PCI compliance is designed to protect consumers. The Data Security Standard (DSS) was created by the world’s major card brands so that the payment card industry (the “PCI” in PCI DSS) could guard against fraud in online and phone transactions. PCI DSS forbids storing sensitive authentication data such as card verification codes once a transaction has been authorized, and requires that any stored card numbers be rendered unreadable, so that a data breach does not hand attackers usable card credentials.
But PCI compliance protects companies, too. Most companies that transact with customers remotely need to keep recordings of financial transactions for dispute resolution, quality assurance or other regulatory compliance purposes. PCI compliance means doing so safely, without the account numbers that could expose them to massive liability in the case of a data breach. Companies that neglect PCI compliance are also subject to fines and may lose access to card processing and other financial services as well, so finding the right PCI compliance solution is essential.
The 3 Methods of PCI Compliance
Most call recording solutions allow businesses to achieve compliance through one of three different methods:
- Manual intervention
- API call
- Automatic redaction
CallCabinet’s award-winning Atmos platform offers all three. Atmos, the first cloud-native compliance solution ever, was designed to be foundationally compliant, regardless of how a business operates. For financial services compliance leader CallCabinet, the flexibility of having 3 different PCI compliance methods means that more businesses will be able to meet their compliance requirements.
However, the three methods are not equally effective. So which is the best? Let’s explore.
GOOD – Manual Intervention
Manual intervention is the technique available from call recording software that was not designed with compliance in mind. It requires the agent to stop or pause the recording by hand while card numbers and verification codes are being read out or keyed in, and to resume it afterward.
While this method certainly works, it can be less than reliable. Agents must remember to stop their recordings at the right time and then remember to resume them afterward. This adds an extra layer of responsibility that companies may not be comfortable granting to sales or support personnel. Being able to stop a recording manually can damage the recording’s value as a dispute resolution tool and potentially expose the company to other non-compliance issues.
Manual intervention can also take place after the fact. However, manually scrubbing card data from recordings and transcripts is extremely time-consuming, and it still does not eliminate the potential for human error. Moreover, once a recording has been edited after the fact, its integrity as a record can no longer be demonstrated, which may disqualify it as evidence in litigation.
Many unified communications (UC) systems such as Microsoft Teams, Webex Calling and others offer compliance via the manual intervention method. Although Atmos is a Microsoft and Cisco certified solution, it provides a superior level of PCI compliance protection (see “BEST” below), making it an ideal solution for companies that rely upon UC for their business.
BETTER – API Call
If you agree that PCI compliance should not be left to human memory, you may prefer the API call method. This method is rooted in the software itself: the payment application signals the recorder through an application programming interface (API) when the agent enters and leaves a field that holds cardholder data, so the recorder can pause audio capture (and mask that region of any screen recording) for exactly that interval.
For example, the API call method could be used to keep a recording from capturing numbers entered into a form field for account data while leaving the rest of the recording untouched. The software can recognize when an agent is typing in a pre-determined compliance-based field and automatically pause the recording until the agent leaves that field.
Because the API call method is automatic, it removes some of the potential for human error. However, it depends on the call center’s payment software: Atmos’ integration is driven by the signals that software sends. Suppose an agent leaves the cursor in a compliance-based field, or the mouse hovering over a blocked area. Depending on how the payment software is set up, the recorder could stay paused and capture no voice audio for as long as those areas remain engaged, leaving a silent gap in the recording.
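To make that failure mode concrete, here is an added example (my own code, not CallCabinet’s or the Atmos integration) of the API call method as a small pause/resume state machine in Python. It assumes the payment application sends focus and blur notifications carrying the field name and a call-relative timestamp; the field names, the 90-second limit and the two call timelines are made up for illustration. The watchdog fails closed: a pause that runs past the limit keeps audio suppressed rather than risk capturing a card number, but it logs an alert so the silent gap is explained and the integration problem is noticed.

```python
"""Added example (not CallCabinet/Atmos code): the API call method as a
pause/resume state machine, plus a watchdog for the stuck-cursor failure mode.

Assumptions: the payment application sends focus/blur notifications with the
field name and a call-relative timestamp; field names and the 90 s limit are
made up for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SENSITIVE_FIELDS = {"card_number", "cvv"}   # assumed names of the cardholder-data fields
MAX_PAUSE_SECONDS = 90.0                     # assumed policy limit for a single pause


@dataclass
class PauseResumeRecorder:
    segment_start: float = 0.0                  # start of the audio segment currently kept
    paused_since: Optional[float] = None        # set while audio is being suppressed
    alerted: bool = False                       # watchdog already fired for this pause
    kept: List[Tuple[float, float]] = field(default_factory=list)  # intervals retained
    log: list = field(default_factory=list)     # audit trail: (event, detail, time)

    def on_focus(self, field_name: str, t: float) -> None:
        """Payment app reports that the agent entered a form field at time t."""
        if field_name in SENSITIVE_FIELDS and self.paused_since is None:
            self.kept.append((self.segment_start, t))
            self.paused_since = t
            self.log.append(("pause", field_name, t))

    def on_blur(self, field_name: str, t: float) -> None:
        """Payment app reports that the agent left a form field at time t."""
        if field_name in SENSITIVE_FIELDS and self.paused_since is not None:
            self.paused_since = None
            self.alerted = False
            self.segment_start = t
            self.log.append(("resume", field_name, t))

    def on_tick(self, t: float) -> None:
        """Called for every audio frame; detects a pause that never ended.

        Fails closed: audio stays suppressed (losing audio is better than
        capturing a card number), but an alert is logged once so the gap is
        explained and the integration problem gets fixed.
        """
        if (self.paused_since is not None and not self.alerted
                and t - self.paused_since > MAX_PAUSE_SECONDS):
            self.alerted = True
            self.log.append(("alert", "pause exceeded MAX_PAUSE_SECONDS", t))

    def on_call_end(self, t: float) -> List[Tuple[float, float]]:
        """Close the final segment and return the intervals that were retained."""
        if self.paused_since is None:
            self.kept.append((self.segment_start, t))
        else:
            self.log.append(("end_while_paused", None, t))
        return self.kept


def run_call(events, call_end: float):
    """Replay (kind, field, time) events through a fresh recorder."""
    rec = PauseResumeRecorder()
    for kind, name, t in events:
        if kind == "focus":
            rec.on_focus(name, t)
        elif kind == "blur":
            rec.on_blur(name, t)
        else:                      # "tick": an audio frame arrived
            rec.on_tick(t)
    return rec.on_call_end(call_end), rec.log


def recorded_seconds(kept) -> float:
    return sum(end - start for start, end in kept)


# Constructed timelines (seconds into the call), not captured data.
NORMAL_CALL = [("focus", "customer_name", 10.0), ("blur", "customer_name", 20.0),
               ("focus", "card_number", 30.0), ("tick", None, 40.0),
               ("blur", "card_number", 45.0),
               ("focus", "cvv", 50.0), ("blur", "cvv", 55.0)]
STUCK_CURSOR_CALL = [("focus", "card_number", 30.0), ("tick", None, 60.0),
                     ("tick", None, 130.0), ("tick", None, 190.0)]

if __name__ == "__main__":
    for label, events, end in (("normal", NORMAL_CALL, 120.0),
                               ("stuck cursor", STUCK_CURSOR_CALL, 200.0)):
        kept, log = run_call(events, end)
        print(label, "kept:", kept, "recorded s:", recorded_seconds(kept))
        for entry in log:
            print("   ", entry)
```

In the normal timeline the recorder keeps 100 of 120 seconds and the only gaps are the two card fields. In the stuck-cursor timeline the agent never leaves the card-number field, so the recorder keeps only the first 30 seconds; without the watchdog entry in the log, nobody would know why the rest of the call is missing.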
BEST – Automatic Redaction
Automatic redaction is easily the best method of ensuring PCI compliance, but it’s also the most difficult to achieve. It requires that the recording software itself be smart enough to know exactly when sensitive data is being spoken and avoid recording the audio data.
CallCabinet’s Atmos platform accomplishes this feat through its AI-driven voice analytics. The same artificial intelligence that the platform uses to mine voice recording data for specific terms and valuable customer insights can recognize when it is receiving sensitive data and automatically redacts the data from the audio recording and the call transcription files.
By automating PCI compliance in this way, Atmos takes the agent out of the loop and ensures that the only portions of each recording that are left out are the data that PCI compliance requires to be excluded. The residual risk shifts to recognition accuracy, so redaction rules should be validated against sample calls before they are relied upon.
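What “smart enough to know when sensitive data is being spoken” amounts to in practice is a detector run over the transcript. As an added example (my own code, not the Atmos implementation, whose internals this post does not describe), the Python below takes timestamped speech-to-text output, finds runs of spoken digits, uses a Luhn check to decide which runs are card numbers, uses surrounding words to catch the three- or four-digit security code that Luhn cannot catch, and emits both the redacted transcript and the audio intervals to mute. The transcript, the trigger words and the timing are constructed for the example; 4111 1111 1111 1111 is a well-known test card number, not a real account.

```python
"""Added example (not CallCabinet/Atmos code): redacting spoken card data from
a call transcript and deriving the audio intervals to mute.

Assumes the speech-to-text engine yields one (word, start_s, end_s) tuple per
token. The transcript below is constructed; 4111 1111 1111 1111 is a
well-known test card number.
"""

NUMBER_WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
                "four": "4", "five": "5", "six": "6", "seven": "7",
                "eight": "8", "nine": "9"}        # "oh" read as zero (assumption)
CVV_TRIGGERS = {"cvv", "cvc", "cvv2", "code", "security"}  # words that precede a spoken CVV
MIN_PAN, MAX_PAN = 13, 19                # PAN lengths in use; shorter runs are left alone
CVV_LOOKBACK = 4                         # tokens searched backwards for a CVV trigger


def luhn_ok(digits: str) -> bool:
    """Luhn check: True if the digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def token_digits(word: str):
    """Digits a token stands for ('four' -> '4', '4111' -> '4111'), else None."""
    w = word.lower().strip(".,")
    if w in NUMBER_WORDS:
        return NUMBER_WORDS[w]
    return w if w.isdigit() else None


def contains_pan(digits: str) -> bool:
    """True if any 13-19 digit window of the run passes Luhn.

    Customers often read the card number straight into the expiry, so the run
    may be longer than a PAN; the whole run is then redacted, because
    over-redaction is the safe direction.
    """
    for length in range(MAX_PAN, MIN_PAN - 1, -1):
        for start in range(0, len(digits) - length + 1):
            if luhn_ok(digits[start:start + length]):
                return True
    return False


def cvv_context(transcript, idx: int) -> bool:
    """True if a CVV trigger word appears in the tokens just before idx."""
    preceding = transcript[max(0, idx - CVV_LOOKBACK):idx]
    return any(w.lower().strip(".,") in CVV_TRIGGERS for w, _, _ in preceding)


def find_sensitive_spans(transcript):
    """Return (first_idx, last_idx, kind) for each run of digit tokens to redact."""
    spans, i, n = [], 0, len(transcript)
    while i < n:
        if token_digits(transcript[i][0]) is None:
            i += 1
            continue
        j, digits = i, ""
        while j < n and token_digits(transcript[j][0]) is not None:
            digits += token_digits(transcript[j][0])
            j += 1
        if contains_pan(digits):
            spans.append((i, j - 1, "PAN"))
        elif 3 <= len(digits) <= 4 and cvv_context(transcript, i):
            spans.append((i, j - 1, "CVV"))   # Luhn cannot catch a CVV; use context
        i = j
    return spans


def redact_transcript(transcript, pad: float = 0.25):
    """Return (redacted word list, [(start_s, end_s)] audio intervals to mute)."""
    span_at = {first: (last, kind) for first, last, kind in find_sensitive_spans(transcript)}
    words, mutes, skip_until = [], [], -1
    for idx, (word, start, end) in enumerate(transcript):
        if idx <= skip_until:
            continue
        if idx in span_at:
            last, kind = span_at[idx]
            words.append(f"[{kind} REDACTED]")
            # pad both ends to absorb speech-to-text timing slop
            mutes.append((max(0.0, start - pad), transcript[last][2] + pad))
            skip_until = last
        else:
            words.append(word)
    return words, mutes


def make_transcript(text: str, step: float = 0.5):
    """Constructed stand-in for ASR output: one token every `step` seconds."""
    return [(w, i * step, i * step + step) for i, w in enumerate(text.split())]


SAMPLE_TRANSCRIPT = make_transcript(
    "my order number is 5 0 2 1 8 and the card is "
    "4 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 expiry 0 4 2 9 security code 7 3 7 thanks")

if __name__ == "__main__":
    words, mutes = redact_transcript(SAMPLE_TRANSCRIPT)
    print(" ".join(words))
    print("mute:", mutes)
```

The order number survives because it is too short to be a PAN, the expiry survives because it is neither Luhn-valid nor preceded by a security-code trigger, and the card number and CVV are replaced in the text while their time ranges are returned for muting in the audio. A real deployment needs more than this: digits interrupted by filler words, partially mis-recognized numbers and other languages’ number words all need handling, which is why the rules must be validated against sample calls.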
PCI Compliance for Financial Services Companies
While nearly every business that transacts remotely is bound by PCI compliance standards, those in the financial services industry arguably have the most at stake.
Not only are these companies more likely to be the target of hackers seeking valuable data, but the cost of a financial services data breach can be especially devastating. In addition to hefty fines and legal liability, financial services companies are likely to lose critical consumer confidence and may also lose the backing of banks and other financial services providers they require to operate.
That’s why CallCabinet specializes in compliance of all kinds for the financial services industry. For these enterprises, compliance is not a matter of preference. It’s a matter of survival.