If you record phone calls where customers provide payment information, here's how to protect your business:
Recording calls that capture card numbers, CVV codes, or other payment data violates PCI DSS Requirement 3 and makes PCI compliance impossible. This puts your business at serious risk of penalties, fines, and liability for data breaches.
Essential steps to reduce your risk:
1. Implement automatic call-blocking technology (recommended)
- Use software that automatically stops recording when card numbers are detected
- This provides the best protection with minimal staff training required
- Contact your phone system provider about available call-blocking solutions
2. Create separate payment processing procedures
- Option A: Use a dedicated, non-recording phone line exclusively for payment processing
- Option B: Transfer customers to a secure payment line when taking card details
- Option C: Direct customers to online or in-person payment methods instead
3. Manual recording controls (last resort only)
- Train all staff to pause recording before taking any payment information
- Resume recording only after payment processing is completely finished
- Implement regular monitoring to ensure staff compliance
- Establish procedures to immediately report and delete any recordings containing card data
4. Document and monitor your procedures
- Include call recording policies in your security documentation
- Conduct regular quality checks on all recorded calls
- Train staff thoroughly on when and how to pause recording
- Create incident response procedures for accidental card data recording
5. Red flags that increase your risk
- Any recorded calls containing card numbers, CVV codes, or expiration dates
- Staff unsure about when to pause recording during payment calls
- No automated systems to prevent card data recording
- Recorded calls stored without regular review for payment data
- Lack of clear procedures for handling payment information over the phone
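The regular review of stored recordings called for in items 4 and 5 can be partly automated. The following is an added example, not code from the original page or from any phone system vendor; it assumes recordings have already been transcribed to text, and the call IDs and transcripts are constructed samples.

```python
import re

# Spoken digits as a speech-to-text engine might emit them (assumed vocabulary).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

# Constructed sample transcripts; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = {
    "call-001": "Sure, the card is 4111 1111 1111 1111 and it expires next year.",
    "call-002": "It's four one one one, one one one one, one one one one, one one one one.",
    "call-003": "Your order reference is 1234 5678 9012 3456, anything else?",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(transcript: str) -> list[str]:
    """Return masked card numbers (last four digits only) found in one transcript."""
    # Normalise spoken digits so "four one one one" becomes "4 1 1 1".
    tokens = [WORDS.get(t.lower().strip(".,"), t) for t in transcript.split()]
    text = " ".join(tokens)
    findings = []
    # Runs of 13 to 19 digits, allowing a single space or dash between digits.
    for m in re.finditer(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)", text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Never write the full number to a report or log.
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings

def flag_recordings(transcripts: dict[str, str]) -> dict[str, list[str]]:
    """Map call ID to masked findings for every recording that needs review."""
    flagged = {cid: find_card_numbers(t) for cid, t in transcripts.items()}
    return {cid: hits for cid, hits in flagged.items() if hits}

if __name__ == "__main__":
    for call_id, hits in flag_recordings(SAMPLE).items():
        print(call_id, hits)
```

Recordings flagged this way feed the report-and-delete procedure from item 3. A clean scan does not prove a recording is free of card data, because transcription errors and unusual phrasing can hide a number.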
The bottom line
Recording card data in phone calls makes PCI compliance impossible and creates massive liability. Implement call-blocking technology or separate payment processes immediately.
Contact your phone system provider and payment processor today to explore automated solutions - manual processes are error-prone and put your business at risk.