Guidance notes: PCI DSS Compliance as it relates to call recording
14 Feb 2011
The Payment Cards Industry Data Security Council (commonly referred to as the PCI) is a body representing the major payment card (credit card, debit card, etc.) issuers, set up to develop and promote security standards for account data protection. It produced the Data Security Standard (DSS) to assist merchants with protecting cardholder and accountholder information.
Achieving compliance with the PCI DSS has been a key business objective for many organisations and involves all aspects of data security including (but not limited to) data networks, web servers, database servers, line-of-business applications, card processing equipment, file servers, remote access systems and the management of which individuals have access to which systems. For most organisations, achieving PCI DSS compliance requires considerable effort, but many organisations recognise the principles of data security that it imposes as a positive benefit in the long term.
One area that has caused considerable confusion is the storage of cardholder information in call recording systems, which are commonly in place in contact centres for compliance, quality and training purposes. This document outlines some of the requirements of the PCI DSS in relation to the storage of cardholder information in call recording systems and some potential solutions for contact centre operators.