Is our call center compliant? That’s a question that I get asked a lot, since I’m the CISO for a company that provides cloud contact center solutions. And the sad truth is that it often takes only a few questions to figure out that the person’s call center is probably not fully compliant, at least not under its current rules of operation.
The good news is that many of these compliance traps can be addressed fairly easily, without a lot of additional resources. I always tell people that before they assume they’re fine, they should invest in at least a short consultation with a local attorney specializing in security and compliance, but the road to compliance starts with these questions:
1. Do you record customer calls? Do you take credit card information in these calls?
If you do, you need to be aware that it is against the PCI-DSS standard—the Holy Grail of credit-card processing security—to store the CVV2 (the three- or four-digit security code usually printed on the back of the card) at any time, in any way, no matter what level of encryption or encapsulation is used. If your company routinely records the entire call, you are probably storing this number in your recordings, unless you follow special procedures to stop voice recording during the part of the transaction when the customer gives it out.
The fix: One way to handle this situation is to have the voice recording pause automatically when the agent’s cursor reaches the segment of your electronic form where credit card data is entered.
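As an added illustration of such a cursor-driven pause (example code written for this page, not taken from the article or from any vendor's product), here is a simulated recording controller with hypothetical form-field names, plus the per-call check a compliance reviewer would want: the audio that is kept must never overlap the window in which card data was entered.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical form-field names; the whole card-data block is a no-record zone, since
# CVV2 may never be stored in any form (the article's point 1).
SENSITIVE_FIELDS = frozenset({"card_number", "card_expiry", "cvv2"})


@dataclass
class RecordingController:
    """Pause/resume logic driven by the agent's form-field focus events (simulation)."""
    segments: List[Tuple[float, float]] = field(default_factory=list)    # audio kept
    suppressed: List[Tuple[float, float]] = field(default_factory=list)  # not recorded
    _seg_start: Optional[float] = None
    _pause_start: Optional[float] = None

    def call_started(self, t: float) -> None:
        self._seg_start = t

    def field_focused(self, name: str, t: float) -> None:
        # Keyed on focus, not blur, so tabbing from card_number to cvv2 never resumes.
        if name in SENSITIVE_FIELDS:
            if self._pause_start is None:            # cursor enters the card-data block
                self.segments.append((self._seg_start, t))
                self._seg_start, self._pause_start = None, t
        elif self._pause_start is not None:          # cursor moves on to a normal field
            self.suppressed.append((self._pause_start, t))
            self._pause_start, self._seg_start = None, t

    def call_ended(self, t: float) -> None:
        if self._pause_start is not None:            # call dropped mid-entry: stay paused
            self.suppressed.append((self._pause_start, t))
        elif self._seg_start is not None:
            self.segments.append((self._seg_start, t))
        self._seg_start = self._pause_start = None


def recording_excludes_card_data(ctrl: RecordingController) -> bool:
    """Per-call check: no kept segment may overlap a suppressed window."""
    overlap = lambda a, b: a[0] < b[1] and b[0] < a[1]
    return not any(overlap(s, w) for s in ctrl.segments for w in ctrl.suppressed)


def simulate_call() -> RecordingController:
    """Constructed event timeline (seconds since call start), not a real PBX or CRM feed."""
    c = RecordingController()
    c.call_started(0.0)
    c.field_focused("card_number", 40.0)   # customer starts reading the card: pause
    c.field_focused("cvv2", 60.0)          # still inside the block: stays paused
    c.field_focused("order_notes", 70.0)   # back to a normal field: resume
    c.call_ended(95.0)
    return c
```

The simulation yields kept segments (0, 40) and (70, 95) with (40, 70) suppressed; a call that drops while the cursor is still in a card field stays paused to the end.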
For instance, it’s possible to use an API to stop the voice recording just while the customer is saying or keying in their credit card information, and to resume recording immediately after that part of the conversation is complete. This way, the call center agent can enter the card data directly into the credit card processor’s system, so that it is never stored with the recordings.
2. Do you store credit card information for repeat billing?
PCI-DSS consultants commonly say that “nothing should stick” within your systems—meaning that credit card information and other sensitive data should not be stored. There are two types of PCI compliance: PCI-DSS and PA-DSS.
PCI-DSS is for merchants who accept credit cards. It is set up to protect consumers’ credit card information at the MERCHANT level. In contrast, PA-DSS is for those who process credit card information for merchants.
Why should you care? Because merchants at the PCI-DSS level—most businesses that take credit cards—are not allowed to store CVV2 in any way. If you do, you’re breaking the rules.
The fix: All credit card data should be passed through your system to a PA-DSS-certified credit card processor, who can arrange to provide you with a tokenized unique ID that could, for instance, be the last four digits of the credit card number, which you can then use for repeat billing.
3. Are you recording your call center agents’ calls?
Many organizations announce that the call will be recorded—something like “For customer service improvement purposes, this call will be recorded.”
But far fewer organizations provide this notification when the call center is making outgoing calls.
And fewer still stop to think that when they record calls, they are recording and monitoring their employees’ conversations as well as their customers’.
In most US states, notification of ALL parties is required before you record. Therefore, many legal sources advise that, to be safe, all parties should be told that they will be recorded—and given the option to opt out if they do not wish to be.
Also, some companies assume that everyone who hears this announcement knows that to “opt out,” they should hang up. Some judges have ruled that you should not make that assumption. It’s a good idea to check with an attorney to determine whether you need to specifically inform callers how they can opt out, since there are alternatives—such as a call back without recording—besides simply hanging up with no further contact.
The fix: Ask all your employees and contractors—including your call center agents—to sign a “notice and consent” document acknowledging your company’s notification that their conversations may be “monitored and recorded.” It’s a good idea to build this into your hiring and contracting processes.
4. Do you allow “barge” and “whisper” functionality? If so, monitoring might be an issue.
Some contact center software lets supervisors listen in on conversations. The whisper option lets managers speak to the agent—without the caller hearing the supervisor—to give directions on how to handle the call. Barge lets supervisors listen and break into the call if they feel it’s necessary.
In some places, these very useful options fall under regulation.
For instance, California’s call recording statute (California Penal Code Section 632(a)) prohibits eavesdropping without consent. So it might be argued that a supervisor who listens to a call without consent violates this law. The law covers recording or eavesdropping, and each state’s laws are open to interpretation, but there might at least be enough of an argument to support a lawsuit.
The fix: Your outgoing announcements should warn callers that they may be “recorded or monitored” for quality control purposes. Many attorneys suggest adding the “or monitored” to be on more solid legal ground.
These are fairly easy, low-cost or no-cost suggestions that any contact center manager can implement. They put you in a much better compliance position, and can help your firm stay out of trouble. But this article reflects only my views and extensive experience as a security-and-compliance professional, and is not intended to constitute legal advice. Readers should consult an attorney for advice on their specific situations and to evaluate overall compliance at their organizations.