Does your business accept payment over the phone? Are you using call tracking and recording calls as a means of gathering meaningful attribution and analytics data?
If so, then you should be aware of your responsibilities in protecting your customers’ sensitive data as part of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Regardless of the vendors you choose and their PCI compliance stats, it is ultimately the business receiving the phone call that is responsible for protecting consumer data.
How can you limit your exposure to potential PCI issues?
The only way to be certain is to not record the call. However, taking this approach greatly diminishes the value of your call tracking program. The insights that you gain from the call should be at the core of your call tracking program.
So, if you want to realize the benefits of recording calls, there are some basic steps you can take to get started in limiting your exposure to potential PCI issues:
1. Notify callers that they’re being recorded – US Federal law requires that at least one party taking part in a call be notified of the recording (18 U.S.C. §2511(2)(d)).
By using a detailed custom notification on all inbound calls, alerting the caller of the recording, the caller decides whether they feel comfortable providing credit card payment on a recorded call and can arrange payment in another form or through other means.
2. Redact sensitive credit card information – If you are recording calls that could contain PCI data then having this data redacted from recordings is a must.
By ensuring that ALL recordings are processed for the removal of PCI data, you will be in a good position to maintain privacy and PCI compliance by not storing any sensitive data in the audio files. Redaction allows you to harness the benefits of a call tracking program, and adds an extra data point for analytics!
Even with PCI data redacted from call recordings, it is still best practice to ensure that only authorized individuals have access to recordings.
Ensure that your user accounts are managed appropriately by only granting audio file access to authorized personnel. It is also a good idea to ensure your media has an expiration date after which it will no longer be accessible. This will help to protect your data if links/access to the data has been compromised in any way.
With the rich insights available from what is happening on your calls, it is essential that you include this as a component of any call tracking program. Even more important is your customers’ privacy, so it is imperative that you take this responsibility seriously and take the necessary steps to protect your data.
It can be a challenge to balance these seemingly conflicting requirements. However, with the help of partners who are familiar with the best practices to protect sensitive information, you can achieve your marketing goals in a secure way.