PCI DSS – Practical Implications for Archived Call Recordings

While the implications of PCI DSS are broad, they can be brought into sharp focus as follows: no organisation taking card payments may retain sensitive authentication data, in any format, whether encrypted or not. Sensitive authentication data includes the full magnetic stripe data, card validation codes and PINs.

For call recording, much of the discussion of PCI has focused on methods to ensure that your recorder no longer captures authentication data. Liquid Voice recorders address this particular problem with techniques including Automated Pause & Resume and Mute/Un-Mute, which ensure that authentication data is not captured in the first place.

But that’s only half the story.

Most organisations that record calls store them for long periods, so you could have an archive of recorded calls built up over a number of years. What can be done to ensure that the archive is PCI compliant?

PCI SSC FAQ 5362 states that “It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted.”

This has implications for every organisation that stores recorded calls, no matter how big or small it is and regardless of the volume of recordings in the archive. If you currently record calls, you may already be storing sensitive authentication data that you are not allowed to keep.

Redaction of stored authentication data within legacy call recordings addresses this. Organisations holding non-compliant recordings built up over a number of years can remove the section of each recording in which the problem is identified, bringing the historical archive into compliance.
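An added illustration of the redaction step, not code from Liquid Voice or the original article: the spans in which card data was spoken are assumed to have already been located (by a reviewer or a speech analytics pass) and are overwritten with digital silence rather than cut out, so the recording keeps its original duration and any existing timestamps remain valid. The WAV sample is constructed in memory; telephony-rate 16-bit mono PCM is an assumption.

```python
import io
import struct
import wave

SAMPLE_RATE = 8000  # assumed telephony rate for the constructed sample


def build_test_recording(seconds: float, rate: int = SAMPLE_RATE) -> bytes:
    """Constructed sample: 16-bit mono PCM in which every sample is non-zero,
    so any span left un-redacted is easy to detect."""
    n = int(seconds * rate)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack(f"<{n}h", *([1000] * n)))
    return buf.getvalue()


def read_frames(wav_bytes: bytes):
    """Return (wave params, raw PCM frames) for a WAV held in memory."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        return r.getparams(), r.readframes(r.getnframes())


def redact_spans(wav_bytes: bytes, spans):
    """Overwrite each [start, end) range (in seconds) with silence.
    Returns the new WAV bytes and the frame ranges actually blanked,
    which should be written to the redaction audit log."""
    params, frames = read_frames(wav_bytes)
    if params.sampwidth < 2:
        raise ValueError("8-bit WAV uses unsigned PCM; zero bytes are not silence")
    frames = bytearray(frames)
    frame_size = params.nchannels * params.sampwidth
    applied = []
    for start, end in spans:
        if end <= start:
            raise ValueError(f"invalid span {start}-{end}")
        a = max(0, int(start * params.framerate))
        b = min(params.nframes, int(end * params.framerate))  # clip to file length
        if a >= b:
            continue  # span lies entirely past the end of the recording
        frames[a * frame_size:b * frame_size] = bytes((b - a) * frame_size)
        applied.append((a, b))
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(bytes(frames))
    return out.getvalue(), applied


def verify_redaction(wav_bytes: bytes, spans) -> bool:
    """Independent check run after redaction: every sample in each span is zero."""
    params, frames = read_frames(wav_bytes)
    fs = params.nchannels * params.sampwidth
    return all(not any(frames[int(s * params.framerate) * fs:int(e * params.framerate) * fs])
               for s, e in spans)
```

Keep the returned frame ranges alongside the case reference in an audit trail; an assessor will want evidence of what was redacted and when, and the verify step should be run on the archived copy, not the working file.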

The implications of PCI DSS are real, and they affect every organisation that takes card payments while recording calls. Any such organisation that retains previously recorded sensitive authentication data is in breach of its compliance obligations. Breaches may incur financial penalties and will erode customer confidence.

That said, the drive for compliance should not restrict your ability to record calls.

Recorders that capture new calls compliantly, and support redaction of existing recordings, allow you to take card payments while continuing to enjoy the agent quality and customer experience benefits of call recording.