It is very common nowadays for companies around the world to record telephone conversations with their clients, whether for training and monitoring purposes, for quality assurance or to review clients’ complaints. VoIP’s call recording feature has proven to be a very useful tool for improving work efficiency and providing a better experience for clients. However, with only one month left until the General Data Protection Regulation (GDPR) is enforced, companies that deal with EU nationals and wish to continue recording their clients’ calls will be required to give a legal justification explaining why personal data is being recorded and collected.
Call recording presents a further challenge when it comes to phone payments. A client may be asked to make a payment over the phone, and to do so they need to provide their credit or debit card details, including the card number, cardholder name and CV2 number. This sensitive data will also be recorded and stored on the system if the company is using the call recording feature, which breaches the rules of the Payment Card Industry Data Security Standard (PCI DSS). These rules state that a caller’s payment card details must not be recorded by a telephone system.
The situation is even more complicated if this client is an EU national. Recording their payment details will breach not only PCI DSS rules but also GDPR.
What can you do?
There are two easy ways to stay compliant when you record a telephone conversation in which a client is asked to make a payment:
1- Pause and resume recording during a conversation
A good VoIP system should enable a telephone operator to dial a simple code on the phone to pause call recording when the caller is ready to provide their payment details. On our VoIP platform, the codes are #9 to pause the recording and #8 to resume.
2- Transfer the call to another extension which is not included in the call recording regime
The customer should be able to decide which extensions on their system they want to be included or excluded from call recording. They could designate one or more extensions to be used for the purpose of capturing payment card details and these extensions would be excluded from call recording. In this situation, when a caller wants to provide their card details, the telephone operator would transfer the call to one of the special non-recorded extensions. The special extension number could be set up as a second “identity” on the same telephone – so the same operator can continue the call.
We are currently working on an alternative solution as well, using voice recognition and text-to-speech technology to integrate directly with card payment gateways such as Worldpay and Paymentsense. The idea is to completely avoid the need for a human being to handle payment card data, allowing our partners to remain PCI DSS and GDPR compliant.