According to the Columbus Dispatch:

“Mary Ann O’Garro said a request for records in her grandson’s case revealed that Franklin County Children Services recorded some of her phone conversations with the agency. […]

O’Garro and her attorney, Susan Eisenman of Upper Arlington, said the recordings are especially troubling because the O’Garros live in the state of Washington, whose phone-recording law requires consent from both parties. […]

Ohio requires the consent of just one of the parties. Federal law is single-consent, too, but observers say past cases have left it unsettled as to whether federal or stricter state laws apply. […]

State government doesn’t have a policy on recording calls, and a few agencies surveyed say they avoid the practice.”

Advanced call recording systems can block call recordings by certain area codes, preventing situations like this all together.

Additionally, as a best practice, agencies and employers can require anyone on the phone to give notice to their customers that the call is taking place on a recorded system.  A robust quality management program can help managers enforce these policies.

CallCopy helps businesses and agencies solve problems like this every day.

» Download our Recording Laws Whitepaper today to get more information and best practices

» Learn more about how CallCopy can help your business achieve and maintain compliance

Because PCI compliance is such an important issue for contact centers, CallCopy recently sponsored DMG Consulting’s whitepaper, Payment Card Industry Data Security Standard (PCI DSS) Guide for Contact Center Managers. This guide provides critical details about PCI DSS, how it affects call recording applications and what you can do to ensure your contact center operates in compliance with the PCI DSS.

Some of the topics include:

• What is PCI DSS? The PCI DSS is a security standard that includes requirements for security management, policies, procedures, and other critical protective measures and is intended to help organizations proactively protect customer account data.
• The Implications of PCI DSS for Contact Centers – Contact centers are responsible for ensuring that all data transmission systems, network segments and data storage solutions comply with the data security standards.
• Which Standards Apply to Contact Centers? While all 12 requirements may be applicable to some degree, requirements three (protect stored cardholder data), four (encrypt transmission of cardholder data across open, public networks) and 12 (maintain a policy that addresses information security) are especially relevant to contact centers.
• How Should Contact Centers Protect Cardholder Information? There are many steps you can take to protect customer data. For example, you’ll want to ensure that all employees are properly trained about all security policies and procedures. You’re also required to make sure that the data is encrypted using strong encryption protocols.
• PCI and At-Home Agents and Supervisors – At-home agents can present additional risks to PCI compliance, but certain precautions, like ensuring that agent screen and voice conversations are recorded, can help lower the overall risk.

Download the whitepaper now or visit our PCI compliance page for more info.

We have researched this topic extensively; however,
CallCopy is not affiliated with the PCI Security Standards Council™. The information presented in this whitepaper
is based on our research using the information provided at www.pcisecuritystandards.org,
interviews with peers in the industry, and feedback from our clients.

What is PCI?

PCI stands for Payment Card Industry. The PCI Security Standards Council was
founded by American Express, Discover Financial Services, JBC, MasterCard
Worldwide, and Visa International. The
Council’s stated mission is “To enhance payment account data security by
fostering broad adoption of the PCI Security Standards.”

Who Enforces PCI?

While the PCI Security Council established and maintains
the Data Security Standards (DSS), each card brand still manages its own
compliance programs. If you have
questions or concerns regarding your company’s compliance status or the risks
and penalties for falling out of compliance, we recommend you contact the
payment brands you are contracted with.

Why All the Fuss?

We could fill volumes with the reasons that PCI Security
Standards are important, but in this case the above picture is worth 1,000
words. Identity theft is pervasive in
today’s economy, and consumers need to be protected. The PCI DSS take great measures to help
safeguard consumer account information and minimize or eliminate the potential
for identity theft.

What Are the DSS?

What follows is an outline of the PCI DSS, and notes on how
a recording system may be impacted by those standards. The full PCI DSS version 1.1 is available at www.pcisecuritystandards.org.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall
configuration to protect cardholder data

Most recording applications will
not have an impact on the existing firewall; they will be on your network
behind your firewall. This will be
different for hosted applications, however.

Requirement 2: Do not use vendor-supplied defaults
for system passwords and other security parameters

While we cannot speak for all
vendors in the industry, part of CallCopy’s standard installation procedure is
to reset/remove all default passwords. Other
measures can be taken to ensure employees do not create overly-simple
passwords. This includes the ability to
restrict any users from resetting their own passwords, thus providing the
capability to maintain a higher standard for password security (such as a
higher number of characters, requirements for both upper- and lower-case alpha,
numeric, and special characters in the password).

