If your customers pay by credit card, watch out: You may be breaking new industry standards.
To reduce the number of identity thefts, the Payment Card Industry (PCI) recently enacted tougher rules on what data can be stored and how. And if you don’t follow the rules, you might cause your customers to be victims of identity theft.
The PCI – which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. – has asked any company that takes their credit cards for payment to voluntarily follow its Data Security Standard (PCI-DSS).
In short, the standard asks companies not to record calls or keep records of customers’ full credit card information (the card number, verification code, expiration date and magnetic stripe). And if you do record those details, the industry asks that they be well encrypted.
Pelorus Associates, a contact center consulting agency, has offered some alternatives for complying with the standards.
- Cease recording all sales and transaction calls.
- Train agents to disable the recording function when card data is required, then restart after the transaction is completed.
- Require agents to delete the section of the recording that includes the authorization code.
- Use third-party devices that require the caller to enter card details via their touchtone pad.
- Do nothing – which many companies have chosen so far.
- Use call recording systems that automatically mask and mute sensitive card details.
You can find more details in the Pelorus white paper, Call Recording Guide to PCI-DSS Compliance.