Comments on: New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

By: Emma Jenkins

Emma Jenkins — Thu, 30 Jun 2011 15:59:18 +0000

Oh, and http://storefrontbacktalk.com/securityfraud/new-pci-call-center-recording-advice-make-sad-go-away/ is the great article about it :-)

Emma.

By: Emma Jenkins

Emma Jenkins — Thu, 30 Jun 2011 15:57:29 +0000

Just pointing out that there is a more up-to-date guidance document from the PCI SSC about call recording and compliance here: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

Emma.

By: Jeff Man

Jeff Man — Thu, 18 Feb 2010 21:48:51 +0000

As a QSA, I’ve been telling call center clients to protect their recordings for at least five years. Now I have “proof” that recordings are in scope – and that sensitive authentication data simply should not be recorded.

@Martin – I’d check back with TrustWave in light of this latest clarification. MP3 and WAV are digital formats – so this clarification FAQ definitely applies.

By: Evan Schuman

Evan Schuman — Thu, 18 Feb 2010 14:49:55 +0000

That’s what the current clarification now says. But the phrase “in any way” is not one you want to have to defend if your QSA chooses to push it.

By: Martin

Martin — Thu, 18 Feb 2010 14:43:23 +0000

Go to the source, this is a misinterpretation of the original FAQ. You can use MP3 o WAV if you can’t query in any way the data. (Trustwave checked this in our call center).

By: Walt Conway

Walt Conway — Tue, 02 Feb 2010 16:25:44 +0000

@Joe,
My guess is Reg E call centers will be issuing banks, so they may not be subject to PCI as such. Also, the Council’s guidance said only to remove the offending security codes – you can keep the rest and protect it per PCI.

@Steve,
I agree with your points. At least from my end, I don’t know what it will cost to purge the codes from existing records. But what I find interesting is your statement that there isn’t any process to search the records which flies in the face of the Council’s position that such applications existed. BTW, what are the “storage requirements of 3 years”? I know banks have to retain financial transaction history, but merchants?

By: Steve French

Steve French — Tue, 02 Feb 2010 16:07:27 +0000

For a company to purge old recordings may well breach FSA compliance relating to tampering with recordings. Also, with call centres blanket recording 10,000+ calls per day with an original storage requirement of 3 years, (now 6 months), the process of even finding the calls with the sensitive data boggle the mind. I don’t know of any process capable of searching the millions of encrypted compressed digital audio files for calls that contain sensitive data, and then copy the recording anew without the sensitive data to maintain compliance with FSA and the companies own recording keeping needs. It seems PCI have made the ruling without considering its members.

By: Joe

Joe — Tue, 02 Feb 2010 15:40:27 +0000

So how does this work with Regulation E in call centers, where the call is required to be recorded and archived for 2 years when a caller is agreeing to use of a debit card?

By: Dave CISA/M/SP

Dave CISA/M/SP — Fri, 29 Jan 2010 17:35:01 +0000

This is scary and potentially quite expensive – implementation costs aside. This would seem to put merchants with verifcation values stored on digital audio in the position of storing prohibited data. Prohibited data retention enforcement fines can be much (many times) higher than PCI DSS non-compliance fines.

This one has the potential to be very “disruptive”

By: Walt Conway

Walt Conway — Thu, 28 Jan 2010 23:47:39 +0000

Call center recordings have been in scope for PCI for at least a year or two. The previous guidance from the PCI Council stated that if the data were digital, they had to be protected according to PCI DSS. If your recordings included the security codes (CVV2, CVC2, etc.) you got a kind of free pass so long as the recordings were protected and weren’t searchable. What changed with the January 22 revision to the FAQ (as you point out) is you can no longer store the security codes – ever – and if you store them digitally you have to scrub them out. All the Council said was that call centers are now subject to the same requirement 3.2 as everybody else.

To me, the revised FAQ is an example of the Council’s efforts to reflect current attack vectors and available technology. I can’t say I’ve ever seen a credible account of a data breach resulting from call center recordings. I’ve heard anecdotal, second-hand reports, but I classify them as urban myths. I guess the Council knows something I don’t. But I do know there are vendors with call recording apps that can interrupt the recording and not record sensitive data. My take is the Council is simply reflecting this fact and bringing call centers into line with the DSS.

Merchants with existing recordings will need to purge the CVV2/CVC2 data. In some cases, the recordings age off after a period, so it may not be a big issue or at least it can be a self-correcting one. I know one merchant who is looking at ceasing call recording until they can install an updated system. In the meantime, if you record the PANs, the PCI Council says you have to protect the recordings per PCI – nothing new there. What they added last Friday was that if you record the sensitive security codes you are going to have to stop, and then you need to find a reasonable way to purge them from your old recordings.