For companies that take credit card payments over the phone, PCI compliance isn't just a suggestion; it is a contractual requirement enforced by the card brands through the acquiring banks. The trouble is that most companies don't know what PCI DSS actually requires of them, or that they can be fined thousands of pounds each month for non-compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded payment cards, including Visa, MasterCard, American Express, Discover and JCB. The standard was created to tighten the controls around cardholder data and so reduce card fraud. Compliance is validated annually: organisations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance, while companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ). Which SAQ applies depends on how card data flows through your business, and a call centre that keys card numbers into a terminal while on the phone is treated differently from one that only hands callers off to a payment line.
Whilst we would always suggest getting an expert to evaluate your particular situation, here is our beginner's guide to PCI compliance to help get you started.
- Don’t record and store credit card details!
If at all possible, the preferred option is not to record or retain credit card details in the first place: what you never store cannot be stolen, and it also shrinks the scope of the systems that have to be assessed. Quite often Swyx monitor is set to record all calls on all trunks, meaning that card details are recorded whether you want them or not. With a few tweaks to Swyx and the GoConnect toolbar from Vox Rocket, an agent can pause the call recording while the card details are taken; recording resumes automatically so the rest of the conversation is still captured. Two points to check when you set this up: the pause must cover the whole read-out, including the security code (CVV/CVC), because PCI DSS prohibits storing sensitive authentication data after authorisation even when it is encrypted; and because the pause is triggered by the agent, you should spot-check recordings and the pause logs to confirm it is actually being used.
- Stop eavesdropping with Swyx encryption.
Swyx has the inherent ability to encrypt call communication. Set this to mandatory in the Swyx configuration so that clients which cannot encrypt are refused rather than silently falling back to clear audio; that prevents anyone running packet-sniffing software on the network from reconstructing phone calls from the captured traffic. Bear in mind that encryption on the wire protects the call in transit only: it does nothing for recordings once they are written to disk, which is what the next point addresses.
- If you have to record credit card details then prevent access to the data.
Storing credit card details is frowned upon, but if you don't have a choice then it is critical that the information is protected. Ensuring that staff can't simply browse the recordings and search through them freely is a must if you don't want to risk heavy financial penalties. Using VoxVision with the VoxVault call recording archive, in conjunction with Microsoft's Encrypting File System (EFS), locks down your important data. The file encryption prevents anyone without the appropriate access from playing back Swyx call recordings, and it also protects the files if a disk or backup is copied off the server. EFS ties decryption to a Windows account's key, so it should be combined with NTFS permissions that restrict the archive to a named playback group and with file access auditing, otherwise any account that can log on to the server and has been granted the key can still play every recording.
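As an added example (not code from the original page, nor from Swyx or Vox Rocket), the following PowerShell script locks down a recording archive on Windows in the way described above: it turns on EFS for the folder, replaces inherited NTFS permissions with an explicit allow list, and reports any recording that is not encrypted. The archive path, the playback group and the recorder service account are assumptions for illustration.

```powershell
# Added example: lock down a call-recording archive with EFS and NTFS ACLs.
# Assumed names (not from the original page): adjust to your environment.
# Run from an elevated PowerShell session on the recording server.
param(
    [string]$Archive         = 'D:\VoxVault\Recordings',        # assumed archive path
    [string]$PlaybackGroup   = 'DOMAIN\CallRecording-Playback', # assumed group allowed to play back
    [string]$RecorderAccount = 'DOMAIN\svc-callrecorder'        # assumed account that writes recordings
)

if (-not (Test-Path -LiteralPath $Archive)) {
    throw "Archive folder '$Archive' does not exist"
}

# 1. Turn on EFS for the folder. /e marks the folder so new files are encrypted
#    automatically; /s:<dir> applies it to everything already in the tree.
#    Caveat: the files are encrypted with the key of the account running this
#    command. Playback users must be granted access to each file with
#    'cipher /adduser', or via an EFS data recovery agent, before they can
#    decrypt anything; EFS alone is not an access-control list.
& cipher.exe /e /s:$Archive | Out-Null

# 2. Replace inherited NTFS permissions with an explicit allow list.
$acl = Get-Acl -LiteralPath $Archive
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, discard inherited ACEs
foreach ($existing in @($acl.Access)) {        # drop any explicit ACEs that were already there
    [void]$acl.RemoveAccessRule($existing)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # Administrators and SYSTEM keep full control so backups and the
    # recorder service can manage the files (and so this script cannot
    # lock the operator out).
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $none, $allow),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $none, $allow),
    # The recorder writes new files but does not need to read old ones back.
    New-Object System.Security.AccessControl.FileSystemAccessRule($RecorderAccount, 'Modify',         $inherit, $none, $allow),
    # Playback staff get read-only access, nothing more.
    New-Object System.Security.AccessControl.FileSystemAccessRule($PlaybackGroup,   'ReadAndExecute', $inherit, $none, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Archive -AclObject $acl

# 3. Verify: every file under the archive should carry the Encrypted attribute.
$unencrypted = Get-ChildItem -LiteralPath $Archive -Recurse -File |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }

if ($unencrypted) {
    $unencrypted | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
    exit 1
}
Write-Output "All $((Get-ChildItem -LiteralPath $Archive -Recurse -File).Count) recordings under $Archive are EFS-encrypted."
```

Run the verification step (section 3) on a schedule as well as once at setup; a recording that arrives unencrypted, for example because the recorder wrote it to a different folder or the EFS flag was cleared, is exactly the kind of gap an assessor will ask about. Note that Windows will not EFS-encrypt a file that has the System attribute, so check the recorder's output files if the script keeps reporting them.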
For more information on PCI compliance, have a look at https://www.pcisecuritystandards.org