How to Successfully Navigate Through the Maze of Call Recording Regulations
Navigate through the maze of call recording regulations with BCH’s fully compliant communications platform. Avoid the pitfalls and preserve your budget along the way.
On the face of it, it seems straightforward to simply record calls for quality and training purposes. Indeed, it’s fair to say that before the onset of a stringent regulatory environment, this simple recording proposition posed little problem for existing legacy systems. Even with the advent of data protection, the hedges within the recording maze were low enough to afford a clear pathway to the exit and thus compliance. However, with the onset of more data protection regulations including PCI DSS, GDPR and now MiFID II, the hedges are getting taller. In fact, tall enough to block your pathway through the maze so that compliance becomes a costly and complex proposition.
‘Pause and resume’ does not and cannot secure a pathway to regulatory compliance
If you’re using ‘pause and resume,’ perhaps via an existing legacy system, this is fraught with danger. Agents may still have opportunities to misuse data, and if you’re still using unencrypted internet telephony (VoIP) then the doors are wide open to hackers. However hard you try, ‘pause and resume’ won’t cut a compliant pathway through the regulatory maze.
The regulations – PCI DSS, GDPR and MiFID II
Firstly, PCI DSS regulations demand that sensitive payment cardholder data is automatically, not manually, removed from call recordings. Even if ‘pause and resume’ is triggered through automation, it’s still only ever going to take your call recordings out of PCI DSS scope. It won’t de-scope your agents (on-site or in the field), telephones (mobile or otherwise) or any other part of your call centre environment.
Then there’s GDPR, which calls for sensitive personal data to be encrypted. As with PCI DSS regulations, neither VoIP nor procedures such as ‘pause and resume’ are suitable. Even the precise determination of what constitutes sensitive data is very complex. For example, an email address alone might not be considered sensitive, but when combined with a postcode it can be. So how can you identify and prevent staff stumbling across sensitive data when reviewing calls for quality and training? The simple answer is that without encryption, you can’t.
Finally, MiFID II completes the picture. It requires businesses within the financial services sector to record all transaction-related calls and to securely store them for a minimum of 5 years. In addition to the aforementioned problems, there’s also the time and costs associated with the effective monitoring and secure storage of audio files.
There are, of course, overlaps between PCI DSS, GDPR and MiFID II, whether in secure storage, accurate call retrieval, deletion in response to a data subject request or, as with GDPR, the right for data to be ‘forgotten’ and for access to it to be controlled.
The solution to overall compliance – a fully hosted, cloud-based communications platform
To successfully navigate this regulatory maze, any approach to compliance should be a holistic one. BCH’s PCI and MiFID compliant systems provide such an approach with an all-inclusive communications platform designed to de-scope your call recordings as well as your entire contact centre. Our platform can either sit alongside your existing legacy system or entirely replace it.
Achieving compliance is an opportunity to transfer to such a fully hosted cloud-based communications platform. Doing so can avoid additional costs with your existing systems when, for example, you have to modify procedures or buy licences every time a new or updated regulation is introduced. We provide non-disruptive automatic software updates to ensure on-going regulatory compliance.
By the very nature of call recording and agent-based PCI services, we have to ‘get in the way’ of every call as it routes through us, in-bound or out-bound, to ensure that each is recorded, logged and securely stored. BCH’s PCI Level 1 approved systems encrypt sensitive data across multiple devices, whether it emanates from mobile or VoIP lines. Data is processed within the BCH environment, not yours, so it can’t be accessed by agents. Our encryption services can be extended through speech analytics to other aspects of data, ensuring that no sensitive material whatsoever enters your call centre environment.
BCH’s systems are affordable and fully scalable: you simply pay for what you use. They follow an OPEX model rather than a CAPEX model, thus avoiding the need for any up-front capital investment.
To find out about us follow the link. To enquire about our PCI and MiFID compliant systems, call the BCH team on 0161 537 7707.
We look forward to hearing from you.