PCI DSS update related to digital audio recordings containing cardholder data

PCI SSC released another update yesterday related to digital audio recordings. The update further clarifies the January 22 update on the storage of sensitive authentication data in digital audio recordings after a transaction has been authorized.

As always, I recommend that organizations look at options to avoid storing CVV or similar card validation codes in their call center recordings after authorizing transactions. If the data is stored, they face the extra burden that comes with compensating controls (documenting them, demonstrating their effectiveness, etc.).

(PCI SSC FAQ updates reproduced below)

————————————————————————————————————

PCI SSC FAQ – 5362 dated February 18, 2010


Question: Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried, recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.

————————————————————————————————————

PCI SSC FAQ – 5362 dated January 22, 2010


“It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization, as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analog format after authorization is allowed, as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors. All other recordings containing cardholder data captured by call centers must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.”

7 thoughts on “PCI DSS update related to digital audio recordings containing cardholder data”

  1. Emma Jenkins

    Yes, this is the third version of this FAQ! To help companies seeking to understand the ramifications for them, Veritape has written a white paper on this issue.

    Having clarified the wording in January, it looked as if the PCI SSC had finally established a clear definition of what constitutes PCI compliance in call recording. However, less than a month later, the wording was revised again, leaving companies who record telephone conversations and handle sensitive payment card data potentially confused.

    If you’re interested in reading a little more, please do so here http://www.veritape.com/2010/02/pci-dss-compliant-call-recording-in-call-centres-latest-changes-to-faq-by-pci-ssc-on-18-feb-2010, where you can also request the white paper titled: ‘PCI SSC update on call recording and call centres’.

    Thanks,

    Emma

  2. Emma Jenkins

    (Disclaimer: I work for Veritape. We provide PCI compliant call recording systems to contact centres.)

    As a further update to the above discussion, you may be interested to know that Veritape has just launched Veritape CallGuard – a generic ‘bolt-on’ which brings full PCI DSS compliance to *any* existing call recording system. Customers keep their existing telephony, call recorder, CRM systems, payment processes and (critically) payment provider. _Nothing_ changes in a customer’s critical IT and telephony systems, and PCI compliance for call recording is achieved incredibly quickly.

    Veritape CallGuard also dramatically reduces the potential for internal data theft, since customers never tell their card details to a contact centre agent, and the agent never sees the card details on screen.

    For more information, please see our blog post announcing the launch, here: http://www.veritape.com/2010/04/veritape-callguard-brings-pci-dss-compliance-to-any-call-recording-system/

    Thanks,

    Emma.

  3. Andy

    So does this mean I only need to become PCI compliant on voice recording if the CVC2 code can be queried in the voice recording?

    Thanks

    Andy

    • Kamal Govindaswamy (Post author)

      Andy,

      Thanks for asking the question. The short answer to your question is No.

      Storing CVC2 and similar Card Validation Codes or Values in a non-query-able audio recording still doesn’t exclude the recordings from being in scope for PCI DSS. I’m saying this based on the following excerpt from PCI SSC’s FAQ Article # 5362 dated 2/18/2010.

      “If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.”

      Remember the basic rule that you are NOT allowed to store the Card Validation Codes post authorization even if encrypted. I guess PCI SSC made this exception just in case you can’t avoid storing it in a call recording, in which case it should not be query-able. Regardless, the recording must still be considered part of the Cardholder Data Environment and all PCI DSS requirements apply to the recording.

      Hope this helps! As always, please consult with your QSA or Acquirer for further confirmation.

  4. Brian

    I’ve been asked to look into this for my employer. To clarify, if a business has a call center and records PAN, but does not ask for, and as such, does not record authorization codes (CAV2, CVC2, CVV2 or CID)... are the recordings subject to PCI DSS? If so, what needs to be done to make the recordings compliant?

  5. Brian

    Hi, I am trying to get clarification on a question that has been raised by my boss regarding PCI DSS requirements. The question is this: “If our call center records customer Primary Account Numbers (PAN), are there any requirements that apply to the related recordings?” I understand that there is guidance out on Sensitive Authentication Data (SAD) pertaining to this issue, but I wanted to get clarification on the PAN issue.
