Monday, February 1, 2010

New PCI Call Center Recording Rules

If your Development department (or anyone else on campus) records phone transactions, you need to take a look at the PCI Council's revised FAQ on call recordings. Depending on what your recording system captures, you may need to upgrade or replace it or, failing that, stop recording calls altogether.

The issue is recordings that capture card security codes (CVV2, CVC2, CAV2, CID). Many Development and Advancement departments record complete donor calls during phone-a-thons. These recordings have always been in scope for PCI, but as long as they were not searchable you were allowed to keep the security codes in them. In effect this was a free pass on Requirement 3.2, which prohibits storing any sensitive authentication data after authorization.

The free pass was revoked January 22 when the Council issued a revised FAQ on call center recordings. The Council stated:

    It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization; as card data can easily be extracted using freely available software.

The Council's reasoning was:

    Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors.

What does this mean? If you have a digital voice recording system, you will need to purge the security codes from all of your existing recordings, either by deleting the affected recordings outright or by removing the portion of the audio in which the code is spoken. Then you need to configure, upgrade or replace your call recording system so that the codes are never captured on new recordings, typically by pausing or muting the recording while the code is read. Note that removing the security codes does not take the recordings out of scope: a recording that captures the full card number is still cardholder data and must be protected under the rest of the standard.

The Council carved out a minor exception for analog or tape recordings, since these cannot be searched. It reinforced, however, that even these recordings remain in scope for PCI.

The complete FAQ is posted on the Council's site. Then take a look at your IT budget to see whether you have a line for new or upgraded call center recording software. Then again, maybe you don't need those recordings after all.

7 comments:

  1. Thanks for the alert. I never would have found it on the PCI Co site.

  2. What about the recordings that include full PAN only. Is this in scope?

  3. Yes, they would be in scope. See the discussion in the followup post.

  4. Most call centers these days use call recordings to listen to what their customers are asking and check the quality. They probably upgrade software for these kinds of features. I forgot where I read about it, but I believe it gives secure access to recordings too.

  5. This has changed as of Feb 17, 2010:

    "It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings."

    http://selfservice.talisma.com/display/2/kb/article.aspx?aid=5362

  6. Has anyone come across a situation where, due to the in-call mute or pause being a manual process, accidental recording takes place with the need for remediation afterwards, i.e. deletion of the call?
    If yes, what was involved?

  7. PCI council changed their FAQ format, new link to current call recording FAQ:

    http://selfservice.kb.net/article.aspx?article=5362&p=81
