

PCI compliance and the telecoms sector


The term "PCI compliant" has become increasingly popular as card security breaches at merchants like eBay, Adobe, and British Airways land thousands of card details in the hands of criminals. According to the 2014 Verizon Business Data Breach Report, more than 80% of data stolen in breaches is payment card data.

PCI compliance refers to a set of requirements designed to help businesses process card payments safely and to contribute to reducing card fraud. PCI applies to organizations that accept, transmit or store any cardholder data, with the main aim being to improve payment account security throughout the transaction process.

UK Telecoms sector and PCI compliance

As telecommunications companies across the UK extend their services to offer Internet-based all-in-one services to merchants, they begin to look a lot like service providers for PCI purposes. The more they convert analog voice data to digital data and provide additional services like firewalls, routers, and interactive voice response (IVR) systems, the more they cross over into the "application layer of the communications link" and fall into the conventional definition of a service provider.

Call recording and taking card payments

When it comes to PCI compliance, call recording throws up some challenges, especially around collecting card payments over the phone when this has to be done during a recorded call.

If a customer reads out card details to your agent and those details are captured in the call recording, then you may be in breach of PCI DSS Regulations, particularly if the PAN and CV2 numbers are part of the voice recording.

Is it possible to prevent call center agents from stealing customers' credit card details? Can you ensure that recordings of phone conversations in which customers hand over their card details are protected in a way that meets the PCI DSS requirements?

There are a couple of ways around this problem, although each one comes with its peculiarities.

1. Not recording calls at all: At a glance, this seems the safest and simplest solution. If calls are not recorded, and the agents have no means to capture the sensitive card information themselves, then you may be okay from a PCI DSS compliance point of view. However, going down this route means losing all the other customer service and complaints-handling benefits associated with recording calls. And of course, if you’re in an industry where call recording is a regulatory requirement, this option is not available to you in the first place, so you will need to look for another solution.

2. Tagging calls and screening card details: A second option is to keep recording all your calls and taking customer payments as before. You can tag calls where a card payment is received and then go back and ‘mask’ the card details, for example by overlaying them with white noise so that they cannot be retrieved from the recording. However, this introduces extra administrative strain and can also be subject to error.

3. Pause and resume: This involves the agent or an automated process pausing the call recording at the point where the caller is giving their card details, and then resuming the recording once the payment is taken, so that the card details are excluded. However, the agent may forget to activate the pause and resume system or may activate it incorrectly; also, the agents themselves remain exposed to the card details, so they could still abuse them.


4. De-scoping your call recordings: Luckily there’s a new means of taking card payments over the phone that enables recording of the whole call while remaining fully PCI DSS compliant. There are new systems that allow customers to directly key their card numbers in using their telephone keypad (DTMF touch tones) rather than just reading them out. Since these tones are masked, the agent cannot hear or see the sensitive card information, nor can the card details be picked up in call recordings, so there’s no way that the caller’s card details can be identified by anyone with access to the recording.
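
To make option 2 concrete, the sketch below is an added example (not EcoVoip's software or any vendor's API) that masks tagged spans of a recording. It assumes raw 16-bit little-endian mono PCM at 8 kHz, uses a hypothetical function name `mask_tagged_spans`, and overwrites the tagged samples with noise instead of mixing noise on top; the `pad_s` margin is an assumed allowance for the tagging errors mentioned above.

```python
import math
import random
import struct

def mask_tagged_spans(pcm, tags, rate=8000, pad_s=0.25, seed=None):
    """Replace tagged spans of 16-bit little-endian mono PCM with white noise.

    pcm   : raw sample bytes (assumed format; real recordings may need decoding)
    tags  : iterable of (start_s, end_s) marking where card details were spoken
    pad_s : safety margin on both sides, since manual tags can be early or late
    Returns (masked_pcm, number_of_samples_replaced).
    """
    n = len(pcm) // 2
    samples = list(struct.unpack("<%dh" % n, pcm[:n * 2]))
    spans = []
    for start, end in sorted(tags):
        if end <= start:
            raise ValueError("tag end must be after start: %r" % ((start, end),))
        lo = max(0, int((start - pad_s) * rate))
        hi = min(n, math.ceil((end + pad_s) * rate))
        if lo >= hi:
            continue  # tag lies entirely outside the recording
        if spans and lo <= spans[-1][1]:
            spans[-1][1] = max(spans[-1][1], hi)  # merge overlapping tags
        else:
            spans.append([lo, hi])
    rng = random.Random(seed)
    replaced = 0
    for lo, hi in spans:
        # Overwrite rather than mix: mixing keeps the speech in the sum,
        # overwriting leaves none of the original samples behind.
        for i in range(lo, hi):
            samples[i] = rng.randint(-8000, 8000)
        replaced += hi - lo
    return struct.pack("<%dh" % n, *samples), replaced

if __name__ == "__main__":
    # Constructed input: 3 s of a constant sample value, two overlapping tags.
    recording = struct.pack("<24000h", *([1000] * 24000))
    masked, count = mask_tagged_spans(recording, [(1.0, 1.5), (1.4, 2.0)], seed=1)
    print(count, "samples replaced of", len(recording) // 2)
```

The masked copy only helps if it replaces the original everywhere the recording is stored, including backups and replicas.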

