PCI DSS Compliance for Secure Telephone Call Recording

25th Jan, 2017 - in Uncategorized - by CDI-Andrew

You think your company is recording telephone calls to improve customer service – but you could end up breaking the law without even knowing …

Most organisations are keen to keep within the law. After all, there can be hefty fines and bad publicity for those who stray outside.  Undoubtedly, as an upstanding company, you will be doing all you can to stay within the law, and will stamp out any behaviours or activities that are even slightly risky…

Who’s looking at your security? Who’s listening to your recordings?

So it’s a shock to realise how easy it is to stray outside the rules of the law, even when you think your organisation is super-vigilant.  In fact, it’s  the super-vigilant who may fall foul of this one: as an extension of data protection – companies who record telephone conversations, need to be extra-careful when taking card payments.

And this article is designed to help companies who use call-recording in their daily business transactions.

  • Does your company take card payments over the phone?
  • Does your company record telephone calls?
  • Then you should be PCI DSS compliant to meet with the *Data Protection Act

Here’s our quick guide to ensuring you are PCI DSS Compliant. 

PCI DSS? What does this even mean?

The Payment Card Industry Data Security Standard (PCI DSS) Is a proprietary data information security standard for all companies that handle credit card details.

Why is PCI DSS Important?

Any business that takes payment card details is handing secure information. If this information is not managed correctly, it could be misplaced or maliciously used.

By following the PCI Data Security Standards, you can minimise the risks to your customers and your business.

Does it Affect Me?

If you take card payments over the phone and record calls then YES!  You need to ensure that you adhere to the PCI DSS.

If you are unsure whether you are affected or not, then you need to know…contact your card payment suppliers to find out.

How to ensure PCI DSS Compliance

The main concern of the PCI DSS compliance is the non-storage of audio/voice recordings containing cardholder’s data and or sensitive authentication data.  This does not mean that phone calls may not be recorded, but it does mean that the part of the call where card validation codes and values are taken (These are referred to as CAV2, CVC2, CVV2 or DIC Codes by the payment brands) must not be recorded.

PCI DSS Compliance Solutions

Several call recording solutions are available on the market to ensure you comply with the PCI Standards.  From Low-tech to high-tech, here are a few of them.



A manual Button Control stop recording on handset.

Whilst this is a cost-effective solution it does mean a manual process and will most probably not always be used. A single card detail being taken whilst recording is still on, means PCI compliance is failed.

Our opinion: low tech, low cost, high risk


Software Integration

Software button integration.

This can be written into your CRM solution so when your operators press a process fed button to take card payment it tells the recording software to pause.

Our opinion: high tech, medium cost, medium-to-low risk




This is one of the more expensive solutions but does tick all the boxes.

The caller would be put through to an automated system that would take all card details and process with no recording and no information being shared within anyone but the system.

Our opinion: highest tech, highest investment, low-to-no risk.



About the Data Protection Act

*The Data Protection Act controls how personal information is used by organisations, businesses or the government.

Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure