PCI credit card compliance: Credit card data protection (over the phone)
As we move towards PCI credit card compliance
, I have been asked by our call centre to look at installing a recording function on the phone system (as many do). The problem is that card transactions are taken over these phone lines, which means people's card details are recorded along with the conversation, and these include the security code.
PCI says you can't store this data, so how can certain providers sell their products to call centres and say these recordings can be stored for any length of time unencrypted?
Regarding credit card data protection
, it is a requirement of the Payment Card Industry's Data Security Standard (PCI DSS)
that all records that contain the primary account number (PAN) and the CVV number (the 3-digit security code), if they are stored together (which they shouldn't be), must be encrypted. If the vendor that you've chosen doesn't produce an adequate product for that purpose, I suggest that you look for alternatives elsewhere.
This was first published in June 2009