Companies which take payments over the phone have been warned that they risk financial penalties unless they act to ensure compliance with potentially contradictory and confusing regulations.
The issue is muddled because the two bodies which police the area, the Payment Cards Industry Data Security Council and the Financial Services Authority, contradict each other over how companies should handle calls.
The FSA, for instance, may require some calls to be recorded and stored in full, while the PCI contradicts this by saying that data-sensitive parts of a call – including when the caller hands over their three-digit security code – can never be stored.
Now the DMA is aiming to clear up the confusion by publishing a set of guidance notes on the PCI’s Data Security Standard (DSS) to ensure companies achieve call compliance. The guidance notes outline strategies and technical solutions to help companies tackle this problem.
They include: providing the telephone agent with an on-screen pause/resume button so the recording can be paused at the payment processing stage of the call; the use of various applications which perform a similar function automatically; or asking the customer to enter data on their telephone keypad.
In order to work effectively, the keypad solution requires a particular type of technology that prevents the tones from being passed on to the recording. This isn't Government regulation, but payment card organisations, acting through merchant acquiring banks, have the power to impose sanctions on merchants who fail to comply.
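To make the pause/resume and keypad strategies concrete, here is an added example (not code from the article or the DMA guidance) of a recording sink that combines them. It assumes a constructed event stream in which the telephony platform delivers audio frames and DTMF key presses, and the agent desktop raises pause/resume events; the card number and security code in the sample call are fake placeholders.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Event:
    kind: str          # "audio" | "dtmf" | "pause" | "resume"
    payload: str = ""  # transcript text for audio frames, the digit for dtmf

@dataclass
class CompliantRecorder:
    """Sits between the telephony bridge and the recording archive."""
    archive: List[str] = field(default_factory=list)         # what gets stored
    gateway_digits: List[str] = field(default_factory=list)  # payment gateway only
    paused: bool = False

    def handle(self, ev: Event) -> None:
        if ev.kind == "pause":           # agent's on-screen pause button
            self.paused = True
        elif ev.kind == "resume":
            self.paused = False
        elif ev.kind == "dtmf":
            # Keypad entry: the digit is routed to the payment gateway and the
            # tone is replaced in the recording regardless of pause state, so a
            # missed pause click cannot leak the security code into storage.
            self.gateway_digits.append(ev.payload)
            if not self.paused:
                self.archive.append("[tone suppressed]")
        elif ev.kind == "audio" and not self.paused:
            self.archive.append(ev.payload)

def archive_is_clean(archive: List[str], secrets: List[str]) -> bool:
    """Compliance check: none of the sensitive values may appear in storage."""
    text = " ".join(archive)
    return not any(s in text for s in secrets)

def run_sample_call() -> CompliantRecorder:
    # Constructed sample call; card number and security code are fake values.
    rec = CompliantRecorder()
    events = [
        Event("audio", "Agent: I'll take payment now, please read your card number"),
        Event("pause"),
        Event("audio", "Caller: it is 4111 1111 1111 1111"),  # spoken while paused
        Event("resume"),
        Event("audio", "Agent: now enter the three digit code on your keypad"),
        Event("dtmf", "1"), Event("dtmf", "2"), Event("dtmf", "3"),  # no pause pressed
        Event("audio", "Agent: thank you, the payment has gone through"),
    ]
    for ev in events:
        rec.handle(ev)
    return rec
```

Running `run_sample_call()` shows the paused card number never reaches the archive and the three keypad digits are stored only as suppressed-tone markers, which is the property an auditor would check.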
Rufus Grig, managing director at Callmedia and member of the DMA Contact Centres and Telemarketing Council, said: “Compliance is crucial for anyone working in a service environment processing orders over the phone – catalogue companies, for example, or travel agents – where calls are recorded for quality monitoring, training, or regulatory compliance purposes. In short, any company dealing with the processing of card payments will either have to demonstrate some sort of compliance with the PCI or remove themselves from the scope of its requirements.”
The Guidance Notes on PCI DSS Compliance as it relates to call recording can be downloaded at http://www.dma.org.uk/sectors/cct-faq.asp