Ensuring you comply with the latest PCI DSS requirements is essential when recording telephone conversations if you are taking credit and debit card payments over the telephone.
With the launch of PCI DSS 4.0 in March 2024, businesses must ensure their payment systems and processes comply with updated standards when recording telephone calls involving credit and debit card payments. These new requirements introduce enhanced security measures and make it essential for organisations to adapt to the latest best practices.
Under PCI DSS 4.0, VoIP and SIP technologies in organisations are now in scope for compliance, including SIP trunks that control call redirection, as they pose interception risks. Even networks not directly involved in payment processes are included if they connect to environments handling cardholder data. Vidicode UK helps you with essential segmentation to maintain compliance.
To comply with PCI DSS 4.0 when recording telephone conversations for payment processing, you must:
PCI DSS applies universally to businesses handling payment card information, regardless of transaction volume, method (e.g., POS terminals, online forms, phone), or sector.
“NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.” Everton Stuart, MD
This includes businesses such as:
This underscores the relevance of PCI compliance to businesses of all sizes and industries, whether acquiring data via phone, website, or mobile app.
The consequences of non-compliance with PCI DSS can be severe:
Ensuring compliance protects not only your business but also your customers, fostering trust and security.
Achieving PCI compliance is more complex than purchasing an off-the-shelf solution. Compliance hinges not on the call recording solution but on its deployment and integration within existing processes and systems, making each case unique.
Common approaches that fall short of PCI Compliance include:
Some cloud-based telephone systems that include free call recording may not be able to pause recording during a call. If customers request their calls, the process of downloading from cloud storage may be non-compliant. Vidicode UK mitigates this problem with encrypted, secure storage in the cloud for as long as the customer requires.
Some voice recording solutions also require expensive add-ons such as CTI and TAPI licences to facilitate the PCI pause-recording feature. That’s not the case at Vidicode UK, where our Apresa call recording system provides users with a choice of four FREE options to ensure PCI compliance.
To ensure greater security and protection of any credit/debit card information stored, the Vidicode Apresa also includes:
Additional improvements include Voice Crunch AI Speech Analytics, which monitors keywords and guarantees that no unauthorised information regarding the customer’s payment card is disclosed.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that major credit card companies developed to help protect against fraud and data breaches.
One of the requirements of PCI DSS is handling and storing credit and debit card information securely. This is especially important when recording telephone calls if credit and debit card payments are taken over the telephone.
PCI DSS 4.0 introduces updated security standards aimed at providing even greater protection against data breaches. When recording calls where card payments are processed, it is critical to:
Encrypt sensitive information: Mask or remove credit card data such as card numbers, expiry dates, and CSC/CVV/CVC/CVN security codes
Restrict access to recordings: Implement strict access controls, ensuring only authorised personnel can review sensitive data
Secure networks and systems: Utilise advanced security measures like firewalls and intrusion detection to protect your infrastructure
Maintain clear policies and procedures: Establish detailed guidelines for handling sensitive information and responding to potential breaches
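One way to apply the "mask or remove" requirement to a transcribed call, as an added example that is not Vidicode's or Apresa's own code: it finds 12-to-19-digit sequences (with optional spaces or hyphens, as a caller reads a card aloud), keeps only those that pass the Luhn check used by payment card PANs, and masks all but the last four digits. The transcript line is constructed for the example.

```python
import re

# Candidate PAN: 12-19 digits, optionally separated by single spaces or hyphens,
# bounded so that a longer run of digits is not split into a fake match.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pans(text: str) -> tuple[str, int]:
    """Replace each Luhn-valid PAN in text with X's, keeping the last four digits.
    Returns the redacted text and the number of PANs masked (for audit logging)."""
    count = 0

    def _redact(m: re.Match) -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):  # order refs, phone numbers etc. are left alone
            return raw
        count += 1
        return "X" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_redact, text), count

# Constructed transcript line; 4111 1111 1111 1111 is a well-known Luhn-valid test number,
# and the order reference is a 16-digit string that fails Luhn.
SAMPLE_TRANSCRIPT = ("Caller: my card number is 4111 1111 1111 1111, expiry 12/27. "
                     "Agent: thanks, your order ref is 1234 5678 9012 3456.")

if __name__ == "__main__":
    redacted, n = mask_pans(SAMPLE_TRANSCRIPT)
    print(n, "PAN(s) masked:", redacted)
```

The same function can be run over speech-analytics output before it is stored, so the stored text never contains a full PAN even if the audio pause failed.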
PCI Compliance is categorised into four levels based on transaction volumes over 12 months:
Level 1 companies require yearly on-site reviews and network scans.
Levels 2-4 complete annual self-assessment questionnaires and quarterly network scans.
See how we helped home shopping channel JML with their PCI compliance in this
PCI DSS : Payment Card Industry Data Security Standard. The compliance standard for card payments
PAN: Primary Account Number. The 12-to-19-digit credit or debit card number
CVV: Card Verification Value. The 3-digit security code on the back of the credit or debit card
CSC: Card Security Code. The 3-digit security code on the back of the credit or debit card
CVN: Card Verification Number. The 3-digit security code on the back of the credit or debit card
CVC: Card Verification Code. The 3-digit security code on the back of the credit or debit card
CNP: Card Not Present. Where the physical credit or debit card is not present, for example on a phone call
DTMF: Dual-Tone Multi-Frequency. Tones that are generated on a phone keypad to mask
CTI: Computer Telephony Integration. The linking of a phone system with a computer system
TAPI: Telephony Application Programming Interface. Communicates information from a phone system, for example, by viewing data on incoming calls or indicating the status of extensions
Direct Marketing Association-PCI DSS Compliance as it relates to Call Recording