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Encrypting the stored data, i.e.
your audio and screen recordings, is perhaps the best way to protect the stored
cardholder data. In the unlikely
scenario that a person could access your secured data center, remove the hard
drives from your recording server or storage unit, and connect those drives to
another server, that person could access unencrypted data on those disks. It is an unlikely scenario, but after all it
happened at Los Alamos…

Requirement 4: Encrypt transmission of cardholder
data across open, public networks

Hosted systems aside, a call
recorder will be on your network behind your firewall, and will not be on an
open public network. If you offer remote
access to the system by third parties, such as a client accessing a system at
an outsourcer facility, that access should be through a secured connection such
as VPN, and not over the public Internet.

Other data transmissions that
could be encrypted include screen capture data sent from a PC to your recording
server, audio and screen files that are downloaded or streamed from the server
for playback, or recordings that are exported from the system.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus
software

Contact your vendor to see if
there is a recommended anti-virus program for the recorder. We strongly advise against installing any
anti-virus software on your existing recorder without first verifying that it
is compatible with the recording software!

Requirement 6: Develop and maintain secure systems
and applications

Most, if not all, recording
applications have sophisticated permissioning systems to ensure that
unauthorized users cannot access recordings. Exceptions may be tape recorders or units that tap a handset and save
the recordings to a local PC. Notwithstanding
those exceptions or hosted recorders, you should have the ability to restrict
user access at the network level by denying access to the server IP address, in
addition to user name and password authentication. The server itself will require authentication
through Windows for an administrator to log on.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data
by business need-to-know

User permissions should be able to
restrict what records each user can access, or deny any person from having
access to the server. You can also use
IP restrictions in your data network to further ensure the unauthorized
employees cannot reach the server from their workstations.

Requirement 8: Assign a unique ID to each person
with computer access

Whatever you do, DON’T SHARE YOUR
LOGINS!!!

Requirement 9: Restrict physical access to
cardholder data

The recording server should be in a
locked computer room / data center at your facility. For a hosted solution, check with your
hosting provider to ensure access to the server is restricted. Having encryption for your stored files is
also helpful in restricting physical access to the data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to
network resources and cardholder data

Most PCI compliant companies are
likely to have something in place that is monitoring network activity. In addition to your network management
protocols, your recorder should log user access and user activity within the
system as it pertains to accessing recordings.

Requirement 11: Regularly test security systems and
processes

While we cannot speak for other
vendors, as we add new features to cc: Discover and other CallCopy software,
part of our QA process is to conduct regression testing to ensure new components
to not have unwanted effects on existing modules.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses
information security

If your vendor has direct access
to your recorder through modem, VPN, or other means, you should ensure that
vendor has a policy for information security.

Exceptions to the DSS

“PCI DSS requirements are applicable if a PAN [Primary
Account Number] is stored, processed, or transmitted. If a PAN is not stored, processed, or
transmitted, PCI DSS requirements do not apply.”

What Can Be Stored

Information on what can and can’t be stored is reprinted
from the Payment Card Industry (PCI) Data Security Standard Version 1.1, Release:
September 2006. Descriptions for the
CVC2/CVV2/CID are taken from the Glossary available at www.pcisecuritystandards.org.

What Can’t Be Stored

*The second type of card validation value or code is the
three-digit value printed to the right of the credit card number in the
signature panel area on the back of the card. For American Express cards, the
code is a four-digit unembossed number printed above the card number on the
face of all payment cards. The code is uniquely associated with each individual
piece of plastic and ties the card account number to the plastic. The following
provides an overview:

CID Card Identification Number (American
Express and Discover payment cards)

CAV2 Card Authentication Value 2 (JCB
payment cards)

CVC2 Card Validation Code 2 (MasterCard
payment cards)

CVV2 Card Verification Value 2 (Visa
payment cards)

Recommendations

After extensive research on the Internet and through
personal interviews, we have not been able to find any conclusive rulings
regarding the PCI DSS and call recording applications. As with the two-party state recording laws,
our recommendation is to err on the side of caution and implement the solution
that best addresses the PCI DSS.

The aspect of the PCI DSS that poses the greatest challenge
to the recording industry is the prohibited storage of the CVC2/CVV2/CID – the
three- or four-digit security code, depending on the card type. This information is stored in your audio and
screen recordings.

So how can you remove or block the security code from your recordings?

