New PCI Supplement – Protecting Telephone-Based Card Data

Today, customers can swipe credit cards in POS readers, buy from e-commerce sites online, or, quite commonly, use the telephone to complete a payment.  New guidance has just been issued by the PCI Security Standards Council aimed at securing payment card data collected via call centers and over-the-phone payments, including the data that ends up stored in call recordings.  This guidance is necessary and timely.  Card data collected over the telephone or by voice-based payment systems is often overlooked as a vulnerable payment channel and has become a target for criminals.

The PCI Council’s Protecting Telephone-Based Payment Card Data information supplement provides actionable recommendations for merchants and service providers that process payment card data over the phone.  What makes phone-based payments different from, and more exposed than, other payment channels is that calls are commonly recorded (in some industries because regulation requires it) and that, as card-not-present transactions, they involve the caller reading out the CVV2/CVC2 card validation code, so both the PAN and the sensitive authentication data can land in the recording.  It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted.  These codes must not be stored in any form, audio included.  Full primary account numbers (PANs) cannot be kept without additional protective controls: a PAN that must be stored has to be rendered unreadable wherever it is stored, for example by truncation, tokenization, or encryption with strong cryptography and proper key management.  Most payments made to call centers or over the phone with service reps are recorded.  Here’s a little PCI compliance secret for you: ‘If you don’t need it, don’t store it.’

In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space.  Until now, these phone-based transaction records have largely been treated as falling outside the scope of the PCI standards.  Merchants concerned enough about compliance to ask had heard, in effect, this answer from the PCI Council: if there is no way to extract the card data from the audio, the storage rules do not apply.  With the emergence and general acceptance of digital file formats for call recording, that assumption no longer holds: recordings can now easily be searched and the card data extracted.  More merchants are using audio recordings, but are neither encrypting nor destroying the data.
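As an added example (not code from the PCI supplement or from the original post), the following Python sanitises a post-authorization phone payment record before it is written to long-term storage, which is the practical form of the two points above: sensitive authentication data fields (CVV2/CVC2, track data, PIN) are dropped outright rather than encrypted; the PAN is kept only as a truncated form plus a keyed hash for lookup; and free-text fields such as an agent transcript are scanned for Luhn-valid digit runs and read-back security codes, since those are exactly the searchable, extractable data the paragraph warns about. The record layout, field names, the sample record and the HMAC key are assumptions of this example.

```python
import hashlib
import hmac
import re

# Placeholder key so the example runs offline. A real deployment keeps this in a
# key manager or HSM, never in source (assumption of this example).
LOOKUP_KEY = b"example-hmac-key-do-not-use-in-production"

# Field names treated as sensitive authentication data (SAD): dropped outright,
# never stored after authorization, encrypted or not (PCI DSS Req. 3.2).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cav2",
              "track", "track1", "track2", "pin", "pin_block"}

# 13-19 digits, optionally separated by spaces or hyphens (ISO/IEC 7812 PAN lengths).
PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")

# "security code 123", "CVV: 4567" and similar, as read back by caller or agent.
SAD_IN_TEXT = re.compile(r"\b(security code|cvv2?|cvc2?|cid|cav2)\b\W{0,3}\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by card numbers; filters order IDs and phone numbers out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits are kept."""
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(digits: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed hash of the full PAN for matching and lookup.

    A plain unkeyed SHA-256 of a PAN is brute-forceable (the BIN is public and the
    Luhn digit is determined), so an HMAC under a protected key is used instead.
    """
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def mask_text(text: str) -> str:
    """Mask Luhn-valid PANs and strip read-back security codes from free text."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)

    text = PAN_RUN.sub(_mask, text)
    return SAD_IN_TEXT.sub(lambda m: f"{m.group(1)} [removed]", text)


def sanitize_record(record: dict, key: bytes = LOOKUP_KEY) -> dict:
    """Return the storable form of a post-authorization phone payment record."""
    out = {}
    for name, value in record.items():
        lname = name.lower()
        if lname in SAD_FIELDS:
            continue                                   # never stored, not even encrypted
        if lname == "pan":
            digits = re.sub(r"\D", "", str(value))
            out["pan_truncated"] = truncate_pan(digits)  # what staff are allowed to see
            out["pan_ref"] = pan_reference(digits, key)  # what matching/lookup uses
        elif isinstance(value, str):
            out[name] = mask_text(value)               # transcripts, notes, free text
        else:
            out[name] = value
    return out


# Constructed sample record (the PAN is the standard Visa test number).
SAMPLE_RECORD = {
    "call_id": "c-0001",
    "agent": "a.smith",
    "pan": "4111-1111-1111-1111",
    "expiry": "12/29",
    "cvv2": "123",
    "amount": "49.99",
    "transcript": "Agent: please read the card number. "
                  "Caller: 4111 1111 1111 1111, security code 123.",
}

if __name__ == "__main__":
    for k, v in sanitize_record(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The sanitiser is a backstop for data that has already landed in structured records and transcripts; keeping the digits out of the recording in the first place (pausing the recording or masking DTMF tones while the card details are taken) is the stronger control. Two caveats: the Luhn filter only catches numbers that appear as digits, not ones transcribed in words, and storing both a truncated and a hashed form of the same PAN is only acceptable because the hash is keyed and the key is protected; with an unkeyed hash the two together would let an attacker reconstruct the PAN.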

Key points:

  • Explains how PCI DSS applies to cardholder data stored in call recording systems.
  • Recommendations for assessing the risk of call center operations and the controls that apply to them.
  • Specific guidance on storage of sensitive authentication data, including suggested methods for meeting PCI DSS Requirement 3.2.
  • Guidance on some of the key considerations call centers face when implementing PCI DSS requirements.