The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant. More information is available on the PCI Website.
CallTrackingMetrics is a PCI-compliant merchant and can securely accept credit card payments for its services. We utilize a third party to process all credit card payments (a tokenization service). Because of this, we do not store any customer Cardholder Data.
If you expect that potentially sensitive cardholder data is being discussed over the phone, we recommend that you take extra steps to ensure that information is not being stored. Sensitive data could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Recommendations to Protect Phone Call Data:
Enable secure transcriptions: With CallTrackingMetrics secure call transcriptions the system will detect when credit card information, social security information, or phone numbers are spoken during a call, tag the call appropriately, and redact that information from your call transcriptions and associated call recording.
Disable call recording: One way to be compliant is not to process, store, or transmit cardholder data on CallTrackingMetrics such as in call recordings. You can turn on and off call recording on the call settings page (found within the numbers menu) for each of your accounts.
Stop/start recording: If you do need to record calls, both in the CallTrackingMetrics softphone and through the API, you can allow your agents to turn on and off recording while a call is in progress, thus if sensitive information is being exchanged, it will not be recorded.
Redact Data from CTM Regularly: Redaction removes personal information from records of calls, texts, live chats and forms in your account. If you are under obligation to comply PCI, GDPR, CCPA or have other privacy concerns, you can enable redaction to manually or automatically remove personally identifying information from customer interactions in your account.
Limit Use of Call Notifications (and if they need to be turned on, refer to #7 and #8 below): Post call notifications trigger emails each time a call comes in that matches certain criteria you have set. The emails often include links to listen to the audio recording for the call. To avoid these emails being sent, simply don’t set them up for your accounts or when setting up the notification, choose to not include the audio recording field.
Enable Two-Factor Authentication to Access Account: Two-factor authentication can be turned on at the agency level within the agency settings page(“manage feature access”). With this on, the system will send users a text message with a code to enter to log into any accounts within the agency. This can be required at each login or every 30 days, whichever you prefer. This adds an extra level of security for anyone trying to access any accounts in your agency.
Expiring Media URL’s: If you have have call recording turned on, enabling this feature within the agency settings page (“manage feature access”) will ensure that links to audio recordings will only be valid for a certain amount of days. You can specify how many days when turning the feature on. This is especially important if you are using call notifications where emails are sent with links to audio recordings.
Pin Protected Media URL’s: If you have call recording turned on, enabling this feature within the agency settings page (“manage feature access”) will prompt anyone who clicks on a link to an audio recording to enter a username and password, which is set by the agency administrator. This is important if you are using call notifications where emails are sent with links to audio recordings.
As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of CallTrackingMetrics. CallTrackingMetrics does not provide legal advice, and it is up to the customer to determine how to best architect their use of CTM in order to comply with applicable laws.