Recording calls between a business and a customer is not a new phenomenon. Companies have historically relied on call recording software for a number of reasons – better agent training, improving customer service relationships, and staying in compliance – to name a few. However, new compliance rules out there aimed at protecting consumer’s personal data, have made it more challenging to know when calls can be recorded, and when they shouldn’t.  For instance, since 2006 the Payment Card Industry PCI, which consists of big players including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, have worked together to establish the PCI Security Standards Council (PCI SCC). The organization created a set of rules for merchants and service providers to follow who accept credit and debit card payments. PCI aims to ensure that all entities accepting, storing, processing, or transmitting card information maintain a secure environment. PCI Data Security Standards (DSS) are ‘rules of engagement’ for processing credit card payments. And, in addition to many other implications, these rules also impact how businesses can record, store, and process voice calls.

There are also Health Insurance Portability and Accountability Act (HIPAA) rules that govern call recording and record-keeping for traditional phone systems as well as unified communication (UC) and hosted VoIP phone systems. As with PCI DSS  rules, most HIPAA breaches are not the result of malicious misappropriation of data, but, instead, the accidental loss of data or unauthorized data access. Part of the reason for new rules is that data breaches are becoming more and more of a problem for businesses and consumers. reports that there have been 11,583,442,497 records breached that have been made public since 2005. With increasing data breaches as well as ever-changing regulations around PCI DSS and HIPAA, recording customer calls is no longer a no-brainer. Failing to get it right can levy hefty fines, and companies can take a hit in terms of their reputation.

Other considerations for mitigating risks

Dealing with recording personal information from customers’ phone calls is also tricky when you’re working in multiple US states. California, for example, has stricter requirements than those imposed by federal laws, regarding contact centers. According to PCI-DSS, storing cardholder data (cardholder name, expiration date, PAN, etc.) is a big no-no – unless it’s necessary to meet the needs of the business. And, no sensitive authentication data (SAD), may be stored in a digital, audio or video format after authorization, even if encrypted. (Source: PCI Security Standards). For those looking at how to stay compliant when it comes to recording customers, here are some tips.


  • Start with authentication controls for employees with access to call recordings
  • Look for data processing systems that mask the Primary Account Number (PAM) data and makes the data unreadable when stored
  • Encrypt all transmissions of cardholder data across all public networks


  • Understand that all identifiable patient data is personal health information and needs to be protected, including paper, electronic and voice
  • To prevent theft of data or compliance violations, avoid recording sensitive information. Set a policy requiring agents to turn off call recording and avoid storing this data in your database
  • Make sure your data runs through a network infrastructure that is up to date with the latest security and software patches to ensure safety and stability of data

UCaaS adds another layer

When it comes to looking at call recording options, it’s essential to plan for your future needs, as well as the present. A flexible call recording feature within your UC or UC as-a-Service system can help businesses quickly pivot to keep pace with changing regulations and business needs.

Organizations can avoid being on the wrong side of fines and sanctions by doing their homework, and having specific policies in place for governing the capturing, storing and accessing of customer information. If you want help balancing your UC system requirements with your compliance needs, talk to Crexendo! We’ve helped thousands of customers reap the benefits of cloud-based UC while securing customer data and maintaining compliance.