6 Responses to “The Missing Link In Call Center Recordings”


  1. JD
    September 28, 2017 at 2:44 AM

    I’ve delivered PCI DSS compliance in a number of call centre environments where calls are recorded, with full PAN and SAD, where the calls are recorded ‘end to end’ and stored for FCA purposes. Obviously the line ‘This requirement does not supersede local or regional laws that may govern the retention of audio recordings.’ within the FAQ comes into play so things can get very messy bouncing between the two bodies, PCI and FCA.
    So, do we ignore Req 3.2 with the ‘Get out of Jail card’ of them being needed for regulatory purposes, or can we apply compensating controls to cover Req 3.2 in this scenario? And if so, what?

    • September 28, 2017 at 1:16 PM

      There is no such thing as a “Get Out Of Jail Free” card with PCI unless you can get one or all of the involved card brands to sign off on not protecting that information (like any of them would agree to that). Yes, you have a regulatory requirement, but you are still obligated to protect the information.

      So regardless, you will end up doing a compensating control worksheet to deal with requirement 3.2. That will likely involve retaining the information, but encrypting that data as well as severely restricting access to the data and monitoring that data in near real-time for any misuse.

  2. Christi F.
    August 5, 2014 at 7:50 AM

    I work in a call center, for a utility company. Calls are all recorded – for quality purposes, of course. So, based on my company’s training and my own research – they are allowed to record the calls, but, there should be some sort of mechanism that would not allow for the PII to be retained within that recording (i.e., card number, CVV, etc.). There should also be no way for the representative to write down that information via hard- or soft-copy means (paper/pen, email, notepad, etc.). What has brought me searching for any further clarification is there is a rule that has been instituted that states there is a “no cell phone” zone around the call center. I am presuming so no pictures or recordings could be taken of the numbers entered. However, there is no limitation on actual hard phones being utilized within that same area, whereby someone could then overhear the same PII data.

    • August 6, 2014 at 5:04 AM

      Just so we are all clear, if your call recording technology has the ability to remove or not record PII, under the PCI DSS you are required to implement that technology.

      Overhearing PII is one of the risks in a call center environment. The only way to address that issue is with training.

      • Christi F.
        August 6, 2014 at 7:41 AM

        I appreciate your quick response. At this time, it is my understanding that the technology is not available with “this release” – and potentially, if it becomes available it will be a “manual” process of stopping and starting the recording.

        So, for my second portion of the convoluted question I had… Is there an actual requirement in PCI to ban cell phone usage within a particular distance of the call center area?

        Thank you!

      • August 6, 2014 at 2:25 PM

        No. Cell phone bans are just what the best call centers do.
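The pause-and-resume and masking capability discussed in the replies above, as an added example that is not part of the original post or of any vendor's product: a small Python model of a call recorder that stops retaining media while the agent desktop reports that the payment screen is open (the automatic version of the "manual stop and start" mentioned), and, as a second layer, scans whatever it does retain for Luhn-valid card numbers before the recording is written. The event names, the text form of the media and the sample call are constructed for illustration; a real recorder would take the pause/resume triggers from the agent desktop or IVR, not from the audio.

```python
"""Added example: automatic pause/resume of a call recording around the
payment step, plus a post-hoc scan of retained content for PANs.

Hypothetical: event names, the textual media format and SAMPLE_CALL are
constructed for illustration; no recorder or vendor API is used.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical control events, as a real recorder would receive them from
# the agent desktop (screen-pop) or the IVR.
PAUSE_ON = {"payment_screen_open"}
RESUME_ON = {"payment_screen_close", "call_end"}
MASK = "[REDACTED]"  # stands in for silence / a beep in the stored audio


@dataclass
class Segment:
    ts: float
    kind: str    # "speech" or "dtmf"
    heard: str   # what reached the recorder (transcript or keypad digits)
    stored: str  # what is written to long-term storage


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid 13-19 digit run with MASK; return (text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            count += 1
            return MASK
        return m.group()

    return _DIGIT_RUN.sub(repl, text), count


def record_call(events) -> list[Segment]:
    """events: iterable of (ts, kind, payload).  Control events toggle
    recording; media events ("speech"/"dtmf") are retained only while
    recording is on, and even then are scanned for PANs first."""
    recording = True
    segments: list[Segment] = []
    for ts, kind, payload in events:
        if kind in PAUSE_ON:
            recording = False
        elif kind in RESUME_ON:
            recording = True
        elif kind in ("speech", "dtmf"):
            if recording:
                stored, _ = mask_pans(payload)  # second layer: content scan
            else:
                stored = MASK                   # first layer: pause/resume
            segments.append(Segment(ts, kind, payload, stored))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return segments


def leaked_pan_count(segments: list[Segment]) -> int:
    """Gate before the recording is written: any Luhn-valid PAN still present?"""
    return sum(mask_pans(s.stored)[1] for s in segments)


# Constructed sample call.  The card numbers are the usual test values.
SAMPLE_CALL = [
    (0.0, "speech", "Thanks for calling, I can take that payment now."),
    (4.0, "payment_screen_open", ""),
    (5.0, "speech", "My card number is 4111 1111 1111 1111, expiry 12/27."),
    (9.0, "dtmf", "4111111111111111"),
    (11.0, "speech", "Security code is 123."),
    (13.0, "payment_screen_close", ""),
    (14.0, "speech", "Payment accepted, reference 88921."),
    # Agent never reopened the payment screen for the second card, so the
    # pause layer misses it and the content scan has to catch it.
    (20.0, "speech", "Actually use my other card 5555 5555 5555 4444 instead."),
    (25.0, "call_end", ""),
]

if __name__ == "__main__":
    segs = record_call(SAMPLE_CALL)
    for s in segs:
        print(f"{s.ts:5.1f} {s.kind:6} {s.stored}")
    print("PANs left in stored recording:", leaked_pan_count(segs))
```

The two layers matter for the point made in the thread: the pause/resume trigger is the primary control, but it depends on the agent (or desktop integration) doing the right thing on every call, so a final scan of what is about to be stored is the check that tells you whether PAN or SAD actually made it into the retained recording.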


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.