Why not just encrypt call recordings to become PCI compliant?
Although the credit or debit card Primary Account Number (PAN) can be stored in an encrypted form the CVC should not be stored in any format (see FAQ Can we store the CVV on the call recording?). Encrypting the call recording presents a host of management issues that have to be administered downstream of the call recording. Encryption and decryption keys have to be distributed to the appropriate personnel, and policies have to be defined under which call recording can be decrypted (e.g. training, quality control, process optimisation, customer complaints). Where call recordings are required by external bodies (e.g. regulators), then credit card credentials have to be “white noised” before they can be shared. This manual process has to be very carefully managed because of the risk of sharing credit cards details externally.