20 Jul 09

Is My Call Center In Scope?

Here is a question that keeps coming up. The PCI SSC issued article number 5362 on its FAQ site about two years ago. I am not going to quote it all here, but I am going to discuss the key points of this clarification. Hopefully this post will clear this up once and for all.

The most important part of the clarification is that it only applies to call centers that record operator conversations with customers.

The second biggest point of clarification is that ALL call center audio recordings are in scope. As such, those audio recordings must be protected to the same level as any other digital cardholder data. This includes security measures such as encryption, access restricted to those with a business need, and the other PCI recommended security measures for protecting cardholder data (CHD).

The third major point is that this clarification applies only to the retention of CVV2, CVC2, CAV2 or CID data in the call center's audio recordings, even though requirement 3.2.2 states that CVV2, CVC2, CAV2 or CID data must not be retained under any circumstances. However, there are some strings attached to allowing CVV2, CVC2, CAV2 or CID data to be retained in the audio recordings.

  • The information contained in the audio recordings must be protected according to all applicable PCI DSS requirements. This includes meeting requirement 3.4 (encryption, hashing, etc.), as well as minimizing access to the recordings, logging access to each recording, and the other related PCI DSS requirements in sections 1, 2 and 3 of the PCI DSS. Compensating controls for achieving these requirements are allowed for call center audio recordings if the PCI DSS requirements cannot be met directly.
  • If a commercially available solution exists to purge the cardholder data from the audio recordings, the cardholder data MUST be purged. If the CHD is purged, then only the requirements in 1.1 need to be applied to the audio files. This means that if your call center application has the ability to purge CHD, you must be running that purge capability at least daily. Even if that purge capability is an extra add-on to your call center application, you must purchase it and you must use it.
  • The audio files cannot be programmatically searched or queried for the cardholder data. Applications that can search certain types of digital audio recordings must not be present anywhere on the organization's systems. In addition, there are applications that convert audio files to text transcripts, and sometimes these applications are provided as part of the call center application suite. Either way, text transcription of audio recordings is not allowed.
  • If audio recordings are backed up to other electronic media, the audio recordings must be encrypted on the backup media.

I hope you now understand this important clarification.

UPDATE: On January 22, 2010, the PCI SSC issued a new clarification regarding call recordings containing CVV/CVC/CID.


2 Responses to “Is My Call Center In Scope?”


  1. July 21, 2009 at 10:15 AM

    Thank you for your comments Emma. In regards to your first question, it would be nice to be able to avoid such information in any recording, but that is just not realistic. Unfortunately not every call center will have the budget to introduce new technology like yours into the mix. As a result, for at least the time being, call centers will have to have an option to handle CHD in their call recordings without incurring additional expense. However, as time goes on, call centers will be expected to deal with this situation by adopting the necessary technology to remove that information from their recordings.

    In regards to your second question, your solution is exactly what the PCI SSC considers ‘commercially viable’. Based on my understanding, the PCI SSC was trying to keep call centers away from the more sophisticated products that supposedly go through audio recordings searching for key words or phrases such as ‘credit card number’ or ‘CVV’ and the like and then supposedly get rid of the sensitive information. I have been through a number of product demonstrations of these solutions and they work really slick in the demonstration but are a nightmare to implement and make work in the real world.

  2. July 21, 2009 at 9:14 AM

    Hi PCI Guru,

    Two points of response for you. (Disclosure first: I work for a business, Veritape, which is a provider of PCI DSS compliant call recording systems.)

    1. In our view, the only way to comply with these regs is to simply _not_ store the sensitive authentication data in the recordings in the first place. There are a couple of ways to do that, one being listed here: http://www.veritape.com/our-product/compliance/pci-dss-call-recording/.

    2. The ‘commercially reasonable’ phrase in the PCI SSC article is one which I find interesting. Veritape gets many questions from its customers along the lines of “what IS commercially reasonable?”. What are your thoughts on that?

    Interested to hear your thoughts,

    Emma Jenkins
    Veritape
