Direct Marketing Association-PCI DSS Compliance as it relates to Call Recording     

Multifactor Authentication 
