To be PCI DSS compliant you cannot record and store sensitive payment card details in call recordings of conversations between customers and agents, even if you need to record calls for quality control or regulatory purposes. The CV2 (card security code) must never be stored after authorisation, and the long card number (PAN) may only be stored if it is rendered unreadable, for example by encryption, truncation or tokenisation.
In the past, pause and resume (or 'stop/start') systems were sometimes recommended to overcome this, but they are no longer seen as fit for purpose (see our blog post on this topic explaining why pause and resume is dead) and may even put you in conflict with financial regulators that require you to keep full-length call recordings.
The only way to be fully PCI DSS compliant when taking card payments by phone is to ensure the card details are neither audible to the contact center agent nor captured in call recordings, as with DTMF payment solutions such as Syntec's CardEasy system.
Call recording when using CardEasy can be full length whilst fully complying with PCI DSS, because the DTMF tones generated when the customer keys their card number on their phone keypad are masked, so the touchtones (and therefore the card digits) cannot be decoded from the call recordings or anywhere else downstream. The point of the design is that masking happens upstream of the recorder: a recording that captured the raw tones could be decoded later, whatever the agent heard at the time.
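To show why raw DTMF in a recording is a liability, here is an added Python example (not Syntec's or CardEasy's code, and not part of the original post). A 20 ms Goertzel detector recovers every keyed digit from constructed 8 kHz telephony audio, and the same detector used as a masking filter blanks the tone frames so that nothing can be recovered afterwards. The sample audio, the 8 kHz/16-bit-style float representation, the 60 ms tone / 40 ms gap timing and the detection thresholds are all assumptions for the demonstration.

```python
"""DTMF digits in an unmasked call recording can be recovered with a few
lines of signal processing; masking the tone frames removes that exposure.
Pure-Python Goertzel detector, no third-party packages required."""
import math

SAMPLE_RATE = 8000            # assumed narrowband telephony rate (Hz)
FRAME = 160                   # 20 ms analysis frame at 8 kHz
LOW_FREQS = (697, 770, 852, 941)          # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)     # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
MIN_POWER = (0.05 * FRAME / 2) ** 2       # tone must exceed ~5% of full scale (assumed)
MIN_RATIO = 4.0                           # winning tone must dominate its group (assumed)


def synth_dtmf(digits, tone_ms=60, gap_ms=40, amplitude=0.5):
    """Constructed test audio: each key as a dual tone followed by silence."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[col]
        for n in range(SAMPLE_RATE * tone_ms // 1000):
            t = n / SAMPLE_RATE
            samples.append(amplitude * (math.sin(2 * math.pi * f_low * t)
                                        + math.sin(2 * math.pi * f_high * t)))
        samples.extend([0.0] * (SAMPLE_RATE * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq):
    """Squared magnitude of the frame's DTFT at `freq` (a single DFT bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the DTMF key present in one frame, or None if no valid tone pair is found."""
    low = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(LOW_FREQS)), reverse=True)
    high = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(HIGH_FREQS)), reverse=True)
    (p_low, row), (p_low2, _) = low[0], low[1]
    (p_high, col), (p_high2, _) = high[0], high[1]
    if p_low < MIN_POWER or p_high < MIN_POWER:
        return None                       # too quiet to be a keypress
    if p_low < MIN_RATIO * p_low2 or p_high < MIN_RATIO * p_high2:
        return None                       # no single dominant tone per group: speech or noise
    return KEYPAD[row][col]


def frames(samples):
    """Yield (start_index, frame) for each full 20 ms frame of the audio."""
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        yield start, samples[start:start + FRAME]


def decode(samples):
    """Digits keyed during the recording, collapsing consecutive frames of the same key."""
    digits, last = [], None
    for _, frame in frames(samples):
        key = detect_digit(frame)
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


def mask_dtmf(samples):
    """Copy of the audio with every frame that carries a DTMF key replaced by silence."""
    out = list(samples)
    for start, frame in frames(samples):
        if detect_digit(frame) is not None:
            out[start:start + FRAME] = [0.0] * FRAME
    return out


if __name__ == "__main__":
    keyed = "123456"                      # constructed digits, not a real card number
    recording = synth_dtmf(keyed)
    print("unmasked recording decodes to:", decode(recording))
    print("masked recording decodes to:  ", repr(decode(mask_dtmf(recording))))
```

The detector is deliberately simple (no twist or guard-time checks), but it is enough to make the point: anyone with a copy of an unmasked recording can pull the keyed digits out offline, so the masking has to be applied to the audio before the recorder ever sees it, not as a post-processing step whose failures go unnoticed.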
When CardEasy is used mid-call, the agent talks to the customer throughout and stays in control of the call and the transaction, but the audio path from the customer to the agent is dropped very briefly while the caller enters the middle six digits of their long card number, and again while they enter their CV2.
This means not only that the agent cannot hear the DTMF tones while the customer keys the card numbers, but also that the numbers cannot be overheard or picked up in call recordings should the caller happen to read them out aloud while keying them on their handset, as sometimes happens. Other DTMF systems do not do this, so card numbers can slip into your call recordings, leaving you with the problem of not knowing which recordings now contain card numbers, which is of course the compliance issue you were trying to avoid in the first place.