CONTACT CENTER COMPLIANCE | 5 Minute Read

What to Know If Your Call Center is Storing Unredacted Call Recordings

* The compliance risks and mitigation steps referenced in this article are for informational purposes only and should not be taken as a legal advice. Please consult with your own legal counsel and compliance officer to determine risks and mitigation steps.

Operating call centers that record calls and store recorded audio files, especially those containing personal and private data like social security numbers or credit card numbers, poses several risks to companies. These risks can be broadly categorized into legal, security, and reputational risks.

Because the sensitive data a cybercriminal would be looking for is stored on individual audio files, the risk of a large-scale data breach is low. If hackers wanted to work that hard they’d have real jobs.

With that in mind, we’ll focus on the highest, most-likely risks and repercussions.

Fines, Penalties, and Increased Transaction Fees from Credit Card Companies
The Payment Card Industry Data Security Standard (PCI DSS) sets the requirements for organizations and merchants to securely process, store, and transmit credit card information to prevent fraud and data breaches.
As a merchant, you’re required to comply with PCI-DSS standards and must complete a PCI audit or attest in writing that you do. Non-compliance with PCI-DSS requirements, or falsely filling out PCI self-attestation forms, can lead to several serious repercussions for merchants, including:

Fines, Penalties, and Breach of Contracts

Call centers can incur substantial fines from payment processors and banks for failing to comply with PCI DSS standards. These fines are imposed to penalize and encourage remediation of compliance failures, especially regarding the storage of unencrypted/unredacted cardholder data within call recordings.

Increased Transaction Fees

Non-compliance may lead to higher transaction fees imposed by payment processors. For call centers, where transactions are often processed as “card not present” transactions, these increased fees can significantly affect operational costs.

Loss of Credit Card Processing Privileges

Severe non-compliance issues might result in the call center losing its ability to process credit card payments, which could cripple its operations, especially if alternative payment methods are not viable.

Increased Scrutiny and Audit Requirements

A call center found non-compliant may be subjected to more rigorous audits and assessments by QSAs, increasing the burden of compliance and the costs associated with audits and security measures.

Breach of Service Level Agreement with Creditor Clients

Storing call recordings with sensitive financial and personally-identifiable data is prohibited in many SLAs. Particularly, in EBOs and first-party collections where your call center is calling customers or patients on behalf of, or in reference to, that entity.

Even if a redaction requirement is not specifically mentioned in an SLA, your clients may assume they are, or find out through a consumer complaint or during a request to listen to a series of calls for QA oversight.

Legal Action, Litigation Costs, and Reputational Damage

Although litigation and court cases directly related to a failure to redact sensitive data from audio recordings are rare, the costs should they be brought are significant and are worth mentioning.

Compensatory Costs

In the event of a data breach involving unredacted call recordings, call centers may be responsible for covering fraud losses, card replacement costs, and the expenses of forensic investigations to identify the breach’s scope and source.

Legal Action and Litigation Costs

Call centers could face lawsuits from customers whose personal information was compromised. Legal proceedings and settlements can be financially draining and damage the call center’s reputation and client relationships.

Reputational Damage

Call centers could face lawsuits from customers whose personal information was compromised. Legal proceedings and settlements can be financially draining and damage the call center’s reputation and client relationships.

Remediation Costs

To achieve compliance, call centers will need to invest in technologies and processes to redact sensitive information from call recordings, alongside potentially upgrading their data security infrastructure. This might include implementing speech analytics software capable of automatically detecting and redacting sensitive data from audio recordings.

Operational Disruptions

Implementing the necessary changes to achieve compliance can cause operational disruptions. Training staff, modifying procedures, and integrating new technologies require time and resources, potentially affecting the call center’s efficiency temporarily.

Steps to Mitigate These Risks

Ensuring all call recordings are processed through technologies that redact sensitive information.

Regularly reviewing and updating data protection policies and practices.

Training staff on the importance of data security and compliance requirements.

Engaging with qualified security professionals to assess and improve data handling processes.