PCI DSS offers call center PCI compliance tips

With a new set of Payment Card Industry (PCI) standards in effect since October, the PCI Security Standards Council (PCI SSC) has prepared a new document to help contact centers keep in compliance with PCI Data Security Standard (DSS) 2.0 when securing cardholder data in audio recordings.

The guide, Protecting Telephone-Based Payment Card Data Information Supplement, is a .pdf file available on the PCI SSC website in the documents library. PCI standards apply to call center organizations where credit card information is passed over the phone and may be recorded and stored.

The standards have created a challenge for many call centers, particularly those in countries or regions that require the recording of transactions over the phone in the event of a dispute.

“If we look at the call centers, these are an increasingly popular method of transactions,” said Jeremy King, European regional director of the PCI SSC. “What we’re seeing globally really is that in countries around the world, regulatory bodies are saying, ‘We require these conversations to be recorded.’ This has created a unique challenge. On the one hand we [tell people not to] store the data, and on the other hand authorities are saying [that] you have to record the conversation.”

The PCI standards do not supersede government regulation. However, call centers recording calls that include credit card data, whether due to regulation or for agent training, still need to protect that information.

“Wherever possible that data should not be stored longer than it needs to be,” King said. “Be sure you understand what that means and make sure you take precautions to encrypt the data. There are some big implications. It can bring the whole call center into the arena of PCI DSS. That is quite a significant work effort that could be required.”

For example, the information supplement notes that under PCI DSS card validation, codes and values cannot be stored after authorization even if they’re encrypted. In general, cardholder data should never be stored unless it’s necessary to meet the needs of the business, PCI DSS advises.

“If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed,” the document reads. “This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.”

The report also says that Sensitive Authentication Data must not be able to be queried by database query functions, data mining or data analysis, or decryption mechanisms or sniffer tools. Encrypting sensitive authentication data is not by itself sufficient to render it non-queryable.

The document also includes tips like:

• Limit the amount of time that card information is kept on the quality assurance (QA) or recording server and CRM solution databases (both voice and screen recordings); it may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI DSS and regulatory compliance requirements. However, note that PCI DSS does not supersede local or regional laws, government regulations, or other legislative requirements.
• Use strong encryption protocols for public networks, including both wired and wireless networks used by at-home and remote agents and supervisors. For example, via a virtual private network (VPN) with Secure Socket Layer and Transport Layer SecuritySSL/TLS. Please note that Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks.
• Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography,
• Ensuring at-home or remote agents and supervisors use a two-factor authentication process.

“The call centers are very aware that this is an issue,” King said. “This gives them a common guide and a common approach. This document also points out that the industry has responded very well [to the new standards].”

For example, King said, some software vendors have created functionality to remove cardholder data from voice recordings.

However, PCI compliance in the call center remains a headache for many. 

Barney Beal is the News Director for the Business Applications and Architecture Group at TechTarget. You can follow him on Twitter at @barneybeal.