6 Responses to “The Missing Link In Call Center Recordings”


  1. 1 JD
    September 28, 2017 at 2:44 AM

    I’ve delivered PCI DSS compliance in a number of call centre environments where calls are recorded, with full PAN and SAD, where the calls are recorded ‘end to end’ and stored for FCA purposes. Obviously the line ‘This requirement does not supersede local or regional laws that may govern the retention of audio recordings.’ within the FAQ comes into play so things can get very messy bouncing between the two bodies, PCI and FCA.
    So, do we ignore Req3.2 with the ‘Get out of Jail card’ of them being needed for regulatory purposes or can we apply compensating controls to cover Req3.2 in this scenario.? And if so what?

    • September 28, 2017 at 1:16 PM

      There is no such thing as a “Get Out Of Jail Free” card with PCI unless you can get one or all of the involved card brands to sign off on not protecting that information (like any of them would agree to that). Yes, you have a regulatory requirement, but you still obligated to protect the information.

      So regardless, you will end up doing a compensating control worksheet to deal with requirement 3.2. That will likely involve retaining the information, but encrypting that data as well as severely restricting access to the data and monitoring that data in near real-time for any misuse.

  2. 3 Christi F.
    August 5, 2014 at 7:50 AM

    I work in a call center, for a utility company. Calls are all recorded – for quality purposes, of course. So, based on my company’s training and my own research – they are allowed to record the calls, but, there should be some sort of mechanism that would not allow for the PII to be retained within that recording (i.e., card number, CVV, etc.). There should also be no way for the representative to write down that information via hard- or soft-copy means (paper/pen, email, notepad, etc.). What has brought me searching for any further clarification is there is a rule that has been instituted that states there is a “no cell phone” zone around the call center. I am presuming so no pictures or recordings could be taken of the numbers entered. However, there is no limitation on actual hard phones being utilized within that same area, whereby someone could then overhear the same PII data.

    • August 6, 2014 at 5:04 AM

      Just so we are all clear, if your call recording technology has the ability to remove or not record PII, under the PCI DSS you are required to implement that technology.

      Overhearing PII is one of the risks in a call center environment. The only way to address that issue is with training.

      • 5 Christi F.
        August 6, 2014 at 7:41 AM

        I appreciate your quick response. At this time, it is my understanding that the technology is not available with “this release” – and potentially, if it becomes available it will be a “manual” process of stopping and starting the recording.

        So, for my second portion of the convoluted question I had… Is there an actual requirement in PCI to ban cell phone usage within a particular distance of the call center area?

        Thank you!

      • August 6, 2014 at 2:25 PM

        No. Cell phone bans are just what the best call centers do.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

February 2010
M T W T F S S
« Jan   Mar »
1234567
891011121314
15161718192021
22232425262728

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,904 other followers


%d bloggers like this: