Call Recording: PCI-DSS compliance

Compliant Call Recording Solutions should offer the ability to obfuscate (mask out) one or more sections of the audio of a telephone call with an audible tone, preventing the listener from hearing the original speech on playback.

This is normally required for compliance in certain industries where regulations dictate that certain spoken information be masked out, e.g. the Payment Card Industry – Data Security Standard (PCI-DSS).

In this example, we will adopt the PCI-DSS case, where telephone calls that contain spoken credit card information need to be masked out by an audible tone, but only during those parts of the call when the card details are being spoken, leaving the rest of the call audio intact.

In this scenario, we’ll assume that employees that make or receive telephone calls utilise an in-house or third-party data entry system or payment gateway into which credit card details are entered using a computer.

How it works

During obfuscation, it is necessary that a user or device sends at least two signals to the call recorder. Together, these two signals allow the recorder to mask out the audio between the two points in time at which each signal was received.

At the point in time during an agent’s call when obfuscation is necessary – e.g. “Can I have your CVV number please?” is spoken by the agent – a signal is sent by the agent’s screen to the recorder, which records the event along with the exact time it was sent. Similarly, when the sensitive part of the call has completed, a further signal is sent by the agent to the recorder, which is also recorded.

A single telephone call can contain more than one obfuscation, and the number of signals required is always twice the number of obfuscations in a call.
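
The signal pairing described above, as an added example that is not part of the original page or of any recorder product: timestamped signals are paired into mask intervals and the audio between each pair is overwritten with a tone. The function names, the 8 kHz mono 16-bit PCM format and the 1 kHz tone are assumptions, as is the choice to mask to the end of the call when a closing signal is missing.

```python
import math

SAMPLE_RATE = 8000      # assumed: 8 kHz mono telephony audio
TONE_HZ = 1000          # assumed masking tone frequency
TONE_AMPLITUDE = 8000   # assumed amplitude for 16-bit samples


def pair_signals(signal_times, call_duration):
    """Pair signal timestamps (seconds from call start) into (start, end)
    mask intervals: signals 1 and 2 form the first interval, 3 and 4 the next."""
    # Clamp rather than drop out-of-range signals so the pairing stays aligned.
    times = sorted(min(max(t, 0.0), call_duration) for t in signal_times)
    if len(times) % 2:
        # Assumption: an unmatched opening signal fails closed and
        # masks everything up to the end of the call.
        times.append(call_duration)
    return list(zip(times[0::2], times[1::2]))


def obfuscate(samples, signal_times):
    """Return a copy of the PCM samples with every interval replaced by a tone."""
    duration = len(samples) / SAMPLE_RATE
    masked = list(samples)
    for start, end in pair_signals(signal_times, duration):
        first = int(start * SAMPLE_RATE)
        last = min(int(end * SAMPLE_RATE), len(masked))
        for i in range(first, last):
            # Overwrite, never mix: the original speech must not survive.
            angle = 2 * math.pi * TONE_HZ * i / SAMPLE_RATE
            masked[i] = int(TONE_AMPLITUDE * math.sin(angle))
    return masked


if __name__ == "__main__":
    # Constructed sample: 10 s of a constant non-zero value standing in for speech.
    call = [1234] * (10 * SAMPLE_RATE)
    signals = [2.0, 4.0, 7.5]          # third signal has no closing partner
    print(pair_signals(signals, 10.0))
    out = obfuscate(call, signals)
    print(sum(1 for s in out if s == 1234) / SAMPLE_RATE, "seconds left unmasked")
```

The masked copy is what should be stored for playback; retaining the unmasked original alongside it would leave the spoken card data recoverable.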
