One of the trickiest aspects of complying with the Payment Card Industry Data Security Standard (PCI DSS) is managing transactions made over the telephone. How do you prevent call centre agents from stealing customers' credit card details? How do you ensure recordings of phone conversations -- during which customers hand over their card details -- are protected in a way that meets the PCI DSS requirements?
A series of FAQ notices from the PCI Security Standards Council (SSC), the latest of which was issued in February, has attempted to clarify the rules. But according to many people involved in PCI call centre compliance, the notices created further confusion about how card data could be stored, if at all.
The latest attempt to define and explain the PCI DSS call recording rules (.pdf) comes in the form of a new 13-page white paper, published jointly on June 16 by Barclaycard and Visa Europe, which they hope will be endorsed by the SSC later this month.
According to Neira Jones, head of payment security at Barclaycard, the confusion arose because the early FAQs implied that card information held on PCI DSS call recordings might not present a threat, because it could not be easily mined. The argument was that it would be hard for a criminal to trawl through recordings looking for references to credit cards, which could either be spoken by the customer or recorded in the form of Dual Tone Multi-Frequency (DTMF) tones as the person keyed in his or her card information.
"The call recording FAQ said that if the data was not easily mineable (basically, in analogue voice recording), then it could be stored as long as it followed the security standard principles as outlined in the DSS," Jones said. "People were interpreting it in different ways. It generated a lot of confusion."
The new white paper outlines in detail how companies should manage card data gathered during phone transactions in a variety of circumstances. Companies, said Jones, should avoid recording calls if possible, but where recordings are required for regulatory purposes, then basic principles still apply. PCI DSS regulations stipulate that the CVV2 (three-digit security code) cannot be kept post-authorisation, and full personal account numbers cannot be kept without further protection measures. "Sensitive authentication data has never been allowed to be stored post-authorisation -- full-stop," she said.
Graham Thompson, sales director at Semafone Ltd., endorsed the same view, saying it was a mistake to think that card information could not be mined from recordings. "Every call recording can be queried. There are several analytics vendors which can analyse a whole range of different proprietary formats of call recordings," he said.
The best approach, Thompson said, is to prevent PCI DSS call centre agents from hearing card details at all, and to prevent the card details from being recorded. London-based Semafone provides technology that can be added to an existing call recording system and will intercept the DTMF tones sent by customers as they key in their card details. The Semafone system interprets the DTMF tones and sends the card details to the company's payment system, but it obscures them so the call agent hears only a plain tone, and that plain tone is also heard on the recording.
A similar approach has also been launched by Manchester-based Veritape Ltd., a producer of PCI DSS call-recording equipment. Its new CallGuard product is designed to work with any existing call-recording system, and, like Semafone, to obscure DTMF tones.
According to Cameron Ross, managing director of Veritape, CallGuard consists of two hardware devices: a decoder fitted to each call agent's phone and a filter that sits in-line in front of the PCI call centre recording equipment.
The decoder is a USB device that is fitted between the phone and the agent's PC. When it picks up a DTMF tone, it interprets the tone and places the appropriate numeric value in the payment field on the agent's screen. Optional software is also available from Veritape to obscure the numbers, showing them as asterisks on the screen.
While the agent can still hear the DTMF tones, when the conversation goes through to the central recording system, the filter takes out the tones so there is no audio record kept of the credit card details.
"The only change the contact centre needs to make is, instead of asking the customer to give card details verbally, they should ask customers to type in the details using a telephone keypad," Ross said.