Veritape Ltd.

Alkrington Hall, Alkrington, Manchester, M24 1WD, UK
tel. +44 (0) 845 899 5500 fax. +44 (0) 8458 99 55 11
website: www.veritape.com

Veritape Blog

PCI DSS compliant call recording in call centres: latest changes to FAQ by PCI SSC on 18 Feb 2010

In all areas of card payment security, governed by the Payment Card Industry Data Security Standard (PCI DSS) guidelines, it is a fundamental tenet that the 3- or 4-digit card security number is never stored following authorisation of a card transaction. The security numbers are variously called the CVV2, CVC2, CAV2 or CID, depending on the individual card payment scheme, and are printed on the front or back of the credit card. By never storing this information anywhere, in any format, there is an implicit guarantee that the person providing a merchant with the CVC actually does have the credit card in their hands.

The PCI Security Standards Council (PCI SSC) maintains a ‘frequently asked questions’ (FAQ) document which discusses how the card payment security rules apply to those operating in the contact centre space. The FAQ applies to call centres that take card payments on the phone and record phone calls using a digital telephone recorder or similar system.

The FAQ has been recently updated by the PCI SSC. The wording of the 18 Feb 2010 version of the FAQ is listed below:

Question: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

“This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.”

In response to the latest wording change, Veritape has published a White Paper interpreting how customers should apply the PCI standards to their telephone conversation recording systems.

For more information on the latest FAQ, interpretation of it, or the complete White Paper “PCI SSC update on call recording and call centres, issued Feb 2010”, please contact us.

===

About Veritape

Veritape provides call recording software to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.

Veritape is the only call recording company accredited by the PCI SSC (the ultimate rule-setting body for PCI DSS) as a Participating Organisation, and regularly provides specialist advice to banks and PCI industry groups. Veritape provides many tools for eliminating sensitive cardholder data from recorded telephone calls. More information is available at http://www.veritape.com/pci-dss-call-recording.

Veritape’s telephone monitoring software is trusted every day to improve the operations of:

  • four of the world’s five largest car manufacturers.
  • major UK travel companies.
  • finance and insurance companies of all sizes.
  • local and regional government, including Regional Trading Standards.
  • pharmaceuticals businesses and major suppliers to the NHS.
  • outsourced call centres, including the UK’s market leader.

Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, increases of between 30 and 40% in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.

For more information on our call recording systems, please see http://www.veritape.com

© Veritape Ltd 2009