Payment card industry compliance: Protect phoned-in credit card data

Mathieu Gorge explains how to protect credit card data over the phone if you're a call centre trying to meet payment card industry compliance standards.

As my organization moves towards PCI DSS compliance, I have been asked by our call centre to look at installing a recording function on the phone system. The problem is that card transactions are taken over these phone lines, which means people's card details are recorded along with the conversation, including the security code. Payment card industry compliance states you can't store this data, so how can providers sell a product to call centres and say these recordings can be stored for any length of time unencrypted?

A number of organisations have recently been asking how they can comply with PCI DSS requirements if they have to store call records to ensure good customer service and train employees. This is a tricky question, and there does not seem to be a universal answer from Qualified Security Assessors (QSAs) who validate payment card industry compliance.

In the U.K., the Financial Services Authority introduced legislation that requires companies to record and store phone conversations. However, if you are taking customer credit card details and data over the phone, the fact that some recorded calls may contain the full details of cardholder data (CHD) is an issue as regards to PCI DSS compliance. Indeed, payment card industry compliance states that CVV (Credit Card Validation Value -- the three-digit security code) information cannot be kept and that the full personal account number cannot be kept either (it should not be stored at all or it should be truncated or hashed). So where does that leave U.K. businesses taking orders over the phone?

The advice is to work with your QSA and acquiring bank to put in place a compensating control that fits your business model and maintains the highest security levels for CHD. You will need to demonstrate that due to FSA compliance regulations, you must store this data and demonstrate that you are using every available means to protect the data to meet the original intent of PCI DSS relevant controls.

This needs to be documented using the relevant forms, validated by your QSA, and ideally it should also be discussed in detail with your acquiring bank in advance. To ensure that the compensating control is meeting the intent of the original control, tapes or disk drives (if using VOIP recording systems) used to record the information must be clearly labelled, inventoried and encrypted following PCI DSS encryption guidelines.

You should also restrict access to the physical tapes as well as logical access to the product used to record the calls, and ensure that all interaction is logged. Storage and backup of the recording solution must not become a backdoor to this solution. In addition, a destruction policy should be put in place such that call records are not kept any longer than required by FSA. Incidentally, this also helps you meet the 5th of the eight principles of the U.K. Data Protection Act, which says you should not hold data for longer than is necessary.

This is an area that the PCI Security Standards Council is focusing on more, and it would be a fair guess to expect that a working group will be created to discuss these issues and that an information supplement will be published at some stage. Meanwhile, it is advisable to find a call recording product allowing you to track logical and physical access to media containing data. It should also provide encryption features, strong authentication and detailed reporting and logging.

Return to the PCI learning guide.

Read more on Regulatory compliance and standard requirements