Does Recording Calls in a Call Center Violate PCI Security Requirements?
Toronto, Canada, July 28, 2008 --(PR.com)-- Everyone has heard the phrase “Your call may be recorded for quality purposes” but what impact does call recording have on PCI compliance?
According to Don Bundock, CEO of Quality Track International, recording calls that include credit card numbers and other sensitive information is certainly a PCI compliance issue.
“Every day call centers record thousands of agent/customer conversations that contain sensitive credit card information.” says Bundock. “Some call recording systems provide encryption to secure the audio files. But the security resulting from encryption vanishes when play-back for training purposes is initiated as the entire, unmasked credit card number is audible to the user, and anyone else within earshot.
Recognizing the challenge of removing credit card numbers and CCV2 numbers from audio files, the PCI Security Standards Council has made a temporary exception for audio recordings. However, that exception is based on there being no commercially reasonable technology to delete the card information and states that if removal becomes possible, the card numbers should be deleted.
Quality Track International has developed a process that effectively and economically removes card numbers from encrypted audio files. The system has been installed in beta locations and excellent results have been obtained.
“The performance has been very impressive” says Bundock, “We have processed thousands of individual audio recordings and each one has been manually reviewed to determine if the card number removal was successful. In every case, the card number was obscured sufficiently to comply with PCI DSS requirements. An additional benefit of removing the card numbers is that without the card number, a CCV2 number becomes a meaningless 3 or 4 digit number.”
One of the challenges in removing the card data from an audio file is that the numbers are spoken in many different ways, and repeated in whole or in part, often two or more times during the conversation. Processes that rely on keyword triggers often fail to remove all instances of the card number. Systems that allow the agent to mute the recording are susceptible to agent error or fraud and can miss multiple occurrences of the numbers.
The Quality Track proprietary methodology isolates and removes card numbers while leaving important information like pricing, confirmation numbers and phone numbers untouched. The card number removal process can be configured to operate on existing call recording systems. Patents are pending.
Testing and refinements are continuing and it is anticipated that a commercial product will be ready for release by the 4th quarter 2008.
Quality Track International is based in Toronto Canada and provides call recording and agent performance grading services for call centers in North America, Europe and Asia. For information contact: Don Bundock at Don.Bundock@QualityTrack.com
###
According to Don Bundock, CEO of Quality Track International, recording calls that include credit card numbers and other sensitive information is certainly a PCI compliance issue.
“Every day call centers record thousands of agent/customer conversations that contain sensitive credit card information.” says Bundock. “Some call recording systems provide encryption to secure the audio files. But the security resulting from encryption vanishes when play-back for training purposes is initiated as the entire, unmasked credit card number is audible to the user, and anyone else within earshot.
Recognizing the challenge of removing credit card numbers and CCV2 numbers from audio files, the PCI Security Standards Council has made a temporary exception for audio recordings. However, that exception is based on there being no commercially reasonable technology to delete the card information and states that if removal becomes possible, the card numbers should be deleted.
Quality Track International has developed a process that effectively and economically removes card numbers from encrypted audio files. The system has been installed in beta locations and excellent results have been obtained.
“The performance has been very impressive” says Bundock, “We have processed thousands of individual audio recordings and each one has been manually reviewed to determine if the card number removal was successful. In every case, the card number was obscured sufficiently to comply with PCI DSS requirements. An additional benefit of removing the card numbers is that without the card number, a CCV2 number becomes a meaningless 3 or 4 digit number.”
One of the challenges in removing the card data from an audio file is that the numbers are spoken in many different ways, and repeated in whole or in part, often two or more times during the conversation. Processes that rely on keyword triggers often fail to remove all instances of the card number. Systems that allow the agent to mute the recording are susceptible to agent error or fraud and can miss multiple occurrences of the numbers.
The Quality Track proprietary methodology isolates and removes card numbers while leaving important information like pricing, confirmation numbers and phone numbers untouched. The card number removal process can be configured to operate on existing call recording systems. Patents are pending.
Testing and refinements are continuing and it is anticipated that a commercial product will be ready for release by the 4th quarter 2008.
Quality Track International is based in Toronto Canada and provides call recording and agent performance grading services for call centers in North America, Europe and Asia. For information contact: Don Bundock at Don.Bundock@QualityTrack.com
###
Contact
Quality Track International Inc.
Don Bundock
416 693 5426
www.qualitytrack.com
Contact
Don Bundock
416 693 5426
www.qualitytrack.com
Categories