What are best practices for credit cards in a call centre?
Can a call centre, which takes credit card payments, record telephone
conversations, which will obviously contain full card details, name, address, security code etc.?
Also, can it then archive these recordings for any period it wants?
Credit card data that is collected by a call centre is subject to the PCI Data Security
Standard (PCI DSS), however it is collected. The PCI restriction against storing CVV numbers
(security code) alongside the primary account number (PAN), or more simply the credit card number,
will apply. That storage
of credit card data
it is not allowed under any conditions.
Protection Act also applies, as this is personal data. So the credit card data from call
centres may only be collected in ways and for purposes that callers have consented to, and must be
protected appropriately. It then must be destroyed as soon as that purpose is achieved. In other
words, the information may not be stored indefinitely.
This was first published in May 2009