The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant. More information is available on the PCI Website.
CallTrackingMetrics securely accepts credit card payments for its services. We utilize a third party to process all credit card payments (a tokenization service). Because of this, we do not store any customer Cardholder Data.
If you collect credit card information as part of your use of the CallTrackingMetrics application, the collection of that information is not covered under CallTrackingMetrics' compliant status as a merchant. CallTrackingMetrics recommends that customers seek guidance from their legal counsel for any PCI compliance questions concerning the way they are collecting payment information from their customers.
- If you are recording phone calls and credit card information is being collected, you will need to either omit the card information from those recordings or avoid recording during those portions of the call.
- Storing card information you are collecting in any call data fields, such as recordings, transcriptions, notes, tags, keywords, etc., is not PCI compliant and is therefore prohibited by our Terms of Service.
Specific Recommendations to Protect Cardholder Data:
- Only use call recording with transcription redaction turned on: Secure call transcriptions allow the system to detect when credit card information, social security information, or phone numbers are spoken during a call, tag the call appropriately, and redact that information from your call transcriptions and associated call recording. These optional security features are available for basic transcriptions only.
- Disable call recordings: If you do not want to use transcription redaction, turn off call recordings so that you are not storing any cardholder data in your recordings. You can turn call recording on and off on the call settings page (found within the numbers menu) for each of your accounts.
- Do not input cardholder data in any other fields, such as notes, emails, etc. Doing so is a violation of our Terms of Service.
- Consider having unrecorded lines that calls can be transferred to if the caller needs to provide credit card information.
- Use stop/start call recording: Agents can stop and start call recording during a call through the softphone panel. This can also be done through the API if you are building your own interface. This is helpful when a caller needs to provide card details: the recording can be stopped for that portion of the call and then restarted for the remainder.
As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of CallTrackingMetrics. CallTrackingMetrics does not provide legal advice, and it is up to the customer to determine how to best architect their use of CTM in order to comply with applicable laws.