Manual Editing

Manual editing is one way to remove that data, but we do
not recommend this method. It seems with
the goal of PCI DSS being to limit access to the cardholder data, manually
editing the recordings is exactly the opposite – it is requiring someone to
access the data, however temporary that access may be. Not to mention the labor requirements…

Automated Editing

There are challenges with automated editing of records as
well. A recording that has been tampered
with or edited may not be usable in court. You also need to ensure the right sections of the call are edited. This can be an automated or manual trigger
sent to the recorder to update the record with start and stop points, between
which is the sensitive data. With
CallCopy’s cc: Discover platform, we offer a bcc: Compliance module that allows
users to send these triggers, and there is a blackout applied to the sensitive
data.

If this is a manual trigger, then you are relying on your
staff to always remember to click a button to initiate and end the
process. This is obviously subject to
human error, and the result will be some recordings where an agent forgot to
start the blackout and some where the agent forgot to end it.

Our recommendation is for automated triggers based on
activity in a desktop application or web form. In this scenario, a trigger to start a blackout would be sent when an
agent clicks on the field to enter the security code, and it would end when the
agent submits the account information. This method is still not infallible, as a customer may provide account
information before the agent takes the action that starts the blackout.

Encryption

We recommend a recording system that is able to offer
encryption for your stored data as well as encryption for all client-server
communications. This includes screen
data being sent across your networks and audio/video playback.

Exported Records

Perhaps the most critical time to
encrypt calls is when they are exported from the system. We do not recommend that calls with sensitive
cardholder data be exported unless they are encrypted and password protected.

The information presented does not
constitute legal advice, and we strongly encourage anyone seeking more
detailed information to enlist the services of a lawyer who is versed
in the requirements for your industry and/or state.

In part one of this series, we explored reasons to record your calls. This included quality management and various industry regulation. In part two of this series will explore reasons not to record your calls, specifically state laws regarding two-party notification. We will also discuss ways to keep your recorder compliant.

State Recording Laws

Recent political activity has created excessive attention toward the act of recording telephone calls. We have received numerous inquiries from our clients and prospects regarding call recording and state recording laws.

Each state has its own laws regarding the recording of telephone calls. The key differentiator in these laws is the number of parties to the call that must provide informed consent to the recording. In most states, only one party must consent. In twelve states, all parties must consent.

How to Notify

There are a number of ways to alert callers that their conversation with your company is being recorded. There are also many ways to inform your employees.

Employer Agreements

Employer / Employee Agreements are perhaps the most suitable means of gaining consent from your employees. Many call centers have an employer / employee agreement that specifically states that the employee understands that their company phone calls may be recorded. This it typically a signed agreement. If consent to be recorded is an item that is included in an employee handbook or similar document, the document should include some form of signatory page to verify the employee has received and read the handbook.

Caller Notification

Inbound callers are usually notified through an announcement stating “This call may be monitored or recorded.” It is important to consider where the announcement is played in the call routing. It is often played after any touch-tone or voice prompting and before the caller is connected to an agent or a queue. Playing the notification as a message in queue is not recommended, as this will result in either bypassing the message if the caller is connected directly to an agent, or redundant announcements.

Beep Tones

Beep tones may also be used as a means of notifying callers that recording is taking place. Our research found that the requirements for a beep tone relate to its frequency and duration: the beep tone must be within 1260-1540 Hertz, and it must last .17 to .25 seconds. It must be played every 12 to 15 seconds while the call is being recorded, and it must be audible to all parties being recorded.

Which States Are Two-Party?

• California
• Connecticut
• Florida
• Illinois
• Maryland
• Massachusetts
• Michigan
• Montana
• Nevada
• New Hampshire
• Pennsylvania
• Washington

We found http://www.rcfp.org/taping/ to be a useful resource in researching state recording laws.

Canada

Our research has found Canada to only require one-party notification. As with any legal matter, if you have concerns regarding your call recording for calls to or from Canada, we recommend you contact an attorney.

But What If…

Here’s where the lines get blurry:

What if a person in a one-party state calls a person in a two-party state?

For example, a call center agent on Ohio, a one-party state, calls a person in neighboring Pennsylvania, a two-party state. If the recording takes place in Ohio, is it under Ohio’s laws and jurisdiction, or do Pennsylvania’s laws apply to its citizen? If you must record the call for compliance or regulatory requirements, you may be at risk with federal legislation if you do not record the call. But what if you are not able to obtain the callers consent?

We have not been able to find a conclusive answer for this situation! For clarification you can always check with an attorney familiar with the laws of the states and countries in which you do business.

Rock, Paper, Scissors?

Here’s what it comes down to: are you willing to play rock, paper, scissors with state and federal laws, or with the laws of two different states?

Which has precedent, the federal regulation that says all customer transactions must be recorded or the state law that requires consent from all parties to the recording?

Which state law wins if one state is one-party and the other is two-party notification, assuming the act of recording takes place in the one-party state?

