PCI credit card compliance: Credit card data protection (over the phone)

Alan Calder discusses PCI credit card compliance and explains the importance of encryption to credit card data protection when primary account numbers (PANs) and CVV numbers are recorded over the phone.

As we move towards PCI credit card compliance, I have been asked by our call centre to look at installing a recording function on the phone system (as many do). The problem is that card transactions are taken over these phone lines, which means people's card details are recorded along with the conversation, and these include the security code.

PCI says you can't store this data, so how can certain providers sell their products to call centres and say these recordings can be stored for any length of time unencrypted?

Regarding credit card data protection, it is a requirement of the Payment Card Industry's Data Security Standard (PCI DSS) that all records that contain the primary account number (PAN) and the CVV number (the 3-digit security code), if they are stored together (which they shouldn't be), must be encrypted. If the vendor that you've chosen doesn't produce an adequate product for that purpose, I suggest that you look for alternatives elsewhere.

This was last published in June 2009
