Call recording and transcription: Achieving PCI compliance


Few things are scarier for a business owner than hearing their customers’ data and credit card information has been exposed to bad actors.

According to the Identity Theft Resource Center (ITRC), a mere 1,108 data breaches were responsible for the exposure of over 3.5 million individuals’ personal information in 2020 — including sensitive information such as credit card details.

One often overlooked security risk is customer data found in recorded calls and transcriptions. To protect cardholder data, businesses need to understand and implement proper call recording and transcription practices or risk dangerous security breaches and hefty fines.

PCI compliance in call recording and transcription

If your business or contact center accepts or processes card payments over the phone and stores those details locally or in a data center, you are required to follow the Payment Card Industry Data Security Standard (PCI DSS).

Founded in 2006, the PCI Security Standards Council (PCI SSC) created the PCI DSS to help businesses and vendors improve their cybersecurity and create a safer global network for credit and debit card payments. The PCI DSS comprises 12 requirements, each focused on increasing security and reducing the risk of data breaches.

[Image: CallRail PCI Compliance Checklist. Source: CallRail PCI Compliance Checklist]

Every company accepting and processing card payments needs to abide by these standards. However, the frequency of PCI compliance checks required of an individual business depends on how many transactions they process per year. Businesses fall into one of four tiers, with Tier 1 requiring the most rigorous and expensive PCI compliance checks and measures:

  • Tier 1: Merchants processing over 6 million transactions per year, or any merchant that has experienced a security or data breach
  • Tier 2: Merchants processing 1 to 6 million transactions per year
  • Tier 3: Merchants processing 20,000 to 1 million transactions per year
  • Tier 4: Merchants processing fewer than 20,000 transactions per year

Because call recordings and transcriptions can often contain cardholder data — such as credit card numbers and CV2 codes — they fall under the PCI DSS and require enhanced security on the part of the business or vendor. Failure to comply not only increases the risk of a security breach but can also result in fines and long-lasting consequences.


Penalties for non-compliance

The PCI non-compliance fee can range from $5,000 to $100,000 per month, depending on the following factors:

  • The number of transactions your business processes per year,
  • The size of your business,
  • And how long your company has been out of PCI compliance.

However, the initial fine may only be the tip of the iceberg for businesses that have experienced a security breach.

For example, let’s say a business reports a data breach that has exposed its cardholders’ data. Its payment processing company will go to the bank and investigate records to check how long the business has been operating out of PCI compliance. The payment company will then issue the appropriate fine to the bank, which passes it on to the business as a monthly fine until the business is PCI compliant. Depending on the severity of the breach, achieving PCI compliance can take up to two years, with the monthly penalty increasing in value depending on the bank or payment processor.

The higher cost of a data breach usually occurs after the fine is established. The business will then have to pay for the investigation, compensate affected customers, handle potential lawsuits, and immediately be placed in Tier 1 — requiring costly PCI DSS verification audits and security updates. Additionally, if the violation is severe enough and not remedied effectively, banks and payment processors may terminate their relationship with the business and prevent it from accepting card payments in the future.

While larger businesses may weather the storm of fines and security system updates, small businesses that experience a data breach may never recover financial viability and have to close their doors.


How to ensure PCI compliance in your call recording and transcription

Several methods are available to protect your customers’ confidential information in your call recordings and transcriptions. No matter which way you choose, you must protect the following details to remain PCI compliant:

  • Credit card number
  • CV2 code
  • Billing ZIP code

Erase cardholder information manually

The most straightforward method of protecting sensitive information in call recordings and transcriptions is to manually revisit each call and erase or cover over sections where the customer provides their credit card details. However, depending on how many calls your business or call center receives, this method is the most time-intensive and prone to human error.

Pause the recording

This second method involves pausing the recording before the customer provides their cardholder information, then resuming the recording once they have finished speaking. While less time-consuming than manually listening through a conversation again, phone representatives will need to pay close attention to when a customer is providing their information and be sure to resume the recording once completed. Otherwise, they risk not blocking the information or forgetting to record the remainder of the call.

Enable user keypad entry

Some call recording software allows customers to enter their credit card information on their phone’s keypad, eliminating the need to record or transcribe their sensitive information altogether. This method is a safer option for customers in busy locations who may not feel comfortable providing their personal data out loud. The one drawback that may compromise security is the audible tones of the keypad, which bad actors can easily decipher if they end up in the recording.

Automate PCI redaction

The simplest method for ensuring your customers’ sensitive information is protected in call recordings and transcriptions is to rely on automated redaction software to detect and redact a customer’s sensitive information. For example, CallRail’s PCI Redaction feature automatically removes cardholder data from your call recordings and transcriptions using speech analytics and machine learning — replacing financial information with "[redacted]" in your transcripts and a short tone over the call audio.

[Image: CallRail’s PCI Redaction Feature. Source: CallRail’s PCI Redaction Feature]

By automating your PCI redaction process, you can ensure your business maintains PCI DSS compliance while freeing up time to handle more calls.
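To make the transcript side of automated redaction concrete, here is an added example (not CallRail’s code, and not a description of how its PCI Redaction feature is implemented) that redacts the three values listed above from a speech-to-text transcript. It assumes a transcript of "Speaker: text" lines and uses a constructed sample conversation containing the well-known Visa test number 4111 1111 1111 1111 rather than any real cardholder data. Card numbers are found as 13-19 digit runs (with the spaces or dashes a transcription engine tends to insert) and screened with the Luhn check so that order numbers of similar length are left alone; the CV2 code and billing ZIP are shorter and ambiguous on their own, so they are redacted from the line that follows an agent prompt asking for them. The keyword lists and the "pending value" state machine are this example’s own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample transcript. 4111 1111 1111 1111 is a published test PAN;
# the CV2, ZIP and order number are made up. No real cardholder data appears here.
SAMPLE_TRANSCRIPT: List[str] = [
    "Agent: Can I get the card number, please?",
    "Customer: Sure, it's 4111 1111 1111 1111.",
    "Agent: And the three digit security code on the back?",
    "Customer: 737.",
    "Agent: Billing ZIP?",
    "Customer: 30308.",
    "Agent: Thanks. Your order number is 1234567890123 and it ships tomorrow.",
]

REDACTED = "[redacted]"

# 13-19 digits, optionally separated by single spaces or dashes, as a
# speech-to-text engine often writes a card number that was read out in groups.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Agent prompts that tell us what kind of value the next digit group will be
# (hypothetical keyword lists; extend them to match your own call scripts).
CONTEXT_PATTERNS: Dict[str, re.Pattern] = {
    "cv2": re.compile(r"\b(?:cv2|cvv|cvc|security code|code on the back)\b", re.I),
    "zip": re.compile(r"\b(?:zip|postal|postcode)\b", re.I),
}
# What the answer to each prompt looks like.
TARGET_RE: Dict[str, re.Pattern] = {
    "cv2": re.compile(r"\b\d{3,4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(line: str) -> str:
    """Replace digit runs that look like card numbers (13-19 digits, Luhn-valid)."""

    def _sub(m) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        # The Luhn screen keeps order numbers and other long IDs readable; a
        # stricter policy would simply redact every 13-19 digit run.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return REDACTED
        return m.group(0)

    return PAN_RE.sub(_sub, line)


def redact_transcript(lines: List[str]) -> List[str]:
    """Redact PANs on every line, and CV2/ZIP values on the line(s) after a prompt."""
    out: List[str] = []
    pending: Optional[str] = None  # which short value we expect next, if any
    for line in lines:
        line = redact_pan(line)
        # If an agent just asked for the CV2 or ZIP, redact the first matching
        # digit group that appears afterwards, then clear the expectation.
        if pending and TARGET_RE[pending].search(line):
            line = TARGET_RE[pending].sub(REDACTED, line, count=1)
            pending = None
        # A new prompt on this line sets the expectation for the following lines.
        for kind, pattern in CONTEXT_PATTERNS.items():
            if pattern.search(line):
                pending = kind
        out.append(line)
    return out


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_TRANSCRIPT, redact_transcript(SAMPLE_TRANSCRIPT)):
        marker = "*" if original != cleaned else " "
        print(f"{marker} {cleaned}")
```

Running the block prints the sample with the card number, CV2 and ZIP replaced by "[redacted]" and the 13-digit order number untouched, because it fails the Luhn check. Redacting the corresponding stretch of audio, as the tone described above does, additionally needs per-word timestamps from the transcription engine so the same spans can be located in the recording; that part is outside this example.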

Your business and reputation are on the line

Maintaining PCI compliance is more than just a nicety; it's a vital part of building and maintaining trust with your customers. Your business can't get by with poor information security. Audit your call recording and transcription systems and check your contact center security policy to ensure your business maintains PCI compliance and protects your customers’ confidential information. By using automated tools to redact your call recordings and transcriptions, you can help ensure your customers' credit card details remain protected while simultaneously guarding your business and reputation.

Protect your call recordings and transcripts with CallRail. Sign up for your free trial today, no credit card required.