PCI standards for phone call recordings of payments over the phone

Does your company record calls for quality assurance or other purposes? The PCI Security Standards Council has issued supplemental guidelines, “Protecting Telephone-based Payment Card Data”, to help you maintain PCI DSS (Payment Card Industry Data Security Standard) compliance. The document is intended as supplemental guidance and does not replace or supersede PCI DSS requirements.
Why Telephone Card Payment Security is Important
In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space. Additionally, a number of regulatory bodies are requiring some companies to record and store telephone conversations in a range of situations. The Payment Card Industry Data Security Standard (PCI DSS), however, stipulates that the three-digit or four-digit card verification code or value printed on the card (CVV2, CVC2, CID, or CAV2) cannot be retained after authorization, and full primary account numbers (PANs) cannot be kept without further protection measures.

As such, there is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.

Recap: The PCI SSC FAQ
PCI SSC FAQ 5362 – Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?
This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).
It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

[Figure: stored card data chart. August 2011 chart from PCI Security Standards]

Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queriable.
For data to be considered “non-queriable” it must not be feasible for general users of the system or malicious users that gain access to the system to retrieve or access the data. Access to the types of functions listed above must be extremely limited, explicitly authorized, documented, and actively monitored. Additionally, controls must be in place to prevent unauthorized access to these functions.
Other methods that may help to render SAD non-queriable include but are not limited to:
a. Removing call recordings from the call recording solution
b. Taking the call recordings offline
c. Vaulting the call recordings
d. Enforcing dual access controls to the vaulted call recordings
e. Allowing only single call recordings to be retrieved from vaults

Before considering this option, every possible effort must first be made to eliminate sensitive authentication data. In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. There must be a documented, legitimate reason why sensitive authentication data cannot be eliminated (for example, a legislative or regulatory obligation), and a comprehensive risk assessment performed at least annually. The detailed justification and risk assessment results must be made available to the acquiring bank and/or payment card brand as applicable. This option is a last resort only, and the desired outcome is always the elimination of all sensitive authentication data after authorization. If technologies are available to fulfil PCI DSS requirements without contravening government laws and regulations, these technologies should be used.

The PCI Security Standards Council (PCI SSC) is not responsible for enforcing compliance or determining whether a particular implementation is compliant. It is the primary recommended source for all merchants to obtain current PCI DSS information.

Download the complete report here
PCI Data Security Standard (PCI DSS) Protecting Telephone-based Payment Card Data