Here is a question that keeps coming up. The PCI SSC issued article number 5362 on their FAQ site about two years ago. I am not going to quote it all here, but I am going to discuss the key points of this clarification. Hopefully this post will clear this up once and for all.
The most important point of the clarification is that it applies only to call centers that record conversations between operators and customers.
The second biggest point is that ALL call center audio recordings that contain cardholder data are in scope. As such, those audio recordings must be protected to the same level as any other digital cardholder data. This includes security measures such as encryption, access restricted to business need, and the other PCI DSS security measures for protecting cardholder data (CHD).
The final major point is that the clarification applies only to the retention of CVV2, CVC2, CAV2 or CID data in the call center’s audio recordings, even though requirement 3.2.2 states that CVV2, CVC2, CAV2 or CID data must not be stored after authorization under any circumstances, even if encrypted. There are, however, strings attached to allowing CVV2, CVC2, CAV2 or CID data to be retained in the audio recordings.
- The information contained in the audio recordings must be protected according to all applicable PCI DSS requirements. This includes meeting requirement 3.4 (encryption, truncation, hashing, etc.), as well as minimizing access to the recordings, logging every access to each recording, and the other related requirements in sections 1, 2 and 3 of the PCI DSS. Compensating controls are allowed for call center audio recordings if the PCI DSS requirements themselves cannot be met.
- If a commercially available solution exists to purge the cardholder data from the audio recordings, the cardholder data MUST be purged. Once the CHD is purged, only the requirements listed in the first point above still need to be applied to the audio files. In practice this means that if your call center application has the ability to purge CHD, you must be running that purge at least daily. Even if the purge capability is an extra add-on to your call center application, you must purchase it and you must use it.
- It must not be possible to programmatically search or query the audio files for the cardholder data. Applications exist that can search certain types of digital audio recordings, and such applications must not be present anywhere on the organization’s systems. In addition, there are applications that convert audio files to text transcripts, and these are sometimes bundled with the call center application suite. Either way, text transcription of audio recordings that contain this data is not allowed, because the resulting transcript is searchable stored sensitive authentication data.
- If audio recordings are backed up to other electronic media, the copies on the backup media must also be encrypted.
I hope you now understand this important clarification.
UPDATE: On January 22, 2010, the PCI SSC issued a new clarification regarding call recordings containing CVV/CVC/CID.