Know the rules of call recording: PCI DSS, HIPAA, and more


The phrase on everyone’s lips these days is customer engagement, to the point where what we once referred to as call centers have now become customer engagement centers. However, it’s important to never forget that customer engagement comes hand-in-hand with regulatory compliance aimed at protecting both customers and businesses. Violating regulations can cost a company the proverbial arm and a leg, both financially and in terms of reputation. And while it’s typically an organization’s legal department that is responsible for ensuring compliance, it pays for all contact center employees, but especially managers, to have a good grasp on the rules.


Regulations generally take the form of pan-national laws (e.g. EU), national laws and industry standards, and aim to prevent fraud and abuse and to protect consumer privacy. But the array of rules and regulations can make for a confusing alphabet soup of acronyms – PCI DSS; HIPAA; NACHA; TSR; TILA; FDCPA; CTR – that can be hard to make sense of and keep up with.

Things get still more complex when you take into account that some US states, such as California, have stricter requirements than those imposed by federal law, or that the rules governing EU contact centers are not fully harmonized across member countries. Then add technical and practical considerations. For example, while it’s easy to inform incoming callers that their call is being recorded, how do you do this with outbound calls? And in the US, companies that rely on auto-dialers need to know whether they’re calling a landline or a mobile number, since the Telephone Consumer Protection Act (TCPA) prohibits autodialed or pre-recorded calls to mobile numbers without the consumer’s prior express consent: calls the consumer may have to pay for but never asked to receive.

To help untangle some of this mess for the non-lawyers among us, below is a basic overview of four of the most relevant standards and regulations.


The PCI Security Standards Council (PCI SSC) was founded in 2006 by the major payment brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to maintain a common set of rules for merchants and service providers that accept credit and debit card payments, with the goal of minimizing payment card data loss, whether malicious or accidental. Its core standard is the Payment Card Industry Data Security Standard (PCI DSS), which details the security requirements for anyone processing, storing or transmitting cardholder data.

What this means is that if your organization accepts credit or debit cards, it must do so in accordance with the latest version of the standard. And while compliance isn’t a legal requirement, merchants and service providers that don’t comply are in breach of their contract with the card brands and acquirers, and could have their card acceptance privileges terminated, resulting in likely business losses.

Simply put, according to PCI DSS, no cardholder data (cardholder name, expiration date, PAN, etc.) should ever be stored unless it’s necessary to meet the needs of your business, and no sensitive authentication data (SAD), which includes card validation codes (CVV2, CVC2, CID or CAV2), personal identification numbers and full magnetic stripe data, may be stored in any digital, audio or video format (such as WAV or MP3) after authorization, even if encrypted. A recording on which the caller reads out a CVV2 is therefore a violation if that audio is retained after the transaction is authorized, no matter how well the file is protected.

So how does this affect call centers and call recording?

First and foremost, you need an order processing and recording system that masks, mutes and encrypts customer and card data. You also need to set up strict authentication controls for all employees and implement strict processes to prevent agents from, for example, writing card numbers on note pads for later entry. Finally, make sure you maintain your systems to secure configuration standards and regularly test them for vulnerabilities.

For more information about becoming PCI DSS compliant, start with the following requirements:

  1. Implement strict authentication controls for all employees with access to call recordings

  2. Maintain systems to secure configuration standards and regularly test them for vulnerabilities

  3. Make sure there’s no direct connection between the Internet and systems storing audio recordings

  4. Use a data processing system that masks the PAN when displayed (the first six and last four digits are the maximum that may be shown) and renders the PAN data unreadable when stored

  5. Encrypt all transmissions of cardholder data across public networks and clearly label, inventory and render unreadable any media used to record card information

  6. Make sure that remote agents and supervisor PCs have personal firewalls installed, have the latest version of your organization’s virus protection software and definition files, have the latest security patches installed and only use company-approved systems
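As an added illustration of items 4 and 5 above (masking the PAN wherever it is displayed, and never retaining sensitive authentication data), here is a small Python redaction pass over a call transcript. This is example code written for this article, not ZOOM’s product or a PCI SSC reference implementation: the transcript is constructed, the long digit strings in it are publicly documented test card numbers, and the HMAC key is a placeholder standing in for a key that would live in an HSM or key management service. The Luhn check separates card numbers from look-alike digit strings such as order ids, anything that passes is masked to first-six/last-four and replaced by a keyed hash for lookups, and CVV-style values are deleted outright because SAD may not be stored in any form after authorization.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data spoken after a keyword. The non-digit window is a
# heuristic for conversational transcripts (keyword and value may span a turn).
SAD_AFTER_KEYWORD = re.compile(
    r"\b(cvv2?|cvc2?|cid|cav2|security code)(\D{0,40})(\d{3,4})\b", re.IGNORECASE
)

# Constructed sample transcript (not real call data); the card number is a
# public Luhn-valid test number and the order id is deliberately Luhn-invalid.
TRANSCRIPT = """\
Agent: Can I have the card number please?
Caller: Sure, it's 4111 1111 1111 1111, expiry 09/27.
Agent: And the CVV on the back?
Caller: 123.
Agent: Thanks. For reference your order id is 1234 5678 9012 3456.
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters phone numbers and order ids out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits may be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits: str, key: bytes) -> str:
    """Keyed hash of the full PAN, so a stored reference cannot be reversed without the key."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_transcript(text: str, key: bytes) -> dict:
    """Return the redacted transcript plus what was found, for the compliance log."""
    pans = []

    def replace_pan(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw  # a long number, but not a card number: leave it alone
        pans.append({"masked": mask_pan(digits), "token": pan_token(digits, key)})
        return mask_pan(digits)

    redacted = PAN_CANDIDATE.sub(replace_pan, text)
    # SAD is dropped completely: no masked remnant, no hash, nothing to retain.
    redacted, sad_removed = SAD_AFTER_KEYWORD.subn(r"\1\2[REDACTED]", redacted)
    return {"text": redacted, "pans": pans, "sad_removed": sad_removed}


if __name__ == "__main__":
    # Placeholder key for the demo; a real deployment pulls this from an HSM/KMS.
    result = redact_transcript(TRANSCRIPT, b"placeholder-key-use-an-hsm")
    print(result["text"])
    print(result["pans"], result["sad_removed"])
```

This is a text-side control. For the audio itself, the equivalent of "mutes" in the text is pausing the recorder while the card details are taken; a transcript scan like this one is then a detective control that catches recordings where the pause did not happen, and the `sad_removed` count is the number you want to see at zero in production.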



In 1996, the US Congress enacted the sweeping Health Insurance Portability and Accountability Act (HIPAA) in order to protect people covered by health insurance by ensuring that individual health care plans are accessible, portable and renewable. More importantly to contact centers, the act also sets the standards for the storage and privacy of personal medical data and for how medical data is shared across the US health system, with the aim of preventing fraud and abuse, and it has since been amended to also cover the safe electronic storage and sharing of patient medical information. Not complying with the standards set by HIPAA can result in civil or criminal penalties.

HIPAA distinguishes between two types of organizations: covered entities and business associates. Covered entities are health plans, health care clearinghouses and health care providers (for example physicians, hospitals and pharmacies) that transmit health information electronically in connection with billing or payment. Business associates are persons or organizations that perform a function involving protected health information on behalf of a covered entity – for example, software vendors, third-party billing companies, claims processors, collection agencies or contact centers.

The most important part of HIPAA that affects contact centers is the Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule. The Privacy Rule protects all individually identifiable health information, referred to as “protected health information (PHI)”. This includes name, date of birth, social security number, address, health status and payment/billing information.

The Privacy Rule further sets out how covered entities and business associates may use and disclose personal health information, whether in written, oral or electronic format, and also establishes a person’s right to understand and control how their health information is used.

What this means for contact centers is that you need to:

Notify patients of their privacy rights and how their personal data may be used

Implement privacy procedures

Train employees so they fully understand all privacy procedures

Secure all patient records that include individually identifiable health information so anyone who isn’t authorized to view them doesn’t have access

Here are some best practices to follow to ensure that you fully comply with HIPAA.


  1. Implement strict controls over customer databases to make sure that unauthorized employees don’t have access to information about the health condition of specific individuals

  2. Implement specific policies and procedures that restrict access to PHI

  3. Record all interactions and monitor frequently for compliance and use screen analytics software.

  4. Install software that automatically masks or encrypts protected information from those without authorization to view it


In the US, the most comprehensive federal regulation aimed directly at contact centers is the Telemarketing Sales Rule (TSR). Although it targets telemarketing specifically, with the primary aim of preventing fraud and abuse, any call center that makes calls to or receives calls from consumers, or that provides, offers to provide, or arranges to provide goods or services to consumers in exchange for payment, must comply. This applies regardless of whether the calls originate outside the US, as long as they are made to consumers in the US. Some organizations, such as political campaigns, charities, third-party fundraising firms, common carriers and certain financial institutions, are exempt.

The Rule requires that sellers and telemarketers disclose certain material information before the consumer pays for any goods or services. Material information is any information a consumer needs to make an informed decision about whether to make the purchase. In general this includes disclosing the identity of the seller, the nature of the goods or services offered for sale, the full cost of all offers, any conditions or restrictions associated with the offers, and business policies, such as handling of order cancellations and returns. Sellers and telemarketers may provide this information either by mail in advance of the order or by phone during the call.

Failure to disclose any of the required information truthfully and transparently before the consumer pays for the goods or services exposes the seller or telemarketer to a civil penalty of up to $16,000 per violation (an amount the FTC adjusts for inflation).

The Rule also requires “express verifiable authorization” when payment is made by other than a credit or debit card since other payment methods aren’t equipped with proper protection against unauthorized charges or with dispute resolution rights should the customer be unhappy with the goods or services. In these cases the call center must meet a higher standard for proving authorization, even if you use the services of a third party to process or submit non-credit or debit card billing information.

Authorization is considered verifiable if obtained in one of three ways:

Advance written authorization from the consumer

An audio recording of the consumer giving express oral authorization

Written confirmation of the transaction sent to the consumer before you submit the charge for payment

Of the three, call recording – in which the consumer has to acknowledge seven pieces of information – is the fastest, most convenient and most foolproof method.

Another important facet of the TSR is its Do Not Call provisions, which prohibit telemarketers and sellers from calling numbers on the National Do Not Call Registry.

On the European front, things are a lot less clear cut, since member states have their own customized rules and regulations, but while the specifics may differ (even significantly), the intent remains the same and it’s always best to adhere to best practices (and consult local counsel) to avoid any regulatory complications.


  1. Create scripts to make sure agents disclose all required information

  2. Record all voice and screen interactions that involve phone sales or sales attempts

  3. Install speech or screen analytics software to quickly pull up relevant calls.

  4. Make sure the latest Do Not Call registry is loaded on your dialer software and that the software can automatically detect and block calls to numbers on the list

  5. Don’t deliver pre-recorded sales messages unless the consumer has given prior express written consent to receive them

  6. Make sure you have enough agents that a live agent comes on the line within two seconds of the called person’s completed greeting

  7. Use a dialer that keeps abandoned calls (answered, but not connected to a live agent within two seconds) to no more than 3% of answered calls, measured per campaign over a 30-day period


In the US, the federal Electronic Communications Privacy Act (ECPA) allows you to record telephone calls and in-person conversations as long as you have the consent of at least one party to the conversation, and thirty-eight states plus the District of Columbia have adopted similar one-party rules. The other twelve states require the consent of all parties (commonly called two-party consent).

But that still raises the question: what exactly is consent? The courts have generally held that advance notice that the call will be recorded is enough: if the called (or calling) party continues the conversation after the warning, consent is implied. In all-party consent states, agents must also consent to being recorded or monitored.

At the same time, the called or calling party may record the agent, as long as the agent is told beforehand.

In Europe, EU member states are guided by a general European directive, but each member state is responsible for enacting its own laws in line with it.


  1. If you are recording calls with customers, always announce beforehand that the call may be recorded or monitored

  2. Even if the jurisdiction you operate in only requires one-party consent, it’s good customer relations practice to notify the customer beforehand

  3. Advise agents via employee handbooks or even signed agreements that they may be recorded for training and quality control purposes

This just scratches the surface when it comes to compliance. Each country and industry brings its own set of rules, regulations and standards. But while the details are best left to a knowledgeable legal team, it’s a good idea to have a solid understanding of this complex landscape and how your contact center fits into the big picture.

Written by Communication and Training Team, ZOOM International
