Veritape Ltd.

Alkrington Hall, Alkrington, Manchester, M24 1WD, UK
tel. +44 (0) 845 899 5500 fax. +44 (0) 8458 99 55 11
website: www.veritape.com

Veritape Blog

Confirmation that storing credit card data in recorded telephone calls is forbidden

The Payment Card Industry Security Standards Council (PCI SSC) has formally clarified that storing sensitive credit card data in digital call recordings is forbidden

(Please note that an updated blog posting on this topic is now available.)

In an update to their ‘frequently asked questions’ document on call recording, the PCI SSC has simplified its wording, making it clear that only analogue recordings are allowed to store the 3- or 4-digit security codes from credit cards. Calls which are recorded digitally (the overwhelming majority of all call recording) cannot contain the data, known as CVC or CVV codes, even if the recording is encrypted.

Cameron Ross, Managing Director of Veritape, says “This is a sensible move by the PCI Security Standards Council. For the past 2 years, the market has seen real confusion, with QSA companies interpreting the SSC guidelines in different ways. Finally, the call centre industry has a clear message: don’t store credit card information in recorded audio. The statement by the SSC is a result of joint industry efforts to clarify this area. It shows how PCI member companies like Participating Organisations can have a real voice in the way credit card security is improved for banks and customers alike. The PCI SSC is to be commended for their work in simplifying this area. They’ve also recognised that there are a number of businesses which can help to eliminate card data from recorded telephone calls, which means all call centres can put a plan in place to improve the security of recorded telephone calls.”

This is the PCI SSC’s full statement:

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization, as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analog format after authorization is allowed, as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors. All other recordings containing cardholder data captured by call centers must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.

===

About Veritape

Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is at http://www.veritape.com/pcidss

Veritape’s software is trusted every day to improve the operations of:

  • four of the world’s five largest car manufacturers.
  • major UK travel companies.
  • finance and insurance companies of all sizes.
  • local and regional government, including Regional Trading Standards.
  • pharmaceuticals businesses and major suppliers to the NHS.
  • outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

http://www.veritape.com


© Veritape Ltd 2009