Client discussions lately have been revolving around the new call center FAQ out on the PCI SSC Web site. Most of our clients are arguing with us about why pre-authorization data is ending up in scope? After all, when a customer places an order via the telephone, it is pre-authorization data. The answer is that it all comes down to timing.
Everyone understands that call centers routinely record calls to ensure service quality. For those call centers that provide order entry, those recordings have a high likelihood of recording information that the PCI SSC and the card brands consider sensitive such as the cardholder name, primary account number (PAN), expiration date and sometimes CVV/CVC/CID.
Here is where timing becomes important.
A customer calls into a call center to place an order or conduct any other transaction that requires a credit card. Until that transaction is completed, any cardholder data provided is considered pre-authorization data by the card brands and the PCI SSC and is therefore not covered by the PCI DSS.
Once the transaction is completed, you are now in the post authorization realm and all information is subject to the PCI DSS. Under requirement 3.2.2 of the PCI DSS, retention of the CVV/CVC/CID is not allowed. Even though the recording is prior to the completion of the transaction, once that transaction is complete, the information becomes in-scope for PCI compliance and therefore cannot be retained.
The double edged sword in all of this is that you cannot use a compensating control to meet any of the requirements in 3.2. As a result, your only alternative is to remediate the situation.
