Overview: Best Practices for PCI Compliance
This article provides best practices information for being PCI compliant.
Best practices for collecting credit card information
Handling credit card information over the phone as a Contact Center as a Service (CCaaS) agent comes with significant responsibility and potential security risks. Ensuring the security of this sensitive information is paramount to protect both the customer and your organization from fraud and data breaches.
Here are some best practices for CCaaS agents when taking credit card information over the phone:
PCI DSS Compliance: Ensure that your organization complies with the Payment Card Industry Data Security Standard (PCI DSS). Familiarize yourself with these standards and adhere to them strictly. https://www.pcisecuritystandards.org/
Secure Environment: Work in a secure and private location, free from distractions and interruptions, when taking credit card information. Never write down or store credit card details.
Limit Access: Only authorized personnel should have access to credit card information. Access should be restricted based on job roles and responsibilities.
Encryption: Use secure and encrypted communication channels for phone calls. Avoid using public Wi-Fi networks and use a VPN if necessary.
Never Record: Do not record or store credit card information in any form, including digital notes, recordings, or paper records. Customers should not use custom fields in Workflows to capture credit card information, as this will not be PCI compliant.
Pause/Stop Recording: Use the Pause/Stop Recording module in Workflows to pause or stop the recording when customers provide sensitive cardholder data. This ensures that the sensitive information is not stored in call recordings.
Verification: Always verify the caller's identity using multiple factors, such as name, account number, or other personal information before proceeding.
Inform Customers: Inform customers at the beginning of the call that the conversation may involve the collection of sensitive information, such as credit card details. In many regions, it is also your responsibility to inform callers if the call is being recorded.
Note: The system provides the functionality via the “Say” module in Workflows to play an announcement to your callers as they are waiting to be connected to an agent.
Secure Data Entry: If you need to manually enter credit card details into a system, ensure that the system is secure and that you don't see the full credit card number on your screen. Use asterisks or placeholders when displaying numbers.
Voice Authentication: Where possible, implement voice recognition or biometric authentication systems to add an extra layer of security for identifying customers.
Note: Via open APIs from third-party voice authentication providers, this functionality can be integrated into Workflows via simple webhooks.
Limit Information Sharing: Do not discuss credit card information with colleagues, even if it's within the context of resolving an issue.
No Storage: Avoid saving credit card information on notepads, sticky notes, or any other physical or digital form including voice recordings.
Redact Information: When necessary, redact sensitive information from transcripts, recordings, or notes to protect customer data.
Note: If you have a call recording which you would like to be redacted, please contact our support team by opening a case. Include the specific interaction ID and the system will delete the recording.
Avoid Eavesdropping: Ensure that no one else can overhear the conversation while you're discussing credit card information.
Be Wary of Phishing: Be vigilant about potential phishing attempts, where fraudsters may pose as customers and request credit card information. Verify customer identity before proceeding.
Regular Training: Stay updated on the latest security practices and undergo regular training to keep your knowledge current.
Incident Reporting: If you suspect a security breach or incident, report it immediately to your organization's security team or supervisor.
Automated Redaction: Implement automated redaction solutions that can automatically detect and remove sensitive cardholder data from call recordings, replacing it with placeholders or asterisks.
Note: Embedded Workflows using the “Say” + “Gather” modules allow customers to redact specific information, such as credit card or other personal information, collected during a call.
Regular Audits: Conduct regular internal audits and assessments to ensure ongoing compliance with PCI DSS requirements.
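The Secure Data Entry, Redact Information and Automated Redaction items above all rely on the same step: find card numbers in text and replace them with asterisks. The following is an added illustration of that step over constructed transcript lines, not code from the Avaya.cx platform; it assumes a 13 to 19 digit PAN validated by the Luhn checksum, masked so that only the last four digits remain.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most non-card digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (PCI DSS allows at most first six + last four)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_transcript(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form."""
    def replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)     # fails Luhn: not a card number, leave untouched
    return PAN_CANDIDATE.sub(replace, text)


# Constructed sample transcript (not real data); 4111... is a well-known test PAN.
SAMPLE_TRANSCRIPT = [
    "Agent: I can take the card number now.",
    "Caller: It's 4111-1111-1111-1111, expiry 12/26.",
    "Agent: Thanks, and the order reference 1234 5678 9012 3456 is confirmed.",
]


def redact_sample() -> list:
    return [redact_transcript(line) for line in SAMPLE_TRANSCRIPT]


if __name__ == "__main__":
    for line in redact_sample():
        print(line)
```

Three- or four-digit CVVs and PINs are too short to detect reliably this way, which is why the redaction items are paired with pausing or stopping the recording while such data is spoken.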
Remember that protecting customer data is a shared responsibility within your organization. Always follow your company's specific policies and procedures for handling credit card information and consult with your security or compliance team for guidance when in doubt.
Best practices when recording calls on Avaya.cx
Recording calls in a contact center while maintaining data protection compliance is essential to protect sensitive customer data.
Here are some best practices for data protection when recording calls on the Avaya.cx platform:
Customer Consent and Notification: Using workflow functions, inform customers that their calls may be recorded and provide them with an option to opt out of recording if they are uncomfortable with it. Ensure that this information is provided in compliance with applicable laws and regulations.
Minimize Data Collection: Implement a policy of not recording sensitive customer data (e.g., personally identifiable information, credit card numbers, CVV codes, or PINs) during phone calls whenever possible. Encourage customers not to provide such information over the phone.
Pause/Stop Recording: Use the Pause/Stop Recording module in Workflows to pause or stop the recording when customers provide sensitive cardholder data. This ensures that the sensitive information is not stored in call recordings.
Remove Agent from the call during the collection of Credit Card Information: Where possible, use a purpose-built “Embedded Workflow” to remove the agent from the call so that the agent does not hear the credit card information.
Encrypt Information: The system uses TLS encryption by default on all WebRTC connections; it is also available on deskphones if enabled.
Secure Storage: The system allows customers to keep their recordings or offload their recordings to other data storage of their choice. If you must store recordings containing sensitive data, ensure that they are encrypted both in transit and at rest. Follow strong access controls and encryption protocols in line with data protection requirements.
Access Controls: Limit access to call recordings containing sensitive information to authorized personnel only. Implement strong authentication and authorization procedures to control who can access, view, or listen to recorded calls.
Retention Policies: Develop and enforce retention policies for call recordings. Delete recordings when they are no longer needed, or move them to your own storage solution for archiving, and ensure that the retention period aligns with recommended data protection requirements.
Remember that data protection compliance is a continuous process, and it's important to stay vigilant and adapt your practices to changes in technology and regulations to maintain the security of customer data during call recordings. Always consult with your organization's compliance and security teams for specific guidance and requirements.