The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard, maintained by the PCI Security Standards Council, for organizations that handle cardholder data for the major debit, credit, prepaid and ATM card brands. Every merchant that stores, processes, or transmits cardholder data must comply with it. More information is available on the PCI Security Standards Council website.
CallTrackingMetrics is a PCI-compliant merchant and can securely accept credit card payments for its services. All credit card payments are handled by a third-party payment processor that tokenizes the card: the processor keeps the card details and returns only a token that stands in for the card number. Because of this, CallTrackingMetrics never stores customer cardholder data.
If you resell our services to your customers and their payments are not processed through CallTrackingMetrics, those transactions are not covered by CallTrackingMetrics' compliance status as a merchant; you, not CallTrackingMetrics, are responsible for their PCI DSS compliance. CallTrackingMetrics recommends that customers seek guidance from their legal counsel for any compliance questions concerning the way they accept payments from their customers.
In addition, if cardholder data may be spoken during a call, take extra steps to secure access to any recording of that call. Under PCI DSS, cardholder data means the primary account number (PAN) together with the cardholder name, expiration date and service code; the card verification code (CVV2/CVC2/CID) and PIN are sensitive authentication data and may not be retained after authorization at all, which includes keeping them inside a recording. Other personal details a caller may give, such as an address or social security number, are not cardholder data under PCI DSS, but they are personally identifiable information regulated by other privacy laws and deserve the same protection.
Recommendations to Protect Phone Call Data:
1. Disable Call Recording: The simplest way to stay compliant is to never process, store, or transmit cardholder data on CallTrackingMetrics, and call recordings are the most likely place for it to end up. You can turn call recording on and off on the call settings page (found within the numbers menu) for each of your accounts.
2. Limit Use of Call Notifications (if they must stay on, see #4 and #5 below): Post-call notifications trigger an email each time a call comes in that matches criteria you have set, and those emails often include a link to listen to the call's audio recording. To avoid sending such emails, either do not set up notifications for your accounts or, when setting up a notification, choose not to include the audio recording field.
3. Enable Two-Factor Authentication for Account Access: Two-factor authentication can be turned on at the agency level within the agency settings page ("manage feature access"). With it on, the system sends each user a text message containing a code that must be entered to log into any account within the agency. You can require the code at every login or once every 30 days. This adds an extra barrier for anyone trying to access accounts in your agency with a stolen or guessed password; note that SMS codes are weaker than an authenticator app, since they can be intercepted by SIM swapping, so keep the rest of these controls in place as well.
4. Expiring Media URLs: If call recording is turned on, enabling this feature within the agency settings page ("manage feature access") ensures that links to audio recordings are only valid for a set number of days, which you specify when turning the feature on. Choose the shortest window that still lets staff do their work, because notification emails are forwarded and retained long after they are read. This is especially important if you use call notifications that send emails with links to audio recordings.
5. PIN-Protected Media URLs: If call recording is turned on, enabling this feature within the agency settings page ("manage feature access") prompts anyone who clicks a link to an audio recording to enter a username and password, set by the agency administrator. Distribute that credential separately from the notification emails, never inside them. This is important if you use call notifications that send emails with links to audio recordings.
As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of CallTrackingMetrics. CallTrackingMetrics does not provide legal advice, and it is up to the customer to determine how to best architect their use of CTM in order to comply with applicable laws.