What are best practices for credit cards in a call centre?

Expert Alan Calder explains the security and compliance challenges for call centres that record telephone conversations and credit card details.

Can a call centre, which takes credit card payments, record telephone conversations, which will obviously contain full card details, name, address, security code etc.? Also, can it then archive these recordings for any period it wants?
Credit card data that is collected by a call centre is subject to the PCI Data Security Standard (PCI DSS), however it is collected. The PCI restriction against storing CVV numbers (security code) alongside the primary account number (PAN), or more simply the credit card number, will apply. That storage of credit card data it is not allowed under any conditions.

The Data Protection Act also applies, as this is personal data. So the credit card data from call centres may only...

be collected in ways and for purposes that callers have consented to, and must be protected appropriately. It then must be destroyed as soon as that purpose is achieved. In other words, the information may not be stored indefinitely.

This was first published in May 2009



Enjoy the benefits of CW+ membership, learn more and join.

Read more on Regulatory compliance and standard requirements



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:




  • Dissecting the Hack

    In this excerpt from chapter three of Dissecting the Hack: The V3RB0TEN Network, authors Jayson E. Street, Kristin Sims and Brian...

  • Digital Identity Management

    In this excerpt of Digital Identity Management, authors Maryline Laurent and Samia Bousefrane discuss principles of biometrics ...

  • Becoming a Global Chief Security Executive Officer

    In this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, ...