Recommendations

While we have not been able to find conclusive rulings for these conflicts of laws, we do have recommendations for best practices in recording notification that will help you mitigate and possibly eliminate risk of falling out of compliance. In our professional opinion, it is best to err on the side of caution and always notify your callers of the potential for recording.

Notify Your Callers

There are many ways to notify your callers on both inbound and outbound calls.

Inbound

Most inbound callers are notified of the potential for recording by an automated message. Yes, this is the famous “This call may be recorded…” announcement!

Outbound

Outbound notification is very different. If you are using a predictive dialer, or other automated dialing technology, you may have the ability to insert a recorded notification after your customer picks up and before the call is connected to your agent, but do you want to? In a sales or collections environment this is not an ideal way to begin your interaction.

For outbound calling, we recommend you have your agents notify the customer. This can be done immediately at the beginning of the call through a scripted introduction. For example, “Hello, this is Rick with CallCopy calling on a recorded line…”

One item of caution for this type of notification: if you are speaking with more than one party, it may be necessary to restate the greeting for all parties. For example, if a person answers, hears your greeting, and then hands the phone to another member of the household you should restate the greeting when the other party comes on the line.

If you do not want to open your call with a recording notification, we recommend you do not record outbound calls to two-party states, or that you use a record on-demand function to record only the portions of the call that are required, and do so after a different notification script is used later in the call.

Record On-Demand

For any situations where your agents are providing the notification, you should have checks and balances in place to ensure your staff is adhering to the requirements. Using tools in your CRM or other systems to present scripts or reminders to the agent is helpful. You can also check for script adherence in your quality monitoring and use speech analytics software to find calls that do – or do not – contain the required scripts.

Automated Scripts

Even your best agent is prone to forget something from time to time. If your technology permits, you can create automated scripting flows or reminders in a CRM application. Having reminders or guided scripts will help minimize human error. It also reduces the training requirements for script adherence. Without reminders, your agents must always remember to recite a notification script. To train a person to do this requires repetition of the learning exercise in order for the script to stick in long-term memory. If agents are trained to follow the scripted flow, less repetition is needed in learning the correct verbiage for the actual scripts.

Quality Monitoring

If script adherence is a critical part of job performance, it should be a critical field on an evaluation form. Some quality management systems, including CallCopy’s cc: Discover and cc: Quality, will allow you to set dynamic point values for each question / response in the form. This enables you to set a higher point value and add weight to questions that have a significant impact on your business. You can also consider the use of an auto-fail flag to further weight the scoring.

By including script adherence on your evaluation forms, you should then be able to report on this specific metric to identify trends in agent or team adherence. This provides valuable insight in regard to who is or isn’t following the required scripting.

Speech Analytics

Speech analytics is a technology that will analyze recorded calls and spot key words and phrases. There are a number of solutions available. A key differentiator among the applications is the method of analysis: large vocabulary continuous speech recognition (LVCSR), or phonetic-driven engines. Both types of analytics are suitable for script adherence measurements, identifying calls where scripts are or are not used. One key to maximizing the effectiveness of speech analytics for measuring script adherence is to control the consistency in how the script is read. The longer the phrase you are searching for, the lesser the chance for false positives. Eliminating variations from the script is crucial. For example, you would not want one agent to say “Is it OK if I record this call” while another says “I would like to record this call now, is that alright?”

Speech analytics technology is not 100% accurate, but it can be effective in identifying trends in agent and team performance. It is definitely better than performing a manual audit of all of your recorded calls!

Recording Blocks and Filters

A final recommendation for managing recording to and from two-party states is through recording blocks and filters. This is a feature that may not be available in all call logging systems. This type of functionality would use call data, such as ANI (automated number identification, very similar to caller ID) or DNIS (dialed number identification service, a number identifying what number was dialed by the caller). Other data may be used such as routes in the phone system (sometimes called applications, vectors, VDN, depending on the phone system in use). The recorder will evaluate this data as it is received, and if it matches a list of restricted values the call will not be recorded. For ANI, a partial match can be used to filter based on area code. There approximately 100 area codes in the twelve two-party states.

By filtering calls to or from two-party states, and then using on-demand recording in conjunction with proper scripting, you will be able to minimize or eliminate the risk of recording calls without proper consent while still recording the calls or portions of calls that are needed for compliance.

The information presented does not constitute legal advice, and we strongly encourage anyone seeking more detailed information to enlist the services of a lawyer who is versed in the requirements for your industry and/or state.

If there are reasons you should not record your calls, why is everyone doing it?

