To be PCI DSS compliant, you cannot store sensitive card details such as the CV2 number or the entire long card number (PAN) as part of your call recordings, even if you need to record calls for quality control or for compliance.
The only way you can be fully PCI DSS compliant when taking card payments by phone is if the card details are neither audible to the contact centre agent nor included in the call recording. This means that ‘pause and resume’ systems are not always PCI DSS compliant as they stop the recording at the point at which the card details are being entered.
This opens you up to the possibility of agent fraud, as you have no way of knowing what is being said during the time that the recording is paused. The agent also still has access to the card details, so your contact centre and homeworkers remain in scope for PCI DSS audits.
With Syntec’s CardEasy system, call recording can be full length whilst fully complying with PCI DSS, as Syntec is a level 1 service provider. Furthermore, with CardEasy the audio to the agent is briefly dropped while the caller enters the middle six digits of their long card number and their CV2, whilst audio from the agent to the caller remains open throughout. This means that not only can the agent not hear the DTMF tones while the card details are being entered, but it also guards against the risk of the agent hearing the card numbers should the caller read them out at the same time as entering them. And whilst the whole call is being recorded, it stops the sensitive card numbers being picked up by the call recording in this situation too.