New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

Written by Evan Schuman
January 28th, 2010
Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it were written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won't say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.) The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern is overheard snatches of conversation. In theory, a cyberthief calls a call center with a series of long questions, records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details.




10 Comments

  1. Walt Conway Says:

    Call center recordings have been in scope for PCI for at least a year or two. The previous guidance from the PCI Council stated that if the data were digital, they had to be protected according to PCI DSS. If your recordings included the security codes (CVV2, CVC2, etc.) you got a kind of free pass so long as the recordings were protected and weren’t searchable. What changed with the January 22 revision to the FAQ (as you point out) is you can no longer store the security codes – ever – and if you store them digitally you have to scrub them out. All the Council said was that call centers are now subject to the same requirement 3.2 as everybody else.

    To me, the revised FAQ is an example of the Council’s efforts to reflect current attack vectors and available technology. I can’t say I’ve ever seen a credible account of a data breach resulting from call center recordings. I’ve heard anecdotal, second-hand reports, but I classify them as urban myths. I guess the Council knows something I don’t. But I do know there are vendors with call recording apps that can interrupt the recording and not record sensitive data. My take is the Council is simply reflecting this fact and bringing call centers into line with the DSS.

    Merchants with existing recordings will need to purge the CVV2/CVC2 data. In some cases, the recordings age off after a period, so it may not be a big issue or at least it can be a self-correcting one. I know one merchant who is looking at ceasing call recording until they can install an updated system. In the meantime, if you record the PANs, the PCI Council says you have to protect the recordings per PCI – nothing new there. What they added last Friday was that if you record the sensitive security codes you are going to have to stop, and then you need to find a reasonable way to purge them from your old recordings.
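The "interrupt the recording" approach the comment above refers to, as an added illustration that is not from the article or any commenter: a hypothetical pause-and-resume recorder driven by agent-desktop field events, replayed over a constructed call timeline. The event kinds, the SENSITIVE_FIELDS names and the sample call are assumptions made for the example.

```python
from dataclasses import dataclass, field
# Sensitive authentication data fields (assumed names): PCI DSS Requirement 3.2
# forbids storing them, so the recorder must not capture them in the first place.
SENSITIVE_FIELDS = {"cvv2", "cvc2", "cid"}

@dataclass
class PauseResumeRecorder:
    """Drops audio frames while the agent's cursor is in a sensitive-data field."""
    paused: bool = False
    kept: list = field(default_factory=list)   # (t_seconds, pcm_bytes) frames
    dropped: int = 0

    def on_field_focus(self, name: str) -> None:
        # Entering CVV2/CVC2/CID pauses capture; entering any other field resumes it.
        self.paused = name.lower() in SENSITIVE_FIELDS

    def on_field_blur(self, name: str) -> None:
        if name.lower() in SENSITIVE_FIELDS:
            self.paused = False

    def on_audio(self, t: float, pcm: bytes) -> None:
        if self.paused:
            self.dropped += 1           # spoken SAD never reaches storage
        else:
            self.kept.append((t, pcm))  # PAN may be here: still protect it per PCI DSS

def record_call(timeline):
    """Replay (t, kind, payload) desktop/audio events through a fresh recorder."""
    rec = PauseResumeRecorder()
    for t, kind, payload in sorted(timeline, key=lambda e: e[0]):  # stable by time
        if kind == "focus":
            rec.on_field_focus(payload)
        elif kind == "blur":
            rec.on_field_blur(payload)
        else:
            rec.on_audio(t, payload)
    return rec

def sensitive_windows_clean(rec, windows):
    """True if no kept frame lies inside any [start, end) sensitive-field window."""
    return all(not (s <= t < e) for t, _ in rec.kept for s, e in windows)

# Constructed sample call: agent opens the CVV2 field at t=10 and leaves at t=14.
SAMPLE_CALL = [
    (0.0, "audio", b"greeting"), (5.0, "audio", b"pan-digits"),
    (10.0, "focus", "CVV2"),
    (11.0, "audio", b"c1"), (12.0, "audio", b"c2"), (13.0, "audio", b"c3"),
    (14.0, "blur", "CVV2"),
    (15.0, "audio", b"thanks"),
]
```

The frames kept outside the CVV2 window still carry the PAN, so the stored file remains in scope and must be protected; only the security code is prevented from ever being recorded.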

  2. Dave CISA/M/SP Says:

    This is scary and potentially quite expensive – implementation costs aside. This would seem to put merchants with verification values stored on digital audio in the position of storing prohibited data. Prohibited data retention enforcement fines can be much (many times) higher than PCI DSS non-compliance fines.

    This one has the potential to be very “disruptive”.

  3. Joe Says:

    So how does this work with Regulation E in call centers, where the call is required to be recorded and archived for 2 years when a caller is agreeing to use of a debit card?

  4. Steve French Says:

    For a company to purge old recordings may well breach FSA compliance relating to tampering with recordings. Also, with call centres blanket recording 10,000+ calls per day with an original storage requirement of 3 years (now 6 months), the process of even finding the calls with the sensitive data boggles the mind. I don’t know of any process capable of searching the millions of encrypted compressed digital audio files for calls that contain sensitive data, and then copying the recording anew without the sensitive data to maintain compliance with FSA and the company’s own record-keeping needs. It seems PCI have made the ruling without considering its members.

  5. Walt Conway Says:

    @Joe,
    My guess is Reg E call centers will be issuing banks, so they may not be subject to PCI as such. Also, the Council’s guidance said only to remove the offending security codes – you can keep the rest and protect it per PCI.

    @Steve,
    I agree with your points. At least from my end, I don’t know what it will cost to purge the codes from existing records. But what I find interesting is your statement that there isn’t any process to search the records, which flies in the face of the Council’s position that such applications exist. BTW, what are the “storage requirements of 3 years”? I know banks have to retain financial transaction history, but merchants?

  6. Martin Says:

    Go to the source; this is a misinterpretation of the original FAQ. You can use MP3 or WAV if you can’t query the data in any way. (Trustwave checked this in our call center.)

  7. Evan Schuman Says:

    That’s what the current clarification now says. But the phrase “in any way” is not one you want to have to defend if your QSA chooses to push it.

  8. Jeff Man Says:

    As a QSA, I’ve been telling call center clients to protect their recordings for at least five years. Now I have “proof” that recordings are in scope – and that sensitive authentication data simply should not be recorded.

    @Martin – I’d check back with TrustWave in light of this latest clarification. MP3 and WAV are digital formats – so this clarification FAQ definitely applies.

  9. Emma Jenkins Says:

    Just pointing out that there is a more up-to-date guidance document from the PCI SSC about call recording and compliance here: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

    Emma.

  10. Emma Jenkins Says:

    Oh, and http://storefrontbacktalk.com/securityfraud/new-pci-call-center-recording-advice-make-sad-go-away/ is the great article about it :-)

    Emma.