The answer is easy. There are many good reasons to record your calls. For some it’s not a matter of choice – industry regulations mandate that they record some or all of their customer transactions. For other companies call recording and desktop screen capture are vital parts of quality, coaching, and training programs. Using the recordings in this capacity can yield tremendous returns in regard to agent development.

Industry Regulations

Many industries have federal and other regulations that make call recording a necessity. Financial institutions need records of all customer transactions, including telephone calls. Retailers, telecommunications companies, catalog houses, and ecommerce businesses need to record sales verifications.

Sales / Upsell

The Telephone Consumer Protection Act (TCPA) and the Telemarketing Sales Rule (TSR) have specific language that impacts call center operating procedures. The TCPA covers regulations regarding general consumer contact, most notably Do Not Call requirements. The TCPA does include provisions regarding the use of recordings in outbound calling, but this is different than the recording of a phone call.

The TSR has provisions requiring written or recorded verification for up-sell and cross-sell activities and for certain types of payment authorization. Many companies do not realize that the TSR applies to inbound calls as well as outbound calls. For upsell and cross-sell, where an item is sold in addition to or instead of the item that the customer was inquiring about in their call, the seller must be able to verify that full disclosure of the terms of the sale has been provided. This may be through written authorization from the customer or through audio recording.

Written disclosure is rarely the preferred method, as it prolongs the timeframe to close the sale, giving the buyer time to reconsider and cancel the order. Recorded verification enables the seller to close the sale on the spot. Also covered in the TSR is the need to have a customer’s express agreement to be charged. The rules for this verification vary slightly depending on the method of payment; Electronic Funds Transfers (EFT) and debit cards have more stringent policies than credit cards. Express agreement to be charged is required when a free trial period is followed by an automated payment cycle, regardless of the method of payment.

Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, is a federal law implemented in response to corporate accounting fiascos such as Enron, WorldCom, Tyco, and Adelphia. The Act is wide ranging, with a strong focus on accounting oversight. Call recording is beneficial to companies working to meet Sarbanes-Oxley Act requirements, as it provides an auditable source of transactional information.

Dispute Resolution

Most companies providing sales and service support via the telephone can benefit by using recorded calls to resolve disputes. For companies that are recording to meet industry regulations, these same recordings have potential for use in dispute resolution.

FDCPA

The Fair Debt Collection Practices Act (FDCPA) does not require call recording, but a recorded call may be used to settle a claim against a collector’s behavior in relation to the act. While the perceived need for this recording is subjective, the benefit from being able to effectively resolve or settle this type of dispute is clear.

Insurance Claims

Recorded calls can also be used to resolve disputes regarding insurance claims, where a recording of the primary claim is leveraged to validate what coverage was granted or denied, based on the information provided by the caller at the time of the claim. Each insurance company will likely have specific policies regarding the need for recording and acceptable use of recorded calls.

Billing Support

The Telemarketing Sales Rule (TSR) is effective in preventing many billing disputes by requiring full and complete disclosure of the terms of the sale, and express verified consent for payment. However, as many a call center manager will tell you, customers are prone to forgetting that they gave consent and agreed to the terms of sale. Using recordings in billing support is an effective way to resolve disputes. And, in the event your agent did err in his or her sales efforts, the ability to properly determine the correct course of action for the customer is paramount to retaining that customer.

Quality and Training

It may be the most well known recording of all time. Many can recite its words by heart. It is heard daily by millions:

“This call may be monitored or recorded for quality and training purposes…”

One of the more critical – and more variable – aspects of a quality program is the composition of the form itself. We recommend starting the process by designing the reports you would like to see. Keep in mind that you can gather data while you are evaluating the call, so do not limit the scope of the evaluation form to agent performance. The more information you can gather about the call itself, you can better identify trends in performance relative to specific call scenarios. For example, if you are taking billing calls, use your evaluation form to identify what products or services the call pertains to. As you collect more data, you may see trends emerge indicating a need to educate your agents or your customers on a specific product or service.

Using pre-recorded calls in the training room is a more effective tool compared to live monitoring. With recorded calls you are able to ensure that the content of the call is appropriate for where you are in your training curriculum. By doing this type of observation in the training room and not on the live call floor you are able to provide a more consistent learning experience, because all agents are learning from the same calls and the same agents. You eliminate the randomization and the wild cards inherent in live monitoring.

Coming Next…

In part two of this series will explore reasons not to record your calls, specifically state laws regarding two-party notification. We will also discuss ways to keep your recorder compliant.

The information presented does not constitute legal advice, and we strongly encourage anyone seeking more detailed information to enlist the services of a lawyer who is versed in the requirements for your industry and/